Every day we hear a story about another breach of a company’s security and that sensitive or personal data has been leaked or hacked. We are reminded or forced to change our passwords on a regular basis, and to ensure that they conform to an ever more complex set of requirements, all of which are supposed to deter and defeat those who want our information. We’re clearly still failing.
The practice of demanding proof of identity in exchange for something valuable has been around far longer than most of us in IT might think. The Ancient Egyptians used passwords regularly, and “The Book of the Dead” (1550-1070 BC) contained passwords used by the deceased to overcome the dangers of the afterlife and gain admittance to the several stages of the underworld.
I wonder how many security breaches they had?
In this security arms race, companies are busy devising ever more complex cryptographic algorithms to defend our modern-day valuables. We as consumers, or users, are now drawn close to this problem and are subjected to ever more complex and random passwords.
The problem with this is that we’re all busy people, and as the number of portals, websites and devices we own and access rises, so does the number of passwords we have to remember. Few things in the world are more frustrating than the Forgot Password process, as it’s forced upon us at the least convenient time, for example when you’re trying to place an online order or authenticating with your music or social media.
So many of us still write them down, even stick them to the side of our computer screen – yes, I have still seen this going on in 2016! That completely defeats the idea of security. Many of us don’t change our passwords unless we are forced to, and when we are, we are thrown into chaos as the Mr Spock-like “completely logical, captain” password we chose is now the furthest recollection in our minds!
So in a world where convenience is king, those people tasked with keeping security products ahead of the hacker have long been pushing two-factor authentication, where a password and something else, like an ID card, are used together to gain access. The problem is that if you lose the card or it’s copied, you’re back to square one - just the password to defeat. As an example, in the data centres that Vissensa operates, the ID badge used to access areas in the building is not allowed outside and must be returned to the security booth when leaving - to prevent it being cloned.
Increasingly, companies are investing in biometric research, banking hard on the idea that the future of online credentials lies within users’ individual human characteristics.
Touch ID and other fingerprint-scanning technologies are fast emerging and are a wonderfully convenient solution to the password and PIN problem on everyday devices such as our computers, smartphones and even the entry locks to our houses - and we’re grabbing this technology with both our biometric hands – literally!
A January report from Juniper Research found that more than 770 million biometric authentication apps will be downloaded each year by 2019, a huge increase from the 6 million downloads forecast for the mobile phone market in 2015.
But beware: this new-found easy authentication comes at a price. Remember how, when we thought a password had been compromised, we changed the password to something else? Well, how easy do you think it will be to change your biometrics if they are stolen or compromised?
In 2014, Jan Krissler from Chaos Computer Club used high resolution photography, including one from a government press office, to successfully recreate the fingerprints of Germany’s defence minister.
Over to Elliot Williams at HackADay, who has written a thought-provoking essay explaining why you should never rely on Touch ID in lieu of using a password on your device, no matter how convenient it is. Yes, he admits the obvious: passwords are not all that secure. But although we hate the inconvenience of passwords, relying on biometrics is a much worse option, because your fingerprints are not difficult to come by. We leave them everywhere, and they can be picked up and copied relatively easily. What’s also frightening is that if you’re an avid user of Touch ID and biometric security, your prints are probably all over your devices right now.
OK, so iris scans rather than fingerprints? Maybe not. Again, Jan Krissler has used both high-resolution photography and even Google Images to hack iris scanners. He reports: “I did tests with different people and can say that an iris image with a diameter down to 75 pixels worked on our tests.” He also exposed another security problem that sounds straight out of Star Trek, called the “corneal keylogger”. He explains that a hacker who has access to a user’s phone camera, but nothing else, can read what is being typed by analysing photographs of the reflections in the eyes. He even demonstrated it on stage!
Back to Elliot Williams for the last word: “A fingerprint stays with you for life. Once I steal your fingerprint, I can unlock your current fingerprint-secured device and every fingerprint-secured device that you’ll ever buy in the future. Fingerprints are half-secrets that can’t ever be changed, and thus make lousy passwords.”
My thoughts on this - there is no “silver bullet” when it comes to security, and I think we are all going to have to remember passwords, along with other security measures, for a long time yet.