Much has been written about the impending end of the password, with some experts saying this will come as soon as 2018, while others say passwords will always stay in use but will be combined with new biometric methods. In either eventuality, we’re taking a look at how ready our infrastructure is to take on this change, and what benefits and threats will come with it too.
The latest figures taken in polls that asked whether the public is ready for biometric security revealed an overwhelming preference: ‘93% of consumers would choose biometrics over the traditional security measures’, citing that they feel this would provide a higher level of security than passwords alone.
Of course, since 2014 biometric security has become more commonplace: on smartphones and in airports, our fingerprints or eye patterns are regularly being scanned to allow us access. But it has yet to truly take hold.
We’ve all become very used to hearing hacking stories from major companies, with large amounts of data being stolen – or on a small scale, our own accounts getting hacked through password capture. This has become commonplace, but biometric security is hailed as the next step to stop this happening.
In combination with this lack of security from our passwords, we have also all exceeded our ability to keep up with passwords’ differing demands. Research conducted jointly by Mastercard and Oxford University reported that 51% of consumers repeat passwords across multiple sites; 25% of consumers reset one password per day and 21% of consumers forget their password after two weeks.
It’s time for a change, and Bhalla, president of Global Enterprise Risk & Security at Mastercard, believes, “(Biometrics are) driving the trend towards a password-free future, where digital identity is all about who we are, not what we remember.”
The move towards our security knowing us, rather than us remembering it, is one of the main benefits associated with the change, although no expert seems particularly sure of it being foolproof yet.
Fingerprint readers have been the mainstay of many commercial devices, but it’s been shown that iris and palm print recognition is estimated to be 10 times more accurate for identification. With these more secure choices for biometric security now identified, we expect to start seeing devices swing towards these as safer methods in the years to come.
Unfortunately, there are some obvious security flaws that come with using biometric identification as a password. Firstly, it has proven to be very easily hackable by professional hackers.
Security researcher Jan Krissler, nicknamed ‘Starbug’, from the famous Chaos Computer Club (CCC), has unmasked both iris and fingerprint security as having flaws. He showed how simple it is to break into security systems by using close-up images of the owner’s face or finger – something that’s far from impossible to get hold of.
Another key issue that has been reported surrounds the financial services sector. Whilst the industry seems ready to adopt this new level of security, only 36% of decision makers in biometric security implementation say they have adequate knowledge to make those decisions.
This raises questions around whether security technology can be properly managed, as well as properly implemented in some important infrastructural areas.
There is also a risk that our laws haven’t evolved with the advancement of this technology, leaving many unanswered questions, such as: who can demand your biometrics and under what circumstances? Can your biometrics be captured without your consent? Where will the biometrics be stored and for how long?
Since 2013, Israeli courts have begun implementing laws against the collection of personal data that comes with biometric security. The Protection of Personal Information Act (POPI) regards biometric data as “personal information”. POPI regards personal information as information relating to an identifiable, living, natural person including, but not limited to, biometric information of the person.
There has since been a legal case in Israel against biometric security being used in workplaces to clock employees in and out. The court ruled that, in relation to a biometric attendance clock, a person’s fingerprint constitutes “private information” and that the use of a biometric attendance system infringes an employee’s right to privacy.
Clearly, using this type of physical information as an identification tool will attract more controversy as its prevalence increases. Likewise, without new guidelines and laws introduced to regulate the use of biometrics globally, there is the potential that far from increasing an individual’s security, biometrics could actually reduce it, if not stored and utilised properly.
Will we ever trust biometric security fully?
It is commonly thought that biometrics, as it is today, should be seen as a higher level of security in the authentication process, but not as a complete replacement for passwords. Biometrics are best used as secondary to PIN codes or in a combination of the two, for the tightening of security.
In this guise, biometrics have not yet usurped passwords. However, it is surely only a matter of time before biometrics overcome that daily challenge we all experience currently, as we face yet another login screen telling us our username or password is ‘not recognised’.
A recent study on building biometrics found there to be five factors key to making biometric security work: performance, usability, interoperability, security and privacy. In the future, we’ll be keeping a close eye on the last two!