Imagine a future in which you log into your computer just by looking at the screen. When you open up a browser to shop, the website already knows it’s you because of how you click and move around the page. On your way home from work, you walk up to an ATM and use your voice to withdraw cash.
Some of these technologies are already available, and others will come soon. Together, they might make passwords a thing of the past.
What’s the trouble with passwords? For one thing, they aren’t doing their job: Weak passwords are too easy to hack, while stronger passwords are too difficult to remember. A new Pew Research Center report finds that 39 percent of adults online have a difficult time keeping track of their passwords.
Many companies are warming to the idea of ditching passwords. Last month, Mastercard began testing a credit card with a fingerprint scanner built in, and Wells Fargo is letting customers access ATMs with nothing but a smartphone.
We can thank the Internet for all these new identity technologies.
“We used to do business like banking in person, with identification in hand,” says Mark Difraia, senior director of solutions technology at MorphoTrust, a firm that works on identity-related services. “Once we started moving services onto the Internet, we very quickly lost the ability to determine the person and the credential.” That’s how we ended up with dozens of usernames and passwords.
MorphoTrust is working on electronic ID systems that link with each state's driver’s license issuing agency to make sure people are authenticated online. This year, MorphoTrust worked with the state of Alabama to create a system that allowed people to file their state tax returns using a selfie to validate their identities.
As biometrics get more popular, there will be new ways to integrate them into our everyday lives. Sensors are becoming compact and cheap, and the algorithms used to validate biometric data have become extremely fast and accurate. Anil K. Jain, a biometrics researcher at Michigan State University, said in an email that he's most excited by how biometrics technologies including face, iris, and fingerprint scanners will be embedded in consumer devices.
But most biometrics still have shortcomings: fake fingers and printed photos can trick a system, and biometric data can be stolen, Jain explained. That’s why he envisions biometric and non-biometric technologies working together to protect our identities, something that's known as multi-factor authentication.
“Depending on the security level desired, we can just use biometrics (like a print for mobile phone unlock),” Jain said. “But for higher level authentication (like mobile payment), we will use two-factor or multi-factor authentication, like biometrics plus a PIN and the credit card.” Which means, yes, more numbers to remember.
Roman Yampolskiy, a computer scientist at the University of Louisville, has worked on behavioral biometrics systems to build profiles that authenticate users based on how they operate a computer. Say someone steals your laptop at a coffee shop while you step away to get a refill. “The behavioral shift — what they are doing and how they do it — could trigger the computer to lock certain things,” Yampolskiy says.
That behavior profile could include frequently visited websites, but also how the user scrolls or clicks. “All interactions on a computer could be profiled,” Yampolskiy says, “even how much memory they are using.” While these actions aren't necessarily unique to each person (there are only so many ways to use Microsoft Word, after all) there are enough subtle features to identify a change in users.
Think of an Elephant
Yampolskiy also envisions a future in which we use brainwaves to access our devices, but one group of scientists may already have done it. Researchers in Italy announced in a 2014 study that by interpreting how an individual's unique brainwaves were linked to specific thought processes, they were able to create a brainwave-based biometric authentication system.
In another recent study on brain biometrics, scientists selected images to elicit specific responses from individuals. These images included words, items, foods, and even a photo of celebrity Anne Hathaway. The researchers then examined 50 people who were sequentially exposed to these images while wearing a headset that measured their brain activity. The result? Peoples’ brains interpreted the images differently enough that the biometric system could distinguish the "brainprint" of each participant with 100 percent accuracy.
But even these state-of-the-art biometrics technologies have issues.
“Privacy is something in need of additional research,” Yampolskiy says. “Who has access to your personal thoughts and patterns, and how is the data used? It’s not so much a technical issue but a political issue. There is a lot of concern about government getting access to private information of this kind.”
Jain said we may never truly be free from the tyranny of passwords since there are people who may not be able to provide every biometric trait. For example, a small number of people have poor quality fingerprints that can't be recognized by scanners, so passwords would always be there as a backup.
He also sees a challenge in making authentication technology as transparent and seamless as possible to the user.
“Every time I want to unlock my phone, I need to enter either the PIN or biometric info,” Jain said. “In a typical day, we may have to do this forty times or so, which is a nuisance. Given that we spend more time with our phone these days than other devices, why can't the mobile phone learn its owner over time?”