Passwords get hacked — a lot. In an effort to move beyond passwords, big companies are embracing biometric technology: the use of fingerprints, iris scans or voice recognition for user identification.
To heighten security, smartphones are being outfitted with biometric features. But, ditching passwords for biometrics may not make the hackers go away.
Selfie Security
At a big security conference called RSA, thousands of people gather in San Francisco's Moscone Center, selling products to make life online more secure.
Conor White, an executive at a biometrics company called Daon, begins to demonstrate how he logs into his bank account.
"I've just launched our mobile app and you can see here, I'm straight into the app," he says. "Watch how it authenticates me."
He doesn't type in a password. He holds his iPhone up to his face, like he's going to take a selfie.
He blinks — on purpose. What follows is a camera click sound.
"I blink because photographs don't blink," White says. "It's a basic test to make sure it's not someone holding up a photograph of me on the Internet."
And if selfie security doesn't work — say you're in a dark room — you can use your fingerprint instead, or your voice. White reads this sentence to get into the app: "My identity is secure because my voice is my passport."
His company recently landed a big contract with USAA to do biometric identification for the financial services firm's account holders. White says bankers are calling him regularly now because the old system has failed.
Biometrics are a great alternative, he says, because they're superpersonal.
"I wear my face every day," White says. It's the only face I have. As they say, a face only my mother could love."
And if it feels too personal, don't do it, he says.
"At the end of the day, it's down to choice," White says. "If people feel uncomfortable, they don't have to do it. They can continue to go with the password-based model. They may not get the level of service that they want, but it's their choice."
A Race To Patent
It's a choice for now. But given the pace at which companies are putting biometrics into their hardware, it could become the new normal soon.
Patent attorney Yuri Eliezer, with the firm SmartUp, says a decade ago, there were just 46 patent applications for biometrics. Last year, he counted at least 567.
"It's a definitely a growing number and we anticipate that's going to continue to grow," he says.
Apple, Samsung, Google, Microsoft and Intel are all filing. Eliezer says biometrics is part of the blueprint for the newest lines of smartphones and fitness trackers.
"This is something we're always holding in our hand or having in our pockets, always so close to our bodies," he says. "And now, the fact that we could integrate these sensing devices into our mobile devices, it makes it all the more useful to aggregate and collect data on us."
It could provide something useful, too.
According to patent filings: Apple wants to use biometrics to lock and unlock messages [keep that text for your irises only]; Microsoft is interested in entertainment value and is working on a device that monitors your heart rate or blood oxygen levels — maybe to adjust the music while you play Xbox.
"If your heart rate's increasing, the music might speed up or slow down based on the environment the gaming providers are trying to create," Eliezer says.
Increasing Risk
The biometric boom raises some well-known privacy concerns. It also raises some less-known security concerns.
David Cowan with Bessemer Venture Partners is an investor. He has put over $100 million into digital security companies, but he refuses to invest in biometrics.
"Either a password or a biometric can be stolen," he says. "But only the password can be changed. Once your fingerprint is stolen, it's stolen forever, and you're stuck."
Hackers have already made dummy fingerprints — using pictures of people's hands available online — to swipe into the iPhone 6 scanner.
Cowan says in a world where just about anything can be hacked, the cost of biometrics is just too high.
Transcript
MELISSA BLOCK, HOST:
And now to the security of our devices. Passwords get hacked a lot. In an effort to move beyond passwords, big companies are embracing biometrics. Think fingerprints, voice-recognition and iris scans. But as NPR's Aarti Shahani reports, ditching passwords for eyeballs is unlikely to make hackers go away.
AARTI SHAHANI, BYLINE: I'm at a big security conference in San Francisco. It's called RSA, and there are thousands of people here in the Moscone Convention Center selling products to make life online more secure.
CONOR WHITE: So I'm going to actually show you how I log into my bank account.
SHAHANI: Conor White is an executive with Daon, a biometrics company.
WHITE: So I've just launched our mobile app, and you can see here I'm straight into the app. Watch hot it authenticates me.
SHAHANI: He doesn't type in a password. He holds his iPhone 6 up to his face like he's going to take a selfie.
WHITE: And watch what happens.
SHAHANI: He blinks on purpose.
Why'd you blink?
WHITE: I blinked because photographs don't blink. So it's a basic test to make sure that it's not someone holding up a photograph of me on the Internet, so...
SHAHANI: Clever, clever.
And if selfie security doesn't work - say you're in a dark room - you can use your fingerprints instead or your voice. White reads this sentence to get into the app.
WHITE: My identity is secure because my voice is my passport.
SHAHANI: His company recently landed a big contract with the bank USAA to do biometric identification for their account holders. White says bankers are calling him regularly now because the old system has failed. Biometrics are a great alternative, he says, because they're super personal.
WHITE: I wear my face every day. It's the only face I have. It's, as I say, a face only my mother could love.
SHAHANI: And if it feels too personal, don't do it.
WHITE: At the end of the day, it's down to choice. If people feel uncomfortable, they don't have to do it. They can continue to go with the password-based model. They may not get the level of service that they want, but it's their choice.
SHAHANI: It's a choice of for now, but given the pace at which companies are putting biometrics into their hardware, it could become the new normal soon. Patent attorney Yuri Eliezer, with the firm SmartUp, says a decade ago there were just 46 patent applications for biometrics. Last year, he counted at least 567.
YURI ELIEZER: Oh, absolutely, yeah. It's definitely a growing number, and we anticipate that it's going to continue to grow.
SHAHANI: Apple, Samsung, Google, Microsoft, Intel - they're all filing. Eliezer says biometrics is part of the blueprints for the newest lines of smartphones and fitness trackers.
ELIEZER: This is something we're always holding in our hand or having in our pockets always so close to our bodies. And now the fact that we could integrate these sensing devices into our mobile devices, it makes it all the more useful to aggregate and collect data on us.
SHAHANI: And provide something useful, too. According to patent filings, Apple wants to use biometrics to lock and unlock messages - keep that text for your irises only. Microsoft is interested in entertainment value and is working on a device that monitors your heart rate or blood oxygen levels - maybe to adjust the music while you play Xbox.
ELIEZER: And if your heart rate's increasing, the music might speed up or slow down based on the environment the gaming providers are trying to create.
SHAHANI: The biometric boom raises some well-known privacy concerns. It also raises some lesser-known security concerns. David Cowan with Bessemer Venture Partners is an investor. He's put over $100 million into digital security companies, but he refuses to invest in biometrics.
DAVID COWAN: Either a password or a biometric can be stolen, but only the password can be changed. Once in your fingerprint is stolen, it's stolen forever, and you're stuck.
SHAHANI: Hackers have already made dummy fingerprints using pictures of people's hands available online to swipe into the iPhone 6 scanner. Cowan says in a world where just about anything can be hacked, the cost of biometrics is just too high. Aarti Shahani, NPR News, San Francisco. Transcript provided by NPR, Copyright NPR.
300x250 Ad
300x250 Ad