LISTEN: Your password is broken

AP Photo/Carolyn Kaster, File

Published May 14, 2017

San Francisco - Headlines about mass data breaches have become ominously routine, and yet password convenience still trumps security for most people.

That's why, year after year, the world's most popular log-on remains "123456," a password so obvious it accounted for 17 percent of the 10 million compromised passwords analysed by Keeper Security, which sells a log-in management service.

The answer, of course, is to get rid of passwords altogether. Biometric technology—especially fingerprint scanners—has been steadily replacing the need to type in a password, which can easily be guessed by hackers wielding smart algorithms. Now, with the world increasingly embracing voice-activated devices like the Amazon Echo and Google Home, companies are starting to create technology that recognizes a person's speech patterns. Facial recognition is starting to catch on as well.

“Our vision is to kill passwords completely,” says Dylan Casey, vice president of product management at Yahoo! Inc., which has suffered major security breaches. “In the future, we’ll look back on this time and laugh that we were required to create a 10-character code with upper- and lower-case letters, a number, and special character to sign in, much in the same way that today’s teenagers must laugh at the concept of buying an album on a compact disc.”

The question is whether companies will be able to persuade people to switch to biometric log-ins and whether the new technology will prove any more resistant to hackers than the old-fashioned password.

Apple popularized the fingerprint scanner by embedding it in the iPhone four years ago, subsequently baking the technology into the MacBook lineup. Now Microsoft is getting into the act. Last month, the company started to let the estimated 800 million people who use its Outlook.com, Xbox.com, Skype.com and other cloud-based features log on with a fingerprint scan on their smartphone if they so choose. By October or November this year “you'll be able to take your phone, walk up to your Windows 10 PC and just use your thumb print to log into your PC,” says Alex Simons, who’s in charge of products within Microsoft’s identity division.

Banking solution

The banking industry, long mindful of security, has adopted some of the most cutting-edge technology. The UK bank Barclays started letting wealthy customers verify their identity during telephone banking with their voices back in 2014, and rolled out an opt-in version to retail clients last year. “Our voice security works by taking a recording and analysing the different voice patterns, the vocal tones, the pitch and the pace,” says Simon Separghan, who's in charge of Barclays' contact centres across the UK, India and the Philippines. He said the bank is currently working to implement the technology into its mobile banking app. HSBC, Citi and Santander are also all starting to let customers use their voices to log into their telephone banking accounts.

Face recognition is becoming more common as well. Lloyds Banking Group Plc. announced in April that it would trial Microsoft’s Windows Hello technology, which lets online users log into their web-based accounts by pointing their face at a computer’s webcam. United Services Automobile Association has enabled the same within its mobile app for smartphones, as has U.K. challenger bank Atom.

Is the new technology hacker-proof? Barclays’ Separghan is sanguine about the bank's voice-activated log-in system and says there have been no breaches so far. “We're very confident that the system is as unique as your fingerprint,” he says. “So whether or not people are doing impressions or tape recordings and playing them back, the system has the ability to detect that.”

But Michela Menting, digital security research director at ABI Research, isn't so sure. “With artificial intelligence you'll have machines that'll be able to clone human voices and maybe be able to pretend to be somebody else,” she says.

In April, three developers from a Montreal AI startup released demos of their speech synthesis tool, Lyrebird, which they said could “copy the voice of anyone” with as little as a 60-second recording. They released audio samples of their work, which mimicked the voices of Barack Obama, Hillary Clinton and President Donald Trump.

One of Lyrebird’s founders, Alexandre de Brébisson, who is studying AI at the University of Montreal, said his team’s motivation was to improve speech synthesis rather than anything nefarious. “We believe that vocal human-computer interfaces will become more and more widespread in the future and we want to make them better,” he said.

Could his software be used to fool voice-based authentication? “We haven't tested our tech on those systems,” he said, “but we would not be surprised that our current technology can already fool those systems.”

Concerns

Similar concerns have been raised about face-recognition. Microsoft says its Hello technology, now available in a range of Windows-based computers and soon to be tested at Lloyds Bank, Halifax and Bank of Scotland, uses infra-red sensors to build a reliable representation of a human face. The company says the technology can’t be fooled by holding up a photograph to the lens. But in March, reports surfaced that the facial-recognition feature of Samsung Electronics Co.’s new Galaxy S8 smartphone could be tricked exactly that way. In a statement, Samsung noted that users have several ways to unlock their phones and said facial recognition can only be used to open the Galaxy S8 and not to "authenticate access to Samsung Pay or Secure Folder."

Thirteen years ago, Bill Gates predicted the death of the password. It never happened because people cling to old habits and can't always afford the latest technology. To avoid alienating customers, the banks aren't insisting that they switch to safer technology but are letting them opt in. So though cheaper biometric sensors and smarter software have helped improve online security, Menting believes passwords may be around for another 50 years—kind of like landlines. “Until we have embedded devices in ourselves that can act as that password,” she says, “I really don't see them losing the authentication war anytime soon.” Hackers are counting on it.

BLOOMBERG
