Is It Time To Phase-Out Passwords for Good?
Password Replacement is in The Works
Replacing passwords will ultimately make us safer online.
According to Business Insider, it takes a hacker less than half a second to crack a simple password.
Most passwords are too easy to guess, or else we use the same password over and over. (Uhh, guilty of the last one!)
What About Using a Password Keeper?
So what about using a password keeper to keep track of your passwords?
It’s a great idea in theory. But your data isn’t safe if it’s stored in a browser. Anyone with access to your device can see your passwords.
We can all agree that passwords are a poor way to authenticate your identity.
The FIDO Alliance was formed to find a better way than passwords to keep user data safe.
The FIDO Authentication Protocol
FIDO (which stands for “Fast IDentification Online”) wants to make online authentication safer for consumers while reducing costs for businesses. Password phase-out is FIDO's ultimate goal.
Members of FIDO include Amazon.com, American Express, Bank of America, Google, Intel, MasterCard, Microsoft, PayPal, Samsung, Visa and eBay. When all these corporations are on board, password phase out is a certainty.
FIDO authenticates users with a pair of cryptographic keys, called a public key and a private key.
Here is how public and private keys work.
You electronically present your public key to a website you’d like to sign into. Next, the website sends back a piece of random data to your device. (This is called a challenge.) Then the challenge is signed with your private key and access to the website is granted.
All this passing of public and private keys happens in the background in a split second.
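The sign-in exchange described above, as an added Node.js example (not code from FIDO or from this post). It is a simplified sketch, not the FIDO wire format: `Website`, `createAuthenticator`, the user `alice` and `https://shop.example` are assumed names, and it goes one step beyond the text by also signing the site's origin, which is how FIDO keeps a look-alike site from reusing your response.

```javascript
// Added example: simplified challenge-response sign-in (not the FIDO wire format).
const nodeCrypto = require('node:crypto');

// Device side: the private key stays inside this closure and is never exported.
function createAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey: publicKey.export({ type: 'spki', format: 'pem' }),
    // Sign the challenge together with the origin that asked for it.
    sign: (challenge, origin) =>
      nodeCrypto.sign('sha256', Buffer.concat([challenge, Buffer.from(origin)]), privateKey),
  };
}

// Website side: holds only public keys and the challenges it is waiting on.
class Website {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> PEM public key
    this.pending = new Map();    // user -> outstanding challenge
  }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  issueChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user); // single use, so a captured response cannot be replayed
    if (!challenge || !pem) return false;
    const signed = Buffer.concat([challenge, Buffer.from(this.origin)]);
    return nodeCrypto.verify('sha256', signed, pem, signature);
  }
}

function demo() {
  const site = new Website('https://shop.example'); // constructed sample origin
  const device = createAuthenticator();
  site.register('alice', device.publicKey);
  const sig = device.sign(site.issueChallenge('alice'), site.origin);
  const firstLogin = site.verify('alice', sig);
  const replayed = site.verify('alice', sig); // same response sent again
  const wrongKey = site.verify('alice', createAuthenticator().sign(site.issueChallenge('alice'), site.origin));
  const lookalike = site.verify('alice', device.sign(site.issueChallenge('alice'), 'https://sh0p.example'));
  return { firstLogin, replayed, wrongKey, lookalike };
}
console.log(demo());
```

Only the first sign-in succeeds: the website never stores a secret, so nothing it holds can be used to log in as you.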
Let’s take a closer look at how Microsoft and Apple incorporate FIDO using a biometric assist.
How Microsoft’s Windows Hello Authenticates Users
Microsoft made a move toward password phase out with their Windows Hello feature. It allows users to use biometric data for verification on Microsoft Surface tablets, PCs and laptops with Windows 10 installed.
Windows Hello gives users three biometric options for data verification – fingerprints, facial recognition and iris scan.
Windows Hello’s facial recognition process:
- An infrared light illuminates your face. Next, an array of infrared dots is projected on your face, to map out high and low spots.
- An infrared camera captures an image of these dots. The image is stored on your device.
- After you’ve completed this setup, simply scan your face to access your device. Your device unlocks when your scan matches the previously taken infrared image.
How accurate is Microsoft’s facial recognition? Very!
The Australian Business Review ran a test of Windows Hello with six sets of identical twins. Impressively, Windows Hello was able to tell the twins in each set apart.
However, Microsoft isn’t the only game in town for technology to replace passwords.
Apple’s TrueDepth Facial Recognition Feature
Apple has their own facial recognition feature called TrueDepth. It works in much the same way as Windows Hello 3D Structured Light works. TrueDepth is able to detect your face even in the dark because of how it uses infrared light.
Here’s how TrueDepth works on iPhone X:
“TrueDepth uses a combination of infrared emitter and sensor to paint 30,000 points of infrared light on and around your face and also capture flat or 2D infrared snapshots. For the points, the reflection is measured, which allows it to calculate the depth and angle from the camera for each dot and construct a depth map.”
Using biometrics for authentication sounds great – but do they really make your data more secure? Some experts say no.
Biometric Data IS Subject to Hacking Too
Tying biometrics to authentication SHOULD keep your data safer, but it isn’t foolproof. It’s easier than you’d think to hack biometric data.
Isao Echizen, a researcher for NII’s Digital Content and Media Sciences Research Division, says that “Modern phone cameras are powerful enough to capture sufficient fingerprint details if users expose their fingers to the camera.” – BleepingComputer.com
Last year a group of scientists extracted fingerprints from Facebook photos taken three meters away.
Determined hackers have unlocked devices with masks, photos and lifted fingerprints in the past. You don’t have to be a genius to be a biometric hacker either.
Just ask the six-year-old who used her sleeping mom’s thumbprint to unlock her phone. Then she used mom’s Amazon.com app to go on a $250 Pokemon shopping spree.
Yikes! The question becomes . . .
Is Biometric Authentication Really Less Risky Than Using Passwords? It Depends
For the average person, authenticating with biometrics is much less risky than using passwords. That is, as long as your data stays stored on your own device.
You’re at risk for the rest of your life if your biometric data gets into the wrong hands.
After all, you can change your password, but you can’t change your fingerprint or facial features.
What’s Your Take on Password Phase Out? Is Biometric Authentication Really Better?
Do you feel the benefits of ditching passwords for biometric authentication outweigh the risks or are you still skeptical? We’d love to hear your take – please leave a comment below!
About the Author
NormaR is our WeBananas tech blogger. She came to us as a crusty copywriter from the Far North who lives and breathes conversions. In her spare time, she's a diehard Edmonton Oilers fan (sadly), a foodie and a passionate landscape photographer.