04 Sep Time is passing for passwords: 5 alternatives
We are passionate about security. Passwords are currently an important part of everyday life, but slowly they are fading into the history books. When King Password dies, who is his heir? Read on to find out.
Passwords are passing; their time is slowly coming to an end. Their existence has persisted for year upon year, almost becoming an expected aspect of everyday life. There is rarely a day where you don’t use your password: whether you are logging into your emails or social media, it is almost muscle memory when you are plugging those special characters into your keyboard.
Passwords can be emotionally semantic… or maybe not. Most passwords, according to a 2016 KeeperSecurity study, are comprised of pet names, hometowns, childhood memories or someone special’s birthday, making passwords an extension of one’s personality. However, perhaps you are not attached to yours like some are. Perhaps your password is a carefully calculated string of nonsense, complexed and more secure than something that can be guessed by taking a quick look at your Facebook page. Either way, your password is still your password.
Well unfortunately for the semantic bunch, online security is getting ever-more sophisticated and passwords are on their way out. Seriously. Bill Gates stated at the RSA conference in 2004 that “people are going to rely less and less on passwords” as “they just don’t meet the challenge for anything you really want to secure”. Looking at how innovatory hackers have become, it’s clear Gates was right. Hacking has plagued our internet for as long as it has existed. It seems as if it’s only getting worse. From Ransomware like WannaCry and CryptoLocker to simple password cracking algorithms such as Aircrack-ng, businesses and people’s personal lives are at the crux of a world-wide epidemic that doesn’t seem to be slowing down.
If passwords aren’t the solution anymore, what is?
1: Two-step verification
Already adopted by the likes of Google and Microsoft, two-step verification provides users with an extra layer of security, rather than replacing passwords altogether. Consider it a ‘double check’, just to verify that it is you who is trying to login. It works like this: you type your password in, and the service will send you a push notification on a personal mobile device to confirm your login. This works because if someone has your password and is trying to login to your account, they are unlikely to also have your mobile phone in their pocket too. Right?
Two-step verification has been used by banks for online banking for years in the form of a Secure Key card or a Card Reader, but it’s only been hitting regular accounts like email and social media in recent years.
In 2013, the iPhone 5s was released: the first mobile phone with a fingerprint scanner for secure login. Since 2013, almost every brand has released a mobile device with a fingerprint scanner, ranging from mobile phones to even laptops and computers.
Not many people, however, understand the differences between the two main types of finger print scanner: optical and capacitive. Optical readers obtain a digital depiction of our fingerprints using light sensitive diodes that navigate the peaks and troughs of the finger. This information is stored and must be replicated when the device is trying to be accessed. Capacitive, the more secure version of the two, uses an electric current to identify and analyse the biology of one’s finger, and stores the information similarly to the optical variant. The electrical current varies depending on the image of our finger. The image the electrical current provides is more specific that an optical resolution.
Unless the hacker has somehow obtained your finger, they are unlikely to be able to access your devices and accounts using this method.
3: Facial Recognition (Biometrics)
At one point in time this technology was only ever seen in spy movies: iris recognition and physical feature identification. The only phone on the market (as of 04/09/2017) with this technology, the Lumia 950, uses Windows Hello to incorporate this security measure. The front facing camera opens and recognises the users eye using infrared light and matches it based on a stored image that the user activates when they first set up their device. Eventually, this along with fingerprint scanning could be combined to create the ultimate two-step verification process; a fingerprint and an image of your iris!
Although not implemented into everyday life yet, it can be expected that iris and fingerprint recognition will be used to access simple accounts such as your emails and social media instead of passwords. Very secure!
4: Heart Rate
What? Heart rate? Yes, you read that right.
A heart rate security system is based on an individual’s heart beat and uses the recorded data as an authentication system. Although like fingerprint scanners, there is one huge benefit to this style of authentication security. You do not need to touch anything. No need to touch a fingerprint scanner, type on a keyboard, pick up a phone… the list could go on. Why? Heart rates can be detected under the radar, completely behind the scenes, using bands such as the Nymi Band.
It works like this. Everyone’s heartbeat is completely different. It doesn’t just come down to heartrate. The size of the heart, the positions of the valves, the exact shape of the heart all influence the exact type of beat that occurs. Collecting this data in the form of electrical signals, like in an electrocardiogram allows completely unique authentication that is near impossible to replicate.
Again, it’s very unlikely that the hacker will have access to your heart – by that point I doubt you would really care whether or not they get into your accounts or not.
5: Single and temporary passwords
Single and temporary passwords are random number generated (RNG) codes that give access to accounts for a short period of time.
This method has been deployed mainly in password recovery systems. The user will specify a mobile number for their account and when they request to change their password an SMS message will be sent with a login code to change it. The benefits of this remove the need to go through extra security questions such as “who was your first employer” or “what was the name of your first pet”.
Other forms of this system are used as a primary login strategy. An example would be Yahoo!’s temporary code system that is used every time a user logs in.
Additionally, the use of this system can be seen in verification processes, for example within Steam Guard. Steam Guard is a security measure put in place by Valve Corporation to protect Steam users from video game trading scams. Whenever a user wishes to trade an inventory item, or logs in on a new device, a push notification lasting 30 seconds including a RNG based code will be sent to their mobile app to confirm the process of trade or log in. If the user misses the code, a new code will have to be generated and the old one will not work.
One day a password will simply a be a distant memory; at least you won’t ever have to click that “forgot password” button again… unless you lose a finger or two.
~ by George Balaam