In April 2004, Bill Gates predicted the death of passwords. More than ten years later, their end is a more current topic than ever, and many technology brands are seeking a replacement for them. The reason is that passwords pose some problems, such as the authentication method for each user: paradoxically, the safer passwords are, the easier they are to forget. And conversely, the easier they are to remember, the less secure they usually are.
Throughout this time we have seen various proposals for solving the latter problem: mnemonics to create passwords that are easy to remember but quite safe at the same time, getting renowned online security companies like Kaspersky to promote this type of method. However, such solutions are nothing but a patch: are there real alternatives for passwords? Yes! Let’s look at the top five.
1. Two-step verification
Two-step verification is not a true alternative to passwords, but rather a booster that increases their security. It is based on a double check: “something you know” (the password) with “something you are” or “something you have”. Most of the time, this second factor is usually a code sent by SMS. Thus, to access a service, you enter your password, and then the code that is sent to your phone. Another popular example of two-step verification is coordinate bank cards (“something you have”), cards with an array of numbers arranged in rows and columns. To do any online banking paperwork, such as a transfer, the system prompts the user to enter the numbers in a particular cell (eg, B8, or H5), to be more certain that whoever is performing the procedure is the person they say they are and not an impostor.
2. Fingerprint
The use of the fingerprint as an alternative to the password has increased dramatically in recent years, mainly thanks to smartphones. In 2013 the iPhone 5s, the first mobile phone with a fingerprint sensor, was released. Since then, almost all brands have ended up incorporating it: Samsung, Sony, LG, HTC, Huawei, etc.
Until not too long ago, traditional fingerprint sensors were relatively expensive and very heavy. Now they are small enough to incorporate into smartphones and tablets, hidden in any button, and fast enough to check fingerprints in less than a second. There are two types of fingerprint readers: optical and capacitive.
The optical reader obtains a digital image of our fingerprint by means of light-sensitive diodes that differentiate between the valleys and ridges of the finger, and then store the pattern, which should be replicated every time the device is accessed. On the other hand, the more complex and secure capacitive reader uses electric current through small conductive cells covered with an insulating layer, rather than using light to analyse the valleys and ridges of our fingerprints. This current will vary depending on the particular image of our finger.
Here we can see the video presentation of Touch ID by Apple, its fingerprint protection system, released in 2013 with the iPhone 5s.
3. Windows Hello
The new system introduced by Windows 10 is based on biometrics. This is the unique recognition of human beings through their physical features. Fingerprints are part of biometrics, but there are further methods. What Windows Hello does is to combine them: any terminal with Windows 10 can use any method, depending on which one is incorporated, and Windows Hello just acts as a gateway.
Which methods are there? In addition to the aforementioned fingerprints, Windows Hello also offers iris recognition, which is currently only present in one smartphone, the Lumia 950. The terminal opens the front-facing camera when unlocked and recognizes the user’s eye in front of it. Then, the camera is combined with infrared light to detect the image of the iris and look for points where it is identical to the one recorded by the owner. What if, for whatever reason (injury, conjunctivitis, insufficient lighting, etc.) it cannot identify the iris? Nothing happens; you can still enter the traditional unlocking PIN.
Besides fingerprint and iris recognition, another method is facial recognition, which works much like the iris: it detects the image of the face using the front-facing camera, the infrared image and a facial 3D map. Combining these three technologies, the system generates a series of computer algorithms to measure certain facial features, such as the distance between the eyes, the width of the nose or the shape of the jaw. Thanks to this, we can use this technology whether we are wearing glasses or not, if we grow a beard, etc.
A very visual example of Lumia 950 iris recognition in action.
4. The Yahoo! single and temporary password
To access your email, for example, you can choose between a single and a temporary password. The system will generate a random and temporary code that will be sent to you by SMS every time you try to log in. That is the curious proposal launched in March 2015 by Yahoo!. Being random and temporary, the password is more secure than one following a pattern or one that could be used indefinitely. Microsoft has already released an almost identical system, with the difference that Yahoo! allows it to be set as a default, rather than being used on a one-off basis.
With this system, the concerns of creating a secure password, keeping it protected and being able to remember it are removed. The main problem is the possibility of losing the phone, since in many cases, even with unlocking protection (password, PIN, fingerprint, iris pattern, etc.), the contents of the SMS could be read on the locked screen. For this reason, this is a system that has divided security experts.
5. Heart rate
This system is based on using the heart rate of each person as an authentication system. Although it may have no advantage over the use of a fingerprint on paper, it is suited to very high-security environments. So what’s the benefit? That you don’t need to do anything, like touching a fingertip sensor or entering a SMS code, because our heart rate can be detected in the background, completely invisible to us.
And how exactly does it work? The heartbeat of each person is truly unique. It is not only measured through the number of beats per minute. There are several other factors: the size of the heart, its exact form, the position of the valves… everything that influences the intensity and type of beat that you can collect as an electrical signal, like an advanced electrocardiogram. So, whether we are at rest or active, that spectrum obeys the same pattern.
A company that has already developed this technology to replace the password is Nymi, creators of the Nymi Band bracelet that identifies people based on the heart rate measured at their wrist.
Meanwhile… password managers
If we intend to keep using the traditional password, a piece of security advice always comes in handy: use a password manager. Some of the most popular are 1Password and LastPass. Basically, they help us randomly generate passwords that are very complicated to guess, store them safely, and then store them locally, encrypted without going through external servers that are susceptible to hacking or a security hole, so you can access them from any device. Thus, it is easy to have a different password for each service, all being extremely safe and complex, without having to remember them.
Javier Lacort
(Hipertextual)
Comments on this publication