Behavioural Passwords: Is Interpretive Dance a New Cybersecurity Threat?
Passwords have been around for millennia. Thousands of years before the advent of the computer, the Roman military would use what Polybius described as a watchword to distinguish ally from enemy.
Similarly, during the Battle of Normandy, US paratroopers used constantly changing call-and-response passwords - flash would be responded to with thunder, for example - to distinguish friend from foe.
The password entered computer science in 1960 thanks to Fernando Corbató, as a means of keeping files private. The Massachusetts Institute of Technology had developed a time-sharing system that all researchers had access to; however, all files shared a common disk. To keep individual files private, a password was introduced so that users could access only their own.
Source: SC Magazine
With the introduction of the internet, the popularity of the password soared as a straightforward but relatively effective means of keeping user accounts secure. Decades on, cybersecurity is still a challenge as data leaks and hacking attempts are more rife than ever. For many, the fact that we are still primarily using passwords as a means of protecting our sensitive data is an anachronism in dire need of addressing.
This is where biometrics can make an impact - and, indeed, they already are. You can thank tech giants like Apple and Samsung for popularising the technology, introducing fingerprint scanners some six years ago and slowly building functionality onto the technology.
Initially, users could unlock their devices using their fingerprints. Today, banking apps grant access based on the information, and purchases can be made on app stores using no more than a print.
On a very simple level, biometrics improve the user experience. Rather than having to remember passwords or draw patterns to unlock devices or perform other secure tasks, users can simply use fingerprints or facial recognition.
Both are almost always quicker and more secure, serving as a brilliant example to users that the technology is nothing to fear and can improve their experience significantly.
Some 89% of consumers are already familiar with biometrics in some form, with 55% using fingerprint recognition technology on a regular basis. This comes from the inclusion of fingerprint scanners on just about every major smartphone released in the last few years.
With one tap, users can gain access to their devices in a way that is deemed so secure that it can be used to authenticate payments. Many also now utilise facial recognition technology for even more seamless user identification, with the likes of Apple allowing users to pay using only their faces.
Passwords are a weak link for both user security and company efficiency. For most people, the notion of having the same password for every account they hold is too dangerous - password theft is rife and any breach would be best contained to a single account. On the other hand, remembering multiple different passwords across the myriad accounts we hold in 2019 is also imperfect.
For customers, it’s a headache, while for corporations it can be an expensive waste of time.
According to CNN, Microsoft spends $2 million a month on helpdesk calls from people who want to change their passwords. According to a 2017 report from VISA, some 61% of respondents have multiple passwords across their different accounts, making the problem a significant one. When asked why they had abandoned an online purchase in the past, half of the respondents cited not being able to remember a password as a reason.
Source: Google Blog
Abdulaziz Alzubaidi has a PhD in engineering with a focus on security and is currently a faculty member at Umm Al-Qura University. For him, biometrics are the future of authentication and the humble password may be due retirement.
“When we talk about biometrics, we should consider both types of biometrics; physiological and behavioural,” Abdulaziz told Binary District Journal.
“Modern devices support physiological biometrics such as fingerprint and face recognition. Although these biometrics have a few limitations, they should be used as an authentication method, since traditional methods like entering a PIN or drawing a pattern are vulnerable to simple exploits like shoulder surfing attacks, which allow anyone to gain device access. In my opinion, I see biometrics having a high possibility of replacing traditional authentication methods.
“Imagine this scenario, your device has been used by a friend or even a family member, who knows your password for your device and online bank. He/she can easily access the device and log in to your account, even if he/she uses multi-factor authentication. This simple scenario shows that traditional authentication methods can increase the security issue for anyone. It is not only for banking but for any available app on your device, like social apps, emails etc., so biometrics are more secure when we compare them with the password method.”
Managing Resistance to Change
User experience is important here, though. If relying on fingerprint scanning alone is too porous, developers should consider other methods of authentication before adding more biometric hoops to jump through.
No one wants to have to scan their thumb and their face while speaking into their phones just to access their mobile banking.
Equally, some people may not be comfortable with using a fingerprint scanner at all, particularly if they are being asked to provide that information just to access a social media account.
What will be important is customisation. Developers will have to offer users different options and make the security implications of those options clear, much in the same way that some websites offer two-stage authentication but don’t make it compulsory.
If a banking app can be opened with a fingerprint, great, but some users will feel more comfortable adding a password and an iris scan to the process, once the latter becomes sophisticated enough.
In terms of security, pivoting to biometrics may well throw up just as many questions as it does answers.
Crucially, passwords can be changed if stolen. If a hacker finds a way of breaching biometric authentication, the implications for the user’s multiple accounts and devices would be huge - it’s a lot less simple to change your fingerprints or your face.
There have also been cases of hackers gaining access using a picture of a user’s face. This could mean that multi-stage authentication will still be necessary, nullifying the seamlessness that makes biometrics so appealing in the first instance.
Just Be Yourself
The next step in customised authentication is behavioural biometrics. This is biometrics not based on physical identifiers like fingerprints or scans of the iris, but rather the analysis of a user’s behaviour to determine their identity.
Going far beyond technologies like voice and signatures, behavioural biometrics can focus on anything from finger movements to hand tremors and hand-eye coordination.
It can even be determined how well the user knows the information they are being asked to submit, or how familiar they are with the app they’re trying to gain access to.
“Recent research has proved that behavioural biometrics have the potential to identify a smartphone owner with high accuracy,” Abdulaziz says.
“Most of these studies use different approaches like touchscreen, keystroke, gait, behavioural profiling etc., and show each subject has a unique identity. Behavioural biometrics does not need more sensors, so the cost of building any device will not increase.
“The main points that we need to consider are time to train, size of data, and where it should be trained. Addressing these points will lead behavioural biometrics to be one of the important biometrics, in my opinion, not only in smartphones but to most smart devices.”
Behavioural biometrics, if successfully deployed, will solve problems that other forms of cybersecurity have faced throughout their existence.
One major positive is that it is a passive form of identification - users need not change their behaviour at all to access their devices - in fact, quite the opposite.
They can also be deployed throughout the session in the background, meaning gaining access won’t give hackers carte blanche to exploit a user’s account.
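The in-session checking described above can be sketched with keystroke timing, one of the behavioural signals mentioned earlier. This is an added example, not code from any vendor or study named in the article; the simple z-score model (standing in for the machine learning a real product would use), the window size, the threshold and all timing values are assumptions.

```python
import statistics

def make_events(dwells, flights):
    """Constructed-input helper: (key_down_ms, key_up_ms) pairs from hold and gap times."""
    t, events = 0, []
    for d, f in zip(dwells, flights):
        events.append((t, t + d))
        t += d + f
    return events

def features(events):
    """Dwell = how long each key is held; flight = gap between release and next press."""
    dwell = [up - down for down, up in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell, flight

def enroll(events):
    """Owner profile: (mean, sample standard deviation) for dwell and for flight."""
    return [(statistics.mean(v), statistics.stdev(v)) for v in features(events)]

def score(profile, events):
    """Mean absolute z-score of a window against the profile (lower = closer to owner)."""
    zs = [abs(x - mean) / sd
          for (mean, sd), values in zip(profile, features(events))
          for x in values]
    return sum(zs) / len(zs)

def monitor(profile, session, window=5, threshold=2.0):
    """Score consecutive windows across the whole session, not just at login.
    Returns the starting keystroke index of each window that should be challenged."""
    return [i for i in range(0, len(session) - window + 1, window)
            if score(profile, session[i:i + window]) > threshold]

# Constructed sample data (milliseconds), not measurements from any real user.
ENROLL = make_events([95, 105, 100, 90, 110, 100, 98, 102, 93, 107],
                     [150, 140, 160, 155, 145, 150, 148, 152, 143, 157])
OWNER_D = [97, 103, 99, 92, 108, 101, 96, 104, 94, 106]
OWNER_F = [152, 142, 158, 153, 147, 149, 151, 146, 154, 150]
# Keystrokes 0-9 come from the owner; from keystroke 10 a different typist takes over.
SESSION = make_events(OWNER_D + [60] * 10, OWNER_F + [300] * 10)

PROFILE = enroll(ENROLL)
FLAGGED = monitor(PROFILE, SESSION)

if __name__ == "__main__":
    print("windows needing step-up authentication start at keystrokes:", FLAGGED)
```

The owner's windows score below the threshold and pass silently, while the windows typed after the hand-over are flagged even though the session was already unlocked.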
As with all authentication methods, accuracy will be paramount. There are a number of companies - see NuData, BehavioSec or Invisible Challenges, for example - working on building behavioural biometrics solutions, while UK bank NatWest has shown interest in utilising the technology to prevent fraud in real time.
Getting to a workable degree of accuracy will involve machine learning and even deep learning, while a large degree of drip-feeding will be needed to encourage a typically sceptical public to trust the technology.
If the success of fingerprint ID for smartphones can be taken as a marker, then biometrics will be welcomed by users.
The technology is an easy sell, and any discomfort around tech companies holding your fingerprint data will be offset by how clearly preferable Face ID is to a password when it comes to keeping a bank account secure.
There will be teething problems - hacks will make headlines and some will be uncomfortable with the technology - but ultimately the password appears doomed in the face of a truly 21st century alternative.
The unique nature of a person’s fingerprint, along with always having it with you, and never being in a position to forget it, has long made this the entry point into biometric security. However, as soon as a new security protocol is established, efforts to circumvent it will follow.
In 2018, researchers at New York University created an AI program called DeepMasterPrints, which was able to replicate a person’s fingerprints so that they could then be produced synthetically. The research team exploited the fact that many fingerprint scanners read only a small portion of a person’s print, so, by feeding genuine prints into a generative adversarial network, they were able to obtain new prints that shared only certain matches.
By demonstrating this comparative weakness in existing scanners, the NYU researchers hope to push forward development of more secure fingerprint readers in subsequent devices.
Illustrations by Kseniya Forbender
To contact the editor responsible for this story:
Margarita Khartanovich at [email protected]