CES 2014: A Technological Assault on the Password
Typing in passwords on tablets and PCs could become a thing of the past.
Typing in passwords—and worrying about data breaches at online services—could soon occupy less of your time. This week at the International Consumer Electronics Show, several companies launched technologies that get around passwords with authentication technologies that rely on fingerprints, eyes, or other tricks. Some of these technologies will be available this year on existing gadgets, while others are set to be integrated into future PCs, tablets, and phones. One has the backing of Google, which has said it hopes passwords will eventually be used only rarely (see “Google Experiments with Ring as Password”).
Security experts have long said passwords are a poor way of keeping devices and online accounts private. But with few alternatives, they have come to dominate digital life. The primary drawbacks to relying on passwords are that people struggle to remember them and often reuse them, and companies must store them in central databases that are targeted by criminals. Some 150 million usernames and passwords were taken from Adobe servers in October 2013. Evernote, LinkedIn, and other companies have suffered similar breaches.
“Usernames and passwords are not good security, and they are also inconvenient—and getting more difficult to manage as we get more and have to make them more complex,” says Stina Ehrensvärd, CEO of Yubico, which at CES demonstrated the YubiKey Neo, an authentication device similar to a USB stick.
It works with a protocol called U2F that’s under development by Google, whose employees use the device to access internal systems at the company. Users insert their personal Neo into a PC’s USB port or tap it against a mobile device when they need to log in to an app or Web service. A helper phone app or the Chrome browser then uses the secure chip inside the Neo to exchange cryptographic keys with the service. The user also needs to enter a short PIN.
Although using the system requires novel hardware and login systems, Yubico, Google, and some partners are trying to convince other companies and browser makers to adopt it. Ehrensvärd says large companies, such as banks, will want to do so because it offers the right balance between greater security and ease of use for their customers. “The user experience can be super-slick,” she says, “and one key is not locked to any one company or service.” The YubiKey Neo will go on sale later this year for $50 after the U2F protocol has been further refined, says Ehrensvärd. She expects many to be sold in bulk at a discount to companies, some of which may issue it free to their customers.
Several other companies at CES demonstrated ways to use parts of the body to vouch for your identity. Synaptics, which builds touch-pad and screen technology used in many computers and mobile devices, promoted its new fingerprint sensor division.
Fingerprint biometrics are hardly new, but Sebastien Taveau, formerly chief technology officer of Validity, a fingerprint sensor company that Synaptics acquired in October, says that the scanning technology is now mature enough to become commonplace. He points to Apple’s inclusion of a fingerprint reader on its iPhone 5S, launched last year, as a turning point. “It really made it a consumer technology,” he says.
Synaptics already makes fingerprint readers that are in some business laptops and the HTC One Max smartphone, but at CES it showed more compact sensors that could be easier to use. These capture a fingerprint with a tap and can be integrated into a button, like the one in Apple’s 5S iPhone, or even placed under the glass of a smartphone in the area next to its screen. Eventually, it may become possible to embed fingerprint sensors in the screen of a touch device, says Taveau.
Authentication devices can also allow new forms of personalization, says Andrew D’Souza, president of Bionym, which makes a wristband called the Nymi that verifies phone users’ identity by the unique signals from their heartbeat. “We’d like you to walk into a restaurant and they give you a drink you like and remember your name,” he says. D’Souza says that this year his company will announce partnerships with payment, retail, and online companies, which will let people log in using the Nymi instead of a password.
A device that scans your eyes to let you access your PC and online accounts also launched at CES. The Myris is a circular device about the size of a computer mouse and connects to a computer by a USB cable.
To use it, you stare into the small mirror on its underside for 15 seconds, during which time an infrared video camera looks for 240 points in each iris. On the basis of the individual signature it detects, helper software can enter passwords into websites or unlock a computer that uses the Windows, Mac, or Chrome operating systems.
The Myris will go on sale in the first half of this year, but no price has been announced by EyeLock, the company behind it. Chief marketing officer Anthony Antolino told MIT Technology Review that by the end of the year the technology will be embedded into some PCs and tablets. That is possible because infrared cameras are soon to appear in those devices (see “3-D Camera Heads to Laptops and Tablets”).
Synaptics, Yubico, EyeLock, and other anti-password companies are developing their technology under the umbrella of the FIDO Alliance, an industry group which aims to ensure that such technologies can work with each other (see “PayPal, Lenovo Launch Campaign to Kill the Password”). FIDO, which has the backing of major companies including Google, Microsoft, PayPal, Lenovo, and MasterCard, has endorsed Google’s U2F protocol.
Whatever final protocols FIDO adopts, they will have one thing in common: a person’s fingerprint, or the unique identifier of any USB device, will not be sent over the Internet. Rather, they will be checked locally; all that is transferred over the Internet will be cryptographic keys that can’t be reverse-engineered to steal a person’s identity. Taveau of Synaptics says that offers enough protection for all but those with very motivated enemies. “If someone cuts your finger off,” he says, “you have bigger problems.”
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today