If Karl Martin has his way, the only password you’ll ever need is your heartbeat.
The chief executive officer of Toronto-based startup Bionym is part of a group of researchers and executives trying to kill one of the most persistent features of digital life – the text password.
“I think people are fed up,” he says. “This is getting worse and worse – you have a password for every account, a lot of 12– or 16-digit passwords. People are throwing their hands up.”
Quietly, a movement is taking shape within the technology industry to finally kill off the traditional password – driven not only by growing consumer outcry, but also by twin scandals: high-profile hacking incidents that exposed customer information at major corporations such as Target, and Edward Snowden's revelations about the extent of government digital surveillance.
The flaws of traditional computer security came under the public spotlight again this week, after security experts revealed a bug called "Heartbleed." Considered one of the most significant security weaknesses in recent history, Heartbleed affects OpenSSL, encryption software used to protect some of the most sensitive data on the Internet, including passwords and personal information.
However, there are a number of technology companies trying to replace text passwords entirely with everything from fingerprint readers to voice recognition systems to cardiac rhythm monitors.
Nuance Communications, for example, is currently pushing a “voice biometrics” solution that has proven popular with corporate clients such as some major Canadian banks, says Brett Beranek, the company’s solutions marketing manager.
The system, developed in part by Canadian engineers, authenticates a user’s identity by measuring some 100 different variables that together contribute to making every individual’s voice unique – from the width of the larynx to the size of a speaker’s teeth.
As Mr. Beranek notes, voice biometrics have proven popular with some big companies in part because they make it easier for customers using a call centre to authenticate themselves without having to type a password on their phone's keypad. But the system is also useful because, even if accessed by an unauthorized party, the voice biometrics database contains no information that can be easily used elsewhere, unlike traditional text password databases – especially ones that store passwords unhashed.
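To make the contrast in that paragraph concrete, here is an added example (not code from the article, Nuance or Bionym) showing what an attacker gets from a stolen password table. Usernames, passwords and the short guess list are constructed for the illustration; the PBKDF2 iteration count is kept low so the example runs quickly and should be much higher in production.

```python
"""Added example: why an unhashed password table is reusable after a breach,
while a salted, stretched hash forces the attacker to guess per user."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Work factor for PBKDF2-HMAC-SHA256. Deliberately low for this demo (assumption);
# use a far higher count in real deployments.
ITERATIONS = 100_000
PREFIX = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iters$salt_hex$digest_hex' with a fresh random salt.

    The per-user salt means two users with the same password get different
    records, so a cracked hash does not unlock every other row with that value."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{PREFIX}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != PREFIX:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample data: the same three accounts stored both ways.
PLAINTEXT_DB: Dict[str, str] = {"alice": "qwerty", "bob": "1234", "carol": "correct horse"}
HASHED_DB: Dict[str, str] = {user: hash_password(pw) for user, pw in PLAINTEXT_DB.items()}


def crack_with_wordlist(db: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Simulate offline guessing against a dumped table.

    Plaintext rows need no work at all: the credential is simply read and is
    immediately reusable on any other site where the user repeated it. Hashed
    rows must be attacked one guess at a time, and because every salt differs
    the whole wordlist cost is paid again for each user; strong passwords such
    as carol's survive a short list of common guesses."""
    recovered: Dict[str, str] = {}
    for user, stored in db.items():
        if not stored.startswith(PREFIX + "$"):
            recovered[user] = stored  # stored in the clear: nothing to crack
            continue
        for guess in wordlist:
            if verify_password(guess, stored):
                recovered[user] = guess
                break
    return recovered


if __name__ == "__main__":
    common_guesses = ["password", "1234", "qwerty"]  # constructed guess list
    print("plaintext dump yields:", crack_with_wordlist(PLAINTEXT_DB, []))
    print("hashed dump yields:   ", crack_with_wordlist(HASHED_DB, common_guesses))
```

Running it shows the plaintext dump handing over all three accounts with zero guesses, while the hashed dump gives up only the two weak passwords that appear in the guess list, and only after the attacker spends the stretching cost per user.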
Toronto-based Bionym takes yet another approach. The company’s researchers have developed a bracelet that authenticates a user based on the unique rhythm of their heartbeat. As long as a person wears the bracelet, they are constantly logged in, with no need to enter any passwords. The system can potentially be used for everything from opening a home’s front door to alerting a store owner when a certain customer arrives. Whenever someone removes the bracelet, it shuts down, making it virtually useless if stolen.
“We can put the equivalent of a 128-character password on your wrist that you don’t have to remember,” Mr. Martin says.
Over the past decade, the lowly computer password has morphed into a complicated mess. Online banking and other high-value transactions have prompted web services to demand that their users employ longer and more convoluted passwords – which are easily forgotten. On top of length and complexity, the average user now often has to keep track of a dozen or more passwords to access everything from Facebook to an in-car Bluetooth connection.
But despite the massive store of sensitive information those passwords protect, all indications are that users still opt for the simplest passwords possible. By analyzing leaked stores of login data, researchers have repeatedly found that the most common PINs and passwords include "1234" and "qwerty."
For decades, researchers have worked on other means of authenticating users. But it’s only recently that the technology industry has started seriously considering alternatives to the text password. Last year, Apple introduced a new iPhone with a built-in fingerprint reader, joining a number of laptop manufacturers that have done the same. The move came around the same time that a number of high-profile hacking incidents (and, subsequently, Mr. Snowden’s revelations about government hacking) left customers worried about the reliability of their traditional login information.
But perhaps the biggest boost to alternative password technology came with the creation of the Fast IDentity Online Alliance in the summer of 2012. Made up of some of the industry’s biggest names, including BlackBerry, Microsoft and Google, the FIDO Alliance was created to help push for other types of authentication. In February, the group announced its first major deployment – a system that lets users verify digital payments through PayPal by using the fingerprint reader on the new Samsung Galaxy S5 smartphone.
“While this first deployment of FIDO Ready technology leverages a biometric – a simple swipe of a finger – we anticipate FIDO authentication to emerge in many forms and applications,” FIDO president Michael Barrett says.
Ultimately, for the technology to finally become commonplace, it is the industry that will have to push for alternatives to the traditional password, Bionym’s Mr. Martin adds.
“When Canada switched from the dollar bill to the loonie, some people complained, but the government just stopped printing the bill,” he says. “I think some changes have to be forced a little bit because, in the case of passwords, the service providers know that the current system is broken.”