A username and password combination has long been the standard security mechanism for online accounts. But that method just isn’t cutting it anymore.
Huge data breaches, in which hackers gain access to personal information, have risen sharply in the last few years. And consumers have named identity theft their No. 1 online concern for 14 consecutive years, according to the Federal Trade Commission.
Sometimes, our existing security infrastructure can’t protect us, like when our personal data is stored in vulnerable databases. But all too often, we’re our own worst enemy. We choose weak passwords that are all too easy for hackers to guess; we use the same passwords for multiple sites, offering thieves a sort of skeleton key. And even when we’re told about data breaches, we don’t always respond by changing passwords or any other behaviors.
The reality is, passwords don’t look to be leaving us anytime soon. Still, there are some new and interesting tools to help make our password-protected world a little safer.
by Molly Wood
Video: Four easy tips to protect your digital accounts from the next breach. By Wendi Jonassen, Molly Wood and Vanessa Perez. Published November 5, 2014. Photo by Mel Evans/Associated Press.
Many of the most ambitious and promising technologies are coming in the realm of biometrics — that is, using some physical part of yourself like your voice, fingerprint, facial recognition or an iris scan.
Biometric security systems have long been promised. Those promises have started to become reality in recent years, and really became mainstream with the introduction of a fingerprint reader in iPhones last year.
Now, people with the latest iPhones can unlock their phones, authorize purchases from iTunes and other apps and even pay at some stores by just touching their finger to their phone. The phone reads the person’s fingerprint and approves the payment.
“It used to be a fingerprint sensor had to connect with a USB cable and you’d pay hundreds of dollars,” said Hector Hoyos, the chief executive of Hoyos Labs, a biometric security start-up. “Now it’s on your iPhone.”
This month, Mr. Hoyos’s company will release 1U, an app that uses facial recognition to log people into various accounts. The app starts at $30 a year; the price can go up depending on how many websites and devices you connect to it.
The app doesn’t replace passwords entirely. To use it, you must first log into each online service, like your bank or email account or Facebook, while in the app. When you want to log into one of those services in the future, you visit the site through the app and have 1U scan your face with your phone’s camera. If the scan is successful, the app logs you in as though you had typed in your password.
Because you don’t need to remember your passwords when using the app, you can set a unique and sophisticated password for each service in the first place. In addition, the app allows you to set various levels of security for different accounts.
You can choose to have the app scan your face quickly for one account, for example, and do a “liveness” test, which will force you to move your eyes and smile before you can log in, for another account.
The app can connect with your computer, too, so when you want to log in to sites there, you can glance at your phone for a facial scan instead of entering your password. The phone sends an encrypted message to the computer authorizing the login.
The experience isn’t perfect: For one thing, you have to go to the sites through the 1U app instead of the apps or the browser you usually use. And looking at your phone to log into a website on your computer is clunky.
In addition, using 1U won’t protect you from a situation in which your username and password are stolen from some other service that you use, like your bank or a store where you shop online. But it may encourage you to have different, and strong, passwords for each service, limiting the potential damage.
In any case, your biometric information, encryption credentials and other personal information should be safe. They are stored only on your phone, Mr. Hoyos said.
In the future, Mr. Hoyos hopes that companies will stop using passwords altogether, eliminating the risk of having login credentials stored on external servers. Other companies are following a similar path: making biometric add-ons that work with existing password systems while trying to persuade companies to make a wholesale change.
EyeLock, a start-up in New York, just released Myris, a USB-connected iris scanner that costs $280.
The iris is one of the most unique human identifiers, as no two are alike. Anthony Antolino, the chief marketing officer for EyeLock, said the company was working with companies like Bank of America and had already incorporated its iris scanning technology into some of its buildings.
As for the Myris device, it’s essentially an extremely high-tech password manager. Like the 1U app, it doesn’t replace your passwords; it just replaces the need to enter them when you’re logging in to a site or to your computer.
Unlike 1U, though, the Myris software can create new, secure passwords for you and save them so you don’t have to remember them, the way that password manager programs like LastPass do. And it can import saved passwords from programs like LastPass.
All those new passwords, and your iris information, are stored on Myris’s colorful hockey puck-shaped device that you plug into your computer. That’s a warning, too: If you lose your device, there’s no getting that information back. You’ll have to tediously change every password.
Myris is easy to set up. It has a small mirror on its underside, which you stare at while sensors on the device read each eye. After the initial setup, you set up your online accounts using the accompanying EyeLock software.
Using the iris scanner is fun and futuristic, and logging into services is fast — it takes about a second.
There are multiple downsides, though. One is that Myris doesn’t work on mobile devices. Another is that you have to have the device attached to your computer.
And as with 1U, if your password is compromised from a company’s servers, you’re out of luck.
Still, using Myris should give you more security than entering a password on your own. Using the scanner will eliminate keylogging, which happens when malware on your computer reads your keystrokes and gleans your password. And using a password manager at all, especially an iris-based one, reduces the likelihood that you’ll repeat your passwords or that you’ll create easy-to-guess ones.
If these two new products don’t excite you, rest assured that biometrics are almost surely headed your way soon.
Brett Beranek, the director of product strategy for voice biometrics at Nuance Communications, which makes voice-recognition software and technologies, said most consumers would begin to encounter some kind of biometric systems in the next few years.
In the last three years, he said, Nuance has gone from 10 million enrolled users to 45 million, as companies like Vanguard, Barclays, T-Mobile and U.S. Bank have incorporated its voice authentication technology.
What remains unclear, though, is whether there will be one preferred method of biometric authentication: fingerprint, iris scanning, voice authentication or facial recognition. And companies will have to make sure that whatever they store on their servers can’t be stolen en masse.
Once those decisions are made, though, biometric readers could be here to stay.
“The technology and the knowledge to implement a solution to completely eradicate usernames and passwords exists today and we have it and it is safe and convenient,” Mr. Hoyos said. “At what speed corporations adopt it is a different matter.”