Monday February 13, 2017

Death of the password? Biometrics could be the future of digital security

A strong password is long, contains letters, numbers and symbols, and doesn't contain any words from the dictionary. (Shutterstock)

Passwords have become a memory-bending chore. What mix of letters, numbers and symbols will keep the hackers at bay? What if something as simple as a wristband could unlock all your devices and you could forget all those pesky and often insecure passwords?

According to technology experts, convenient biometric authentication (that is, the measurement of unique physical characteristics to verify identity, such as through fingerprints and facial recognition) might be the future of digital security.

Common security breaches, like last week's Loblaw PC Plus members breach, have technology experts continuously calling for the death of the password.

Bob O'Donnell, president, founder and chief analyst of TECHnalysis, told The Current that it is "incredibly important" to find an alternative to passwords.

"Because it is not difficult for people to have their passwords discovered through various types of phishing attacks," he says, adding that biometrics is "where things have to go."

Only last week, Loblaws warned their PC Plus rewards collectors to strengthen their passwords after points were stolen from some members' accounts.

Kevin Groh, the company's vice-president of corporate affairs and communication, says the breach stems from people using weak username and password combinations across multiple sites.

Fingerprints, iris scanning and facial recognition reduce the risk of digital security breaches. (CBC)

But there are only so many passwords someone can remember, and in an age where people log on to everything from their bank accounts to social media throughout the day from multiple devices, biometrics are seen as the future of personal online security.

The fingerprint scanner on your smartphone is a common example.

Nymi, a small, wearable device that uses an electrocardiogram (ECG) to authenticate your identity, is another.

"Everyone has a unique cardiac rhythm, like a fingerprint, so the idea is that if you lose your wristband it won't work for anyone else," says Karl Martin, CEO and co-founder of Nymi.

"Essentially you wear it, it transmits wirelessly and unlocks your devices and accounts without you having to take any extra effort. You're not having to remember any sort of complex secrets, your pass phrases or passwords. Literally you just wear the device and it works on your behalf to unlock everything."

Martin says that the technology industry has put the burden on users for far too long, requiring them to prove who they are constantly.

Lorrie Faith Cranor, professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon, agrees that there is a fundamental reason why making secure passwords causes stress, or often isn't done as advised.

"We're being asked to do something that is fundamentally very difficult," says Cranor.

"We're supposed to choose for every account a unique and hard to guess password that we can remember and most of us are not really good at remembering things."

How safe?

Biometrics would make things easier, but how much more secure would they make all our accounts? 

While there are always ways to be hacked, and biometrics are not foolproof, O'Donnell says it would be an "enormous risk reduction" that would work incredibly well for most people.

"What this is all about is reducing the risk, that's fundamentally what we're all about here," he says.

"A, they keep you from having to remember those passwords we forget or always reuse constantly and B, they dramatically reduce the risk and therefore make it a much safer environment in general."

This segment was produced by The Current's Karin Marley and Ashley Mak.