Yahoo email hack: Are biometrics the answer to a safer online world? Not yet, says expert

Biometric security measures like fingerprint readers and eye scanners have grown in popularity, but one expert says it'll be a long time before they replace passwords and other traditional online security methods.

Fingerprint readers, retina scanners growing in popularity, but no single tool works for everyone

Hackers accessed half a billion Yahoo email accounts as far back as two years ago, Yahoo admitted Thursday. (Marcio Jose Sanchez/Associated Press)

Yahoo admits that 500 million of its email accounts were compromised in 2014.

Ransomware attacks lock or cripple hospitals' computer networks unless they hand over a massive payout.

Actors' and celebrities' websites are hacked, or nude photos are stolen and spread online.

Oh, and your antivirus programs aren't solving the problem.

The flood of headlines suggests the frequency and severity of cyberattacks are getting worse, instead of better. Are the tools we're using to keep our personal information secure keeping up?

Technological advances in security measures are slowly gaining traction. Biometrics, especially, have grown in popularity. By scanning your fingerprint or retina, or even listening to your heartbeat, devices can identify you with data that's unique to you, without the hassle of remembering and managing multiple passwords over dozens of services.

Long wait ahead before we are password-free

It sounds like a promising, password-free future. But Eldon Sprickerhoff, chief security strategist of Cambridge, Ont.-based cybersecurity firm eSentire, warns that it will be a long time before any single method can supplant traditional passwords as the preferred method of locking down your online accounts.

The biometric wristband from Toronto company Nymi detects a wearer's heart signals to authenticate their identity. (Nymi)

"Whatever this (new technology) is, it has to have broad availability. It has to have wide acceptance," he told CBC News. "And for it to effect huge change, it takes a lot of time."

New technology always has a period of early adopters existing alongside older, tried-and-true platforms. Only after years or even decades will the new completely replace the old.

Sprickerhoff mentions the chip-and-PIN payment methods available on credit cards as one example. Banks and credit card companies have gradually introduced them to their cards, but the traditional payment methods are still available. You can even still use a chunky credit card imprinter, if you're feeling adventurous.

The popularity of the iPhone's fingerprint scanner has made consumers more comfortable and familiar with biometrics, according to a MasterCard executive. (Reuters)

Some smartphones have fingerprint readers that let users unlock the device with a swipe instead of a password. The most well-known is probably Apple's Touch ID reader, which has been around since 2013.

Microsoft PC owners can use Windows Hello, which can use either a fingerprint reader or a retina scan to unlock your computer.

In both Microsoft's and Apple's cases, though, users aren't being forced to migrate to biometric security. They can use traditional alphanumeric passwords like they always have.

Accessibility questions

Biometrics, especially methods currently growing in popularity like fingerprint and retina scanners, introduce new complexities that will have to be ironed out before they are considered the new default.

Fingerprint readers have been around for many years, but if your hands are damaged from a papercut or are worn down thanks to a labour-intensive job, Sprickerhoff says, not every reader will be able to verify your fingerprint.

"If you're a bricklayer, you don't really have fingerprints, so to speak," he said.

It also brings up questions about accessibility to the disabled: People without fingers or hands, clearly, won't be able to use a device that only unlocks with a fingerprint scanner.

"There's no single biometric method that works for every person. So you have to make some accommodation for it," said Sprickerhoff.

MasterCard's Identity Check can identify you with either a face or fingerprint reader, in case accessibility issues prevent the use of either. (MasterCard)

Some companies have taken that into account as they roll out new security options for their clients.

In March, MasterCard unveiled its Identity Check program, which allows you to open its smartphone app using facial recognition, earning it the nickname "selfie pay."

But the technology has a few blind spots, specifically when it comes to identifying someone who wears glasses or has an identical twin.

Because of this, users can upload either a photo of their face or their fingerprint data to check their ID.

In the meantime, Sprickerhoff advises people to learn more about online security and how it affects their day-to-day lives, from banking to shopping to email, and practice their due diligence in a password-protected world.

Change your passwords often. Stay on constant alert against phishing scams. While you're at it, consider covering your laptop's webcam with some tape.

"You can't go wrong with those old-school methods," he says.