How does a machine verify the identity of a human being? Irises, heartbeats, fingertips and voices, for starters.
Authentication has been a tough nut to crack since the early days of the Web. Now comes a batch of high-tech alternatives, some straight from science fiction, as worries grow about the security risks associated with traditional user name and password systems.
Apple on Tuesday introduced two new iPhones, including for the first time a model with a fingerprint sensor that can be used instead of a passcode to open the phone and buy products. The new feature is part of a trove of authentication tools being developed for consumers — and not just for phones.
Some of these, like the fingerprint sensor, involve the immutable properties humans are encoded with, while others turn our phones into verification devices.
Among the most novel — and also somewhat unsettling — biometric authentication tools is a new wristband developed by cryptographers at the University of Toronto. It contains a voltmeter to read a heartbeat.
“You put it on. It knows it’s you. It communicates that identity securely to everything around you,” said Karl Martin, one of its creators.
Security is a primary selling point of the wristband, Nymi. While a heart can be broken, Martin promises that a heartbeat cannot.
These technologies arrive against the backdrop of mounting concerns over security and privacy, as the old ways of verifying identity online have been exposed as risky. Buckets of user names and passwords have been stolen from a variety of popular sites, and last month, it was discovered that even passwords as long as 55 characters could be broken.
Clef, a startup firm in San Francisco, has developed a mobile app that lets you send an encrypted key from the app to a desktop computer.
Then, the website you are trying to enter can effectively recognize you based on your phone, instead of a typed-in password.
LaunchKey, a Las Vegas startup that is in a testing phase, also looks to the mobile phone for authentication. You register with LaunchKey and connect your account to a particular cellphone. Then, when you log into a website or mobile app that accepts the startup’s service, it sends a notification to that phone. Using an app, you move an icon on the screen to authorize authentication.
The startup OneID, based in Redwood City, Calif., offers a single sign-on that can be used on various websites and devices. In a video, an engineer at OneID, Jim Fenton, demonstrated how he used OneID to open his garage door at home.
The Achilles’ heel of many new Internet-connected devices, Fenton said in an interview, is protecting secure access.
“If you connect all these things to the Internet, you need to have good ways — good from a security standpoint and a convenience standpoint — good ways to control access to things,” he said. “Having user names and passwords is not a good solution for every device.”
Biometric authentication tools, like fingerprint readers, have already been put in devices like laptops, but they have not always worked correctly. It remains to be seen how well Apple’s fingerprint sensor will work and whether users will adopt it.
At the same time, biometric sensors raise questions of security. When Apple’s sensor was announced Tuesday, a flurry of skepticism and privacy concerns erupted online even though Apple said users’ fingerprints would be stored only on the phone — not sent to online servers or made available to app developers.
Another problem: Nymi, OneID and other startups in this field will struggle to attract consumers without high adoption rates among sites.
A more fantastical solution is being developed in a lab at the University of California, Berkeley. Computer scientists there say a simple and cheap headset will be able to read your mind to verify your thoughts — and save you the work of typing in a password.
Technologists say just one trick is unlikely to unlock the problem of authentication. One set of tools may verify identity on websites; another may unlock cars; still another could grant access to bank accounts.
A coalition of hardware and software companies, calling itself the Fido Alliance, is working on a set of specifications for password alternatives that the industry can rally around. Its guidelines are expected to be released at the end of the year. Companies affiliated with Fido are already testing products, like fingerprint readers and software that recognizes faces and voices. One day, users might be able to log into a favorite e-commerce site by speaking into a computer and buy something with a gaze at a mobile PayPal app.
Getting to know you
Facebook has arguably had the most success in becoming a one-stop identity verification service. Millions of websites allow users to log in with their Facebook credentials, which is also a way for Facebook to get to know you better — and serve you more tailored ads. The dangers are obvious. A thief with your Facebook credentials can pretend to be you across the Web.
Mozilla has been trying to popularize its Persona alternative to that single sign-on system. Mozilla makes sure your email provider verifies that the account belongs to you. Then, for every site that accepts a Persona login, you can log in with the original verified email. Passwords are not required.
Mozilla’s identity product is linked to only a small number of websites — “thousands” is all a Mozilla spokesman would say — compared with several million sites that support a Facebook login.
Johnathan Nightingale, a vice president of engineering at Mozilla, said the emergence of Internet-connected devices all around us brings a new urgency to the need to develop alternatives to passwords.
“The idea that all the things around us are going to be intelligent is great, but they don’t all have screens and keyboards and password managers,” he said. “They can’t always count on 12 uppercase letters, three lowercase letters, two punctuation marks and a percent symbol.”
He regretted that his tech colleagues had been stymied by the problem for so long.
“We tell ourselves as a group we are predicting the future,” he said. “Mostly we are hoping for the future.”