At your fingertips: Passwords to the past
Computer passwords could soon be a thing of the past. Rebecca Armstrong gives the thumbs up to the latest security gadgets
Take a moment to think about how many passwords you use every day. If you bank online and log on to check your balance, you'll use one, then another for logging on to a work email, and perhaps one more for a Google or Yahoo! email account.
Facebook junkies are prompted for a password, as is anyone who decides to download a song on iTunes, or do a bit of internet shopping.
A survey by the organisers of Infosecurity Europe, the information security industry trade fair, found that the average number of passwords used at work is five per person – so, with personal passwords factored in, most people use about 12 passwords every day.
Wouldn't life be easier if all we had to do to get on to email or pay for the weekly shopping was to place a thumb on a fingerprint scanner on the computer's keyboard? It would mean the end of having to memorise endless PIN numbers and passwords to keep our identities secure.
It may sound a bit Star Trek, but biometrics (personal identification using biological traits, such as retinal or iris scans, fingerprints or face recognition) are increasingly being applied to everyday tasks. The University of Warwick is leading the way in thumbprint scanning, and its latest breakthrough has brought biometrics closer to the realm of the everyday.
In Japan, face scanning is already used by one bank as an identification method at cashpoints. In Brazil, ID cards have fingerprint information encrypted in a barcode. At the Olympic Games in Athens, fingerprint scanning allowed athletes access to secure locations. The UK has an iris recognition system at immigration centres.
"Most of the public probably think they don't use biometrics at all," says Dr Tony Mansfield, head of biometrics at the National Physical Laboratory. "But many will have come across them at airports, even if they don't realise it." In the USA, all new arrivals are required to have their fingerprints taken, while iris scanning is used to speed up security at Amsterdam's Schiphol airport. Iris scanning is available on request at several airports in the UK, including all four Heathrow terminals. According to Infosecurity Europe, about 5 per cent of IT organisations already use some form of biometrics for security.
On a smaller scale, laptops fitted with fingerprint scanners have been available for five years, obviating the need to set up a personal password. Hewlett-Packard, Fujitsu and Toshiba have created models for security-conscious users, and Microsoft has developed a fingerprint reader that plugs into a computer's USB socket.
These devices may impress your friends and thwart your children when they're trying to get online, but they don't yet help you to pay for your groceries or check your bank account. There are a few hurdles in the way of the biometric revolution.
"When you're dealing with the great British public, technology has to be absolutely foolproof. It has to be reliable enough for banks and other organisations and it actually has to work," says David Porter, head of security and risk at the consultancy Detica. "If I'm behind someone at a busy ATM and they're mucking around with a finger on a fingerprint reader or trying to wipe somebody else's McDonald's off the screen, I'm going to start thinking, 'For God's sake, get a move on.'"
Tom Ilube, chief executive of the online identity protection service Garlik, explains that while using your iris or fingerprints to identify yourself sounds as if it would make life simpler, it would only do so if every bank, building society and online store used the technology. "If you're a consumer who interacts with 10 or 15 different organisations and they all decide they want to send you a device like a fingerprint scanner or iris scanner in order to log on, it soon gets ridiculous." Not only would this be deeply inconvenient; it would also be seriously expensive to implement.
"Ten years ago, Nationwide Building Society ran a pilot using iris recognition at cashpoints at their head office in Swindon," Mansfield says. "The customers liked it, but the trial came to an end and it didn't go any further. The reason was that a bank can't suddenly replace all its ATMs because the infrastructure across the banking community isn't in place. A bank wouldn't want to do it alone and the system would only work with one bank's ATMs when customers need to use a number of them."
Of course, that could all change if the technology is perfected. This is where the University of Warwick comes in. The biggest hurdle is that it's almost impossible to get accurate readings every time you scan your fingerprint. "With current biometric applications, users have to co-operate quite well with a system to get the best performance," Mansfield says. "For an iris scan, they have to position themselves carefully, and perhaps understand reasonably well how the system works, to get the best reading." With fingerprint scanners, if your hand is sweaty or you've burnt your finger, you'll be rejected. Angle your digit slightly differently, and you could be denied access to your bank or email account. The research by the university has seen the development of a scanner able to read partially distorted prints – though the technology is still at the prototype stage.
There are other difficulties. Another university, Göttingen in Germany, points out that as the digitised scan of your fingerprint is sent over the internet, it is vulnerable to interception by fraudsters. If they get hold of this image of your scan, they could use it to hack into all kinds of "secure" websites.
The standard way to prevent this is by encrypting it, using a scheme called the "fuzzy vault", which allows for a fingerprint to differ slightly from the original print (necessary given fluctuations of skin textures and finger movement) but which keeps the fingerprint template safe. The coded information includes detailed co-ordinates of specific features of a print, which are compared to those of the original fingerprint, kept in a secure database.
To fox online fraudsters, the system generates fake details, called "chaff". Only the intended legal recipients of the thumbprint can filter out the chaff and identify the important co-ordinates.
But the researchers at Göttingen found that powerful computers can break the code, leaving the true fingerprint details in danger. And if your fingerprint is compromised in a biometrics-led world, the repercussions could be legally and financially devastating.
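A toy version of the fuzzy vault described above, added here as an illustration and not taken from the article or from either university's work. It assumes each fingerprint feature has already been reduced to a single integer, uses a deliberately small prime field, and checks a stored SHA-256 hash in place of the error-correcting decoding a real scheme would use; all names and sample values are constructed.

```python
import hashlib, random
from itertools import combinations

P = 65537  # prime modulus of the toy field (constructed parameter)

def poly_eval(coeffs, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

def lock(features, secret, n_chaff, tol, rng):
    """Bind `secret` (polynomial coefficients) to the enrolled features."""
    vault = [(x, poly_eval(secret, x)) for x in features]   # genuine points
    while len(vault) < len(features) + n_chaff:              # chaff points
        x, y = rng.randrange(P), rng.randrange(P)
        far = all(abs(x - u) > 2 * tol for u, _ in vault)
        if far and y != poly_eval(secret, x):                # must lie off the curve
            vault.append((x, y))
    rng.shuffle(vault)                                       # hide which are genuine
    return vault, hashlib.sha256(repr(list(secret)).encode()).hexdigest()

def interpolate(points):
    """Lagrange interpolation mod P; returns coefficients, constant first."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:                                       # basis *= (x - xj)
                basis = [(a - xj * b) % P for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        coeffs = [(c + scale * b) % P for c, b in zip(coeffs, basis)]
    return coeffs

def unlock(vault, digest, reading, degree, tol):
    """Return the secret if enough reading features fall near genuine points."""
    cands = [pt for pt in vault if any(abs(pt[0] - q) <= tol for q in reading)]
    for subset in combinations(cands, degree + 1):
        guess = interpolate(subset)
        if hashlib.sha256(repr(guess).encode()).hexdigest() == digest:
            return guess
    return None

# Constructed sample data: each minutia already quantised to one integer.
ENROLLED = [1200, 5400, 9100, 15000, 22000, 31000, 40000, 52000]
SECRET = [4242, 1717, 999]                    # degree-2 polynomial
def demo():
    vault, digest = lock(ENROLLED, SECRET, 40, 5, random.Random(7))
    same_finger = [1203, 5398, 9100, 15004, 60000]   # shifted, one spurious
    other_finger = [300, 7000, 18000, 27000, 45000]
    return unlock(vault, digest, same_finger, 2, 5), unlock(vault, digest, other_finger, 2, 5)
```

The slightly shifted reading opens the vault because four of its features land within the tolerance of genuine points, while the unrelated reading returns nothing; the protection rests entirely on how many chaff points surround the genuine ones.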
Early adopters will crave biometric banking, but consumers will be wary. "The problem with it is that consumers typically don't like that sort of thing," Ilube warns. "If you survey people and say, 'Would you like this to be more secure?' they say, 'Yes.' So then you say, 'Here's a little device you need to start using,' and they don't like the idea. People panic, they don't know what to do with it, they lose the gadget – it becomes a source of concern. Quite often, when banks try to put new technology into effect, they find that the customer experience goes down rather than up, because consumers prioritise convenience way above security."
Hi-tech ways to stay secure
Chip-and-PIN at home
This device combines chip-and-PIN technology with number generating. Some banks have started providing customers with these. You log on to your bank's website and key in your ID number and password as normal. Then, to shop online or transfer funds, you insert your bank card into the reader and enter your PIN. The device then generates a random number, which you type into your computer. The number generator is encrypted with a selection of a potential 99,999,999 numbers. The bank knows on its central computer which these are and the order they will come up in.
USB Biometric Flash Drive
A plug-in fingerprint reader for laptops and home computers is a good option for anyone who's bad at remembering passwords. Users place a finger on the in-built reader to access sensitive documents, or to log on to websites. You can programme in the fingerprints of up to 10 people. The devices, which cost as little as £18, can't yet be used for banking or shopping online; they're mainly sold for convenience rather than security. They also double as storage devices for songs, photos or documents.
Several banks are looking at what's called "two factor authenticated" security. Instead of relying on a single password, the banks want to introduce another security factor. It's like having two keys to open a safe. Lloyds TSB recently sent its customers this pocket device that produces a random number, in the same way as the chip-and-PIN device above. When you log into your internet banking, you punch in that number, with your usual passwords. Lloyds TSB says it tested its device for 18 months with 23,500 customers; 95 per cent rated it as easy to use.