The pursuit of passwordless authentication has been a long and arduous one, with advancements often confined to research labs and specialized fields. The necessary technology for widespread implementation was simply out of reach until recently.
Despite the challenges, a major industry player is gradually shifting the landscape. Although technical, legal, and ethical aspects require careful consideration, the advent of biometric security and passwordless authentication marks a significant turning point. Biometrics are revolutionizing the way we approach security, and their influence is only set to grow.
Why Eliminate Passwords?
For security-conscious developers, the advantages of streamlined login experiences are self-evident. From a user’s standpoint, the need to manage countless online services and devices necessitates a more practical solution. This trend of increasing digital engagement is unlikely to change, making efficient login methods more crucial than ever.
While various approaches aim to reduce reliance on passwords, biometric authentication stands out. Services like Google, Microsoft, and Facebook accounts offer a convenient alternative by consolidating digital identities, effectively mitigating password fatigue.
OAuth and OpenID, utilized by major tech companies for years, provide a framework for managing digital identities. Although not technically passwordless, these methods offer a similar level of user convenience.
Here’s an overview of the pros and cons associated with this approach:
Advantages:
- Enhanced user convenience
- Straightforward implementation
- Robust security measures
- Trust associated with established brands
Disadvantages:
- Reliance on a centralized service
- Vulnerability to single-point-of-failure scenarios (compromising one account grants access to others)
- Potential exposure to security risks beyond user control
- Privacy concerns that might deter some users
While these points hold true for other alternatives, security certificates offer an exception. However, their use is typically limited to businesses rather than individual consumers. The overall benefits outweigh the drawbacks, which is evident in the widespread adoption of existing accounts for accessing third-party services.
The Role of Biometrics in Enhancing Security
Biometric authentication systems address numerous challenges by eliminating the need for centralized services, mitigating privacy risks, and ensuring a seamless user experience when implemented correctly. Let’s delve into the pros and cons of this approach:
Advantages:
- Fingerprint scanning: speed, affordability, and relatively high security
- Voice recognition: user-friendliness and resistance to manipulation
- Iris scans: robust security and potential for greater convenience than fingerprint scanning
- Electrocardiogram technology: continuous authentication capability
- Addressing privacy concerns across all biometric methods while maintaining strong security
Disadvantages:
- Limited suitability of biometrics for certain applications
- Often prohibitive deployment costs
- Restricted platform support and limited availability
- Technological immaturity in some areas
- Biometrics are not a foolproof solution, security vulnerabilities can still exist
Biometrics are not a novel concept or technology; they have been employed in various sectors for decades and have long been a staple in Hollywood narratives. Early iterations, such as fingerprint scanners on laptops, often fell short of expectations, resembling gimmicks rather than practical solutions.
However, significant progress has been made since then. Advances in processing power, superior imaging sensors, and sophisticated software have breathed new life into biometric technologies.
Fingerprint Scanners Gain Industry Traction
Apple’s Touch ID, arguably the most recognizable fingerprint authentication solution, is just one example of this technology’s resurgence. Apple’s decision to open up Touch ID to third-party developers in iOS 8](https://appleinsider.com/articles/14/09/17/apple-opens-touch-id-to-third-party-applications-with-ios-8) and integrate it into new iPhones, iPads, and Apple Pay solidified its position.
This strategic move gives iOS an edge over Android and other platforms, as every new iPhone and iPad will continue to feature Touch ID until a superior alternative emerges.
However, Android’s potential shouldn’t be underestimated. An increasing number of Android devices now incorporate fingerprint scanners, evolving from early swipe-based scanners to touch-scan units similar to Apple’s design. Notably, this feature is no longer exclusive to high-end devices, with even some budget-friendly phones from Chinese manufacturers incorporating it.
Despite this trend, Google’s decision not to include a fingerprint scanner on its Nexus devices, despite rumors suggesting otherwise for the Nexus 6, raises concerns for Android developers. Traditionally, Google utilizes Nexus devices to introduce new technologies, followed by documentation and API releases, as seen with NFC support on the Nexus S and the barometer sensor on the Galaxy Nexus.
This absence of a standard framework hinders developers and leads to fragmentation, with vendors relying on their own code and supporting various scanner types. Samsung’s attempt to address this issue with its Pass API offers a partial solution. Motorola’s similar initiative with its Atrix devices four years ago faced similar limitations.
While numerous hardware manufacturers and developers have released SDKs for fingerprint scanner integration, the lack of a standardized environment remains a significant obstacle, impeding efforts to reduce fragmentation and ensure interoperability.
The widespread adoption of fingerprint scanners on most phones might still be a while away, but progress is evident. In just a couple of years, we’ve witnessed a shift from their absence on flagship phones to their inclusion in affordable devices.
The question arises, how practical are they? Are they merely gimmicks like their predecessors found on older laptops?
The technology’s effectiveness is undeniable, but its applications remain limited. Software development needs to catch up with hardware advancements, requiring more services, APIs, standards, and guidelines from industry leaders, particularly Google. In their current state, fingerprint scanners on many Android devices serve as mere novelties.
While convenient, fingerprint scanners are not without flaws. Despite their uniqueness, security concerns persist. Although becoming increasingly difficult, some scanners can be fooled using simple images or more sophisticated methods like 3D printing, as demonstrated by a security expert pointed out a couple of years ago.
Practical limitations also exist, such as the inability to use fingerprint readers with gloves, an injured thumb, or in other specific situations. However, these drawbacks are relatively minor.
Microsoft’s Focus on Iris Scanning
To summarize, both Android and iOS have embraced fingerprint scanners for biometric security, although their potential remains largely untapped. But what about desktop environments? While biometrics are utilized for phone unlocking and payment authentication, how can we achieve a truly passwordless desktop experience?
Microsoft’s recent unveiling of Windows Hello offers a potential solution. The official Windows blog for a comprehensive overview provides a comprehensive overview of this initiative.
Microsoft’s vision for Windows Hello is described as follows:
“Instead of relying on a shared or shareable secret like a password, Windows 10 securely authenticates to applications, websites, and networks on your behalf—without transmitting a password. This eliminates the risk of a shared password being stored on servers and potentially compromised by hackers.
“Before authenticating on your behalf, Windows 10 verifies device possession using a PIN or Windows Hello on devices equipped with biometric sensors. Once authenticated with ‘Passport,’ you gain instant access to a growing number of websites and services across various industries, including e-commerce sites, email and social networking services, financial institutions, business networks, and more.”
Windows Hello, a biometric authentication system, promises instant access to Windows 10 devices using fingerprint scanning, iris scanning, or facial recognition. Microsoft assures users that “plenty” of new Windows 10 devices will support Windows Hello. However, iris scanning stands out as a particularly intriguing approach.
Iris scanning, compared to other methods, offers several advantages. It boasts higher reliability and potential for greater convenience than fingerprint scanning. Microsoft’s implementation will go beyond webcams or phone cameras, utilizing “a combination of special hardware and software” to ensure system integrity.
The iris scanner will leverage infrared technology, likely near-infrared, enabling operation in all lighting conditions and iris detection through glasses, even tinted ones. This technology’s compact size allows for easy integration into devices, either alongside selfie cameras on mobile devices or as an addition to existing standalone webcams commonly used with computers. This makes it suitable for retrofitting onto existing desktop PCs.
In addition to infrared scanners, Microsoft will incorporate traditional biometric security measures, such as facial recognition, utilizing Intel RealSense camera technology. This move will likely increase Windows Hello adoption, particularly as users transition to newer notebooks and hybrids built on Intel platforms.
For mobile devices, iris scanning presents several advantages over fingerprint authentication. It functions flawlessly with gloves, iris injuries are less frequent than thumb injuries, and overcoming a consumer-grade iris scanner is significantly more challenging than a fingerprint scanner.
Another notable aspect of Microsoft’s approach is their commitment to user privacy. The company won’t store users’ biometric data. Instead, the biometric signature will be stored locally on devices, accessible only to the user. This signature serves solely as a means to unlock the device and Passport, eliminating its use for network authentication.
The effectiveness of Microsoft’s biometrics plans remains to be seen, and a definitive assessment will have to wait until the release of Windows 10.
Exploring Always-On Authentication
While existing technologies show promise in replacing traditional passwords, emerging concepts offer even greater possibilities. What if we could eliminate the need for passwords, fingerprint scans, or any explicit authentication altogether?
“Always-on authentication” represents the next frontier in this domain. While several approaches have been proposed, it’s important to distinguish between machine-to-machine authentication and user authentication. Always-on authentication typically refers to technologies like “always-on” SSL authentication, SHH connections, NFC credentials, and various networking protocols, often used to monitor and authenticate financial transactions, thereby mitigating online fraud risks.
Relatively few solutions exist for always-on user authentication. Bionym’s Nymi wristband exemplifies this concept. This wearable device, resembling a fitness tracker, possesses advanced capabilities.
The Nymi wristband functions by scanning the user’s unique electrocardiogram (ECG). Simply wearing the device enables continuous authentication. As long as the user’s heart is beating, they remain logged in.
While the prospect of replicating this functionality on smartwatches like the Apple Watch or Android Wear devices might seem appealing, the technology is not yet advanced enough. Unlike smartwatches that primarily track heart rate, the Nymi utilizes a highly sensitive sensor to analyze the shape of the user’s ECG wave, a task currently beyond the capabilities of smartwatches.
However, smartwatches seem like the ideal platform for such an application, and it’s only a matter of time before they possess similar capabilities.
Imagine a future where unlocking your phone, car, office, and computer requires nothing more than your presence and a heartbeat. Seamlessly logging into accounts, making payments, shopping, and even withdrawing cash from ATMs, all without the hassle of passwords or physical cards. While this vision might seem futuristic, we are steadily moving towards it.
Implications for Developers and Users
Software developers currently have access to off-the-shelf middleware and tokenization solutions for implementing passwordless authentication. Passwordless, a token-based, open-source framework for Node.js and Express, serves as a prime example. For those interested in its implementation, Mozilla provides a comprehensive blog post that explains it.
While the transition will take time, the essential building blocks for biometric authentication are gradually falling into place. Current passwordless technologies will continue to evolve and eventually be superseded by more advanced biometric solutions.
Despite growing momentum, many remain skeptical about the feasibility of widespread biometric adoption. While acknowledging the technical challenges associated with biometrics, a broader perspective reveals a compelling case for its inevitability. Factors like industry trends, increasing emphasis on personal and corporate security, high-profile security breaches, and growing privacy concerns all point towards a future where biometric security becomes the norm.
However, the most significant driver might not be privacy or B2B security, but rather the rise of mobile payments.
The volume of mobile transactions in the US alone is projected to more than double this year, reaching $10 billion. Bloomberg forecasts this figure to skyrocket to $110 billion by 2018. On a per-capita basis, the average American consumer will make roughly $30 in mobile transactions this year. By 2018, this number is expected to surge to $330 per person. Assuming a consistent compound annual growth rate, we could be looking at figures in the thousands per capita by 2021.
With such staggering sums at stake, the adoption of secure and user-friendly authentication methods, such as biometrics, becomes not just a possibility, but a necessity.