Forgot password? Awesome! Thank biometrics, for your body shall be your master key to everything. – The Economic Times

Clipped from:

SynopsisBy the end of this decade, passwords will likely be dead. The expanding passwordless world is banking on biometrics to replace alphanumeric passwords for reasons spanning uniqueness, convenience, and ease of use. Despite not being a ‘secret’, biometrics are harder to fake, replicate, reuse, or transfer, making them a compelling solution to secure our digital lives.

Even as the concept of passwords was gaining popularity in the late 1960s — a few years after the text-based authentication method was used by the Massachusetts Institute of Technology — Hollywood was decades ahead. The industry was already fascinated with advanced technologies such as retina scans and voice- and face-recognition systems that could authenticate users.

In the 1968 epic science-fiction film, titled, 2001: A Space Odyssey, one of the characters gets access to a space station via voice authentication. There are plenty of such examples of the extraordinary prescience displayed by yesteryear Hollywood scriptwriters. In 1982, another movie of the same genre, Star Trek II: The Wrath of Khan, showed the character of Captain Kirk doing a retinal scan to access the highly classified Genesis Project. Then in 2002, Steven Spielberg pushed it further with the Minority Report. In the movie, set in 2054, John Anderton (Tom Cruise) even undergoes an eye transplant to avoid getting detected by iris scanners.

Now, an ordinary individual will not have to take such extreme measures like the disgraced cop played by Cruise in the action-detective thriller. But the real world is fast catching-up with the reel world and today biometrics is an indispensable part of our daily digital lives. According to a recent study by Infosys, the global passwordless authentication market is expected to balloon from USD36 billion at present to USD300 billion by 2025.

Biometric authentication systems are very complex and have “crazy amounts of entropy (randomness)” says Vijay Balasubramaniyan, co-founder and CEO of Pindrop, an Atlanta-based voice biometrics startup backed by Andreessen Horowitz, Google Capital, and others.

But in the case of passwords, hackers can deploy attacks which can do millions or even billions of random combinations to crack them. In comparison, Balasubramaniyan points out, “Biometrics have so much more variability that it becomes difficult to figure out.” An alphanumeric password might be just eight to 15 characters long while typical biometrics such as voice could have at least 140 features.

The Unique Identification Authority of India (UIDAI) has a biometric database of 1.3 billion people collected through the Aadhaar programme while creating the unique identity numbers for them. Biometrics are powerful as they don’t have to be kept a ‘secret’ like passwords and can’t be simply typed out by a fraudster. A biometric identifier can be multiple strings of encrypted data that is difficult to put together. Further, owing to the irreversible form of storage that companies claim to do, they are also extremely difficult to recreate.

Vulnerable identities
“Hackers don’t break in, they log in,” says a Microsoft Corporation blog. The beginning of any hacking incident is from the carefully chosen password — your best kept secret. Imagine your food-delivery app’s database getting hacked. That’s enough to give you sleepless nights.

On an average, 579 password attacks take place every second, according to a September 2021 post by Vasu Jakkal, corporate vice-president, security, compliance and identity, Microsoft. This number means that there were nearly 18 billion attacks in a year.

“Users make minor tweaks to their existing passwords — say add a number here or an exclamation mark there. Systems have become so good that they know what tweaks to make to a password to succeed,” says Balasubramaniyan.

According to the 2021 Verizon Data Breach Investigation report, more than 80% of cybersecurity breaches in the last three years had their roots in the use of compromised and weak credentials. Vishal Salvi, chief information security officer and head of cyber security practice, Infosys, says, “The growth in the use of passwords has caused considerable thinning of the sturdiness of passwords.” There are 300 billion passwords in use globally according to Salvi.

Matthew Foxton, India regional president, Idemia, a Paris-based identity-related security services provider, points out that there’s been a proliferation of online identities. He says it accelerated in the last 18 months due to Covid-19 as people spent more time behind multiple screens for working, entertainment, shopping, and other activities.

Less than 30% of the smartphones sold before the pandemic had biometric unlock feature. By 2020, it had doubled to 60%. Foxton forecasts that 80% of the total online transactions will be carried out via biometric authentication by 2025. His firm counts many big names among its clients, including the Interpol, UIDAI, Singapore’s Changi airport, and 80 police forces including those of France and Germany.

“We are moving towards a keyless world.”

— Shyam Motwani, executive vice-president and business head, Godrej LocksMeanwhile, Salvi of Infosys lists out three types of factors which form the bedrock of any authentication strategy, typically referred to as multi-factor authentication (MFA).

The first, he says, is something you know — like a password or a personal identification number (PIN). The second is something you have — like a one-time password (OTP). And the final type of factor is something unique to you — like your voice, face, or fingerprints.

The last kind of MFA is clearly gaining impetus as options such as text or SMS-based OTPs are found to be vulnerable to attacks.

Biometric as the first factor
Biometric characteristics have a higher degree of uniqueness to identify an individual. And these are also improving with the introduction of policies like ‘liveness detection’ (the algorithm won’t mistake your photo as your face). Saket Modi, CEO, Safe Security, says, “In a few years, biometrics will become the first factor of two-factor authentication (2FA). And you may not need 2FA in all cases — like when reading an online subscription versus accessing your bank account — the latter will need 2FA”.

If a database of passwords is compromised, it means that the hackers have your password. But in the case of biometrics, they can’t recreate your voice or face. The way biometrics are stored, it’s irreversible. Though, just like for passwords, salt (a random unique value) is added to conceal the actual password, variations of biometrics are made to create a set of unique features like voice, face, fingerprints which are irreversible.

Shifting to safety@2x

For example, in the case of voice the entire vocal tract is measured via a sample. The vocal cords and the shape of the vocal tract, mouth, and the nasal cavity go into creating a unique voice. From the audio, the voice biometric algorithm recreates the features of the kind of vocal tract which produced that voice. So it helps in figuring out what a person’s throat, mouth, and nose look like physically.

“This allows a user to speak any language — English, Hindi, Korean, or Spanish — and the algorithm will recognise the voice. As it is matching throat characteristics and doesn’t care about the language being spoken,” says Balasubramaniyan. It’s so accurate that even among a kitten triplet it can easily identify the young feline that just meowed.

For some hackers, breaking into such a system may sound easy. But it is complex since the voice characteristics data is stored in an irreversible manner. The hacker won’t be able to recreate the voice.

Besides voice details, companies tend to do device printing to enhance security. Every device has a unique signature — a microphone in a laptop, desktop, and smartphone are different. Algorithms are able to distinguish between devices and even check whether it’s a person’s real, live voice or a recorded one — a method often adopted by hackers to launch replay attacks.

Surmounting challenges
Despite all its advantages, biometric authentication could pose some major problems under certain situations. For instance, the system could deny you the access to make a transaction just because you have a common cold and it doesn’t recognise your voice. Similarly, age-related changes in human features are also a challenge.

To address these concerns, systems are getting trained to recognise such changes and make decisions. People’s biometric features change with time and that needs to be factored into the authentication mechanism.

“When I see you a year later, if nothing has changed in your biometrics, it’ll be weird. That alerts the system that it’s a replay attack, especially if it’s [biometric data] too close to what it was when measured,” says Balasubramaniyan.

As people age, their voice becomes lighter. While women have a higher frequency than men, the fundamental frequency changes slowly over time.
As for common colds, that’s why the algorithm is not just relying on voice but device characteristics as well. In the case of a failure, the confidence level on the machine in authenticating a user may drop from say, a high 98% to 80%.

While like voice, facial features too change, change over time, the iris doesn’t change in a human being’s lifetime. Likewise, a person’s fingerprint does not change although it is subject to wear and tear. Fingerprint recognition algorithms are getting better at reconstructing prints from potential damage like creases and scars. Typically, an identity document has a 10-year lifespan, though companies claim algorithms can now recognise faces even over longer periods of time like more than 30 years.

Biometric authentication@2x

As for storing biometrics, it could be done on devices (smartphones or laptops) or on cloud servers. FIDO (Fast Identity Online) is the standard for device-based authentication and the goal of the alliance is to help reduce the use of alphanumeric passwords. It supports a full range of authentication technologies including biometrics and has over 250 members including giants such as Microsoft, Google, Intel, PayPal, Samsung, and Amazon.

The FIDO2 standards further the goal of eliminating passwords over the Internet. It is replacing the need for a username and password to log in with passwordless authentication. It protects from common online attacks such as phishing and man-in-the-middle attacks.

Terence Gomes, country head, security, Microsoft India, says, “We advocate going passwordless and 200 million users are already using our platform to go password less and use biometrics”.

Chandan Pani, chief security officer, Mindtree, points out that experiments involving every possible human trait are underway — from monitoring heart-rate to implanting under-skin chips to scanning blood vessels to identifying the shape of earlobes and eye movements, and so on. “It can be said confidently that passwords will someday become a thing of the past. Biometrics are effective as they are harder to fake, replicate, reuse, or transfer,” he says.

Ritesh Chopra, director, sales and field marketing, India and Saarc at Norton, uses 26 passwords and some of them need to be changed every three months. Password managers and lockers do help, but there could be chances of getting hacked while using an e-commerce site or a food-delivery app. “The complex scenarios that biometrics enable make them compelling alternatives,” says Chopra.

Securing the future
The use of biometric authentication is expected to explode. From accessing your bank account or e-governance services to even logging into e-mail accounts or your own home, your body will hold the key going forward.

The early signs of this big shift are already evident. Cars makers such as Tesla have adopted keyless entry via smartphones and provide customers with a key card for emergencies.

Shyam Motwani, executive vice-president and business head, Godrej Locks says, “We are moving towards a keyless world”. Recently, the company launched a new lock that combines fingerprint and passcodes to allow access. The product, designed and manufactured in-house by Godrej, is priced at INR40,000. Cheaper alternatives from China are priced at INR25,000.

Motwani sees the use of biometrics expanding to household appliances as well.

But it comes with its own set of challenges including regulatory aspects and privacy concerns. Since biometrics are stored in irreversible formats and are not collected without the consent of people, the concern over privacy, according to experts, may be unfounded.

And as the world gets ready to embrace biometric authentication — nearly two decades after the Minority Report hit the silver screen — we need to stay a step ahead of hackers, always.

(Graphics byMohammad Arshad)

The latest from ET Prime is now on Telegram. To subscribe to our Telegram newsletter click here.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s