Beyond passwords: taking cybersecurity to the next level


The password has failed.

That ubiquitous annoyance of the digital age - the computer password - has proved itself to be profoundly unsafe. People forget them, or worse, use the same one over and over, for everything from buying a book on Amazon.com to protecting a bank account. Hackers half a planet away steal them by the thousands, if not millions.

And hackers use those purloined passwords to steal other things. The most recent example: nude photos swiped from the Apple iCloud accounts of 100 celebrities.

Security experts have argued for years that the password, at least as it's used today, must go. They are less certain about what should replace it.

Apple and Samsung phones come with a fingerprint sensor - an increasingly popular approach. Some companies are developing eye-scanners, or programs that can identify people from the way they hold, type on or scroll through their mobile phones.

'Do the work for us'

Others say the solution is better security software that eliminates the need for any firm to store passwords en masse.

"If you look out five years, passwords won't work," said Brennen Byrne, chief executive officer of Clef, an Oakland startup that uses a mobile phone to verify identity. "We're moving from a world where we log in to a hundred things a day to a world where we log in to a million things a day. And our phone, or something like it, will have to do the work for us."

Many of the password's problems lie in human psychology.

Most of us can't remember a separate password for every online service we use. We prefer short, easily memorized words or numbers, not the long and complicated strings of characters that are harder for hackers to crack.

Even worse, the troves of customer passwords amassed by Web services, online retailers and banks have become tempting targets for thieves. In perhaps the best-known example, cybercriminals in June 2012 stole passwords for 6.5 million LinkedIn accounts.

"It's not that passwords per se are evil - it's that we've been treating them as shared secrets," said Steve Kirsch, founder of OneID, an authentication startup in Redwood City. "I know the secret, and someone else knows it."

Given the password's inherent flaws, many companies have turned to biometrics, using the unique details of the human body as the ultimate source of identification.

Apple's iPhone gives people the option of recording their fingerprint to unlock their phones with a single touch. They can also use their fingerprint to approve purchases on iTunes or the App Store. The Cupertino company introduced the feature last year.

McAfee's LiveSafe security system recognizes its customers by voice, and by sight. The system records each user's face and voice, then uses the cameras and microphones built into computers and phones to verify their identity.

Brain monitors

UC Berkeley Professor John Chuang argues for going even deeper.

He and his colleagues have used the brain's electrical activity to verify identity. The process requires people to envision a task, such as singing their favorite song or performing a sport they enjoy, while wearing a relatively inexpensive EEG (electroencephalography) monitor. The devices - made by several companies for about $100 - look like a telephone headset with a small arm touching the forehead rather than angling toward the mouth.

Granted, wearing a headset and performing a mental exercise to log in to a website may seem cumbersome. And buying a brain monitor may be asking a bit much of consumers. But Chuang says the process takes about as long as typing a password. And people are already dabbling with other forms of wearable tech.

"I guess this looks a little silly, but it's something you can easily put on or take off," said Chuang, with the university's School of Information. "It looks a little like Google Glass."

Easy changes

The idea is still years from implementation, if it hits the market at all. But Chuang says the process is accurate 99 percent of the time. Like a fingerprint, the pattern of brain activity is a little different for everyone.

"We realized this approach has an additional benefit - you can change your song, your password, whenever you want," Chuang said. "And this makes it different from traditional biometrics. You can't change your fingerprint."

But fingerprints, and brain waves, aren't foolproof. If they are recorded and stored in a central location, they could become just another pool of passwords that are targets for theft. And if someone steals your fingerprint, they have it forever.

"It's all a question of implementation," said Roel Schouwenberg, principal researcher at Kaspersky Lab, a digital security firm. "In the end, your fingerprint or your retina scan is just a blob of information that can get intercepted and used. ... You only have 10 fingerprints. After that it gets more complicated."

Many companies try to get around that problem by making the user's phone, tablet or computer the arbiter of identity. OneID's system, for example, lets users confirm their identity to any participating website with just one button click. The website will examine two identification "keys" - one sent from the user's phone, the other from OneID's servers - to verify that the user is who he or she claims to be. OneID's servers don't know the phone's key, and vice versa.

"OneID fundamentally says that your identity is determined by a secret code that is on machines that you control," Kirsch said. "There's no possibility of a mass breach."

Protecting phone

Of course, the phone itself should be protected - by PIN, password, or thumbprint - in case of theft, just as any phone should be. OneID's system also gives users the ability to add a PIN for an extra layer of protection, if they want it. And if their phone is stolen, they can access their OneID account from another computer or device and lock out the missing phone.

That basic idea, making a phone or mobile device central to verifying online identity, may be about to take off. It's being pushed by the Fido Alliance, a broad coalition of tech and financial companies that includes traditional rivals Google and Microsoft.

"We start with the idea that you have a device, you authenticate to it, it authenticates to the (web)site, and your identity sits on the device," said Michael Barrett, the group's president. "Sure, I could steal your phone, and I could get your phone to pretend to be you, but I can't do that at scale."

Fingerprint scan

Fido, which stands for Fast Identity Online, has developed a set of standards for companies to pursue the idea. In February, PayPal and Samsung announced a collaboration blessed by Fido that lets PayPal users make payments with a swipe of a finger on a Galaxy S5 phone. The phone recognizes the user by a fingerprint scan, which is not transmitted over the Internet. The print is recorded, but it stays on the phone.
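The device-bound pattern Barrett describes and the PayPal/Samsung arrangement relies on can be sketched in a few dozen lines of Go; this is an added illustration, not OneID's or Fido's code. The site keeps only a public key per user and issues a one-time challenge; the phone signs it with a private key that never leaves the device, and only after a local check that stands in for the fingerprint scan. The Ed25519 choice, the user and function names, and the string used as an enrolled template are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Relying party: one public key per user and no secret, so a stolen copy of this table is useless for logging in.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte // outstanding single-use nonce per user
}
func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge hands out a fresh random nonce; a new one per login defeats replay.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand never returns an error on current Go; it aborts instead
	s.challenges[user] = nonce
	return nonce, nil
}

// Verify checks the signed nonce against the stored public key and consumes it.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, ok := s.challenges[user]
	delete(s.challenges, user) // one attempt per challenge, even on failure
	return ok && ed25519.Verify(s.pubKeys[user], nonce, sig)
}

// Device keeps the private key; template is a constructed stand-in for the enrolled fingerprint,
// which only gates local use of the key and is never sent to the server.
type Device struct {
	priv     ed25519.PrivateKey
	template string
}
func NewDevice(template string) (*Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error is always nil on current Go, see above
	return &Device{priv, template}, pub
}
// Sign answers a challenge only after the local biometric check passes.
func (d *Device) Sign(presented string, nonce []byte) ([]byte, error) {
	if presented != d.template {
		return nil, errors.New("local biometric check failed")
	}
	return ed25519.Sign(d.priv, nonce), nil
}
```

A breach of the server table yields public keys only, and a captured signature is bound to a nonce the server has already consumed, which is the "no mass breach" property Kirsch and Barrett are pointing at.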

"If usability is not addressed properly, you're not going to get buy-in," said Ramesh Kesanupalli, one of the alliance's founders. "A single touch, a single swipe, or a single blink is a very natural user experience."