What Comes After Passwords?
Steven Norton, October 2017
For many companies, the goal is for the authentication of customer and employee identities to be nearly invisible, taking only a second as a shopper logs into the website, or running in the background as office staff do their work.
To achieve that, and be able to accurately verify that employees and customers are who they say they are, companies are embracing new technologies—including biometric scans of faces and fingerprints, and behavioral-monitoring systems that track such activities as what apps you open most frequently.
As hackers are getting more sophisticated, traditional passwords are starting to be seen as less secure. The recent data breach of credit-reporting agency Equifax Inc. is likely to raise further questions about using Social Security numbers and other personal data to authenticate a person’s identity, and to fuel the push for better authentication methods. While security is paramount, companies are also seeking to provide a seamless experience to employees and customers who don’t want to be burdened with multiple passcodes.
Mastercard Inc. is equipping some of its employees with laptops that have built-in fingerprint readers, and is testing technology that scans employees’ faces before allowing them inside an office building. Exploring another advanced capability, Mastercard in March acquired NuData, whose technology can recognize customers based on how they hold their phone and other behavioral biometrics.
“The driving force is the elimination of passwords,” says Ron Green, Mastercard’s chief security officer.
Companies walk a thin line as they work to improve security without disrupting the user experience. Some customers may perceive their data as less secure if a password isn’t required. But if behavior-based programs are too sensitive and act on a false positive, such as blocking access for a user who types differently due to a broken finger, that is cumbersome, too.
Similar challenges apply to facial recognition, even as the technology continues to improve, says Steve Wilson, who researches digital-identity issues as vice president and principal analyst at Constellation Research, a Silicon Valley-based firm that advises companies about disruptive technologies. A poorly lighted room or a day without shaving, for example, could keep a person from being able to access an application, Mr. Wilson says.
Like any authentication measure, such tools also remain susceptible to spoofing by hackers. A high-quality photo or animation, or in some cases an animated avatar, can fool some facial-recognition systems.
“It’s an arms race between biometric designers and the criminals that are trying to fool the systems,” Mr. Wilson says.
Companies are coming up with creative ways to combat the problem. Vasco Data Security International Inc., a maker of cybersecurity technologies, uses “liveness detection” technology, which asks users to blink their eyes or turn their heads to verify that they’re a living being, says David Vergara, the company’s head of global product marketing.
Despite their limitations, biometric authentication measures such as facial recognition continue to become more mainstream. Indeed, Apple Inc. has said facial recognition will be used as the primary way to unlock its latest smartphone, the iPhone X, which could significantly popularize the technology.
A number of firms are turning to technology powered by machine learning to constantly authenticate people as they use an app. Such measures, which are largely behavior-based and look at a person’s typical patterns of technology use, are relatively new, but corporate interest is high, says Forrester Research analyst Andras Cser.
Automatically analyzing users’ behavioral patterns, which can include hundreds of disparate data points such as typing speed, is the Holy Grail for authentication, Mr. Vergara says, because it allows firms to monitor security in real time rather than relying on a one-time password.
Behavior-based authentication is focusing on consumers first, Mr. Vergara adds, because of the potential to improve the user experience, and therefore a company’s bottom line.
Health insurer Aetna Inc. is rolling out behavior-based security measures for its mobile and web applications, which also will include options for biometric factors such as fingerprint swipes. The technology collects the attributes of Aetna members, such as how they move through an application or how quickly they type, and feeds that data into a risk engine. Based on data about a customer’s behavior on the app and what device he or she is using, the engine can create a picture of “normal” behavior in about two weeks.
Then, if someone’s actions deviate significantly from their typical behavior, the system takes note. If a customer gives her phone to a friend, for example, the app may recognize the friend as a different person and ask for another form of authentication, such as a finger swipe across the screen.
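The risk engine described above (learn a user's "normal" from a couple of weeks of sessions, score later sessions for deviation, and ask for another factor when the deviation is large) can be sketched in a few dozen lines. The following is an added illustration, not Aetna's, NuData's or Vasco's code: the two behavioural features, the z-score threshold, the penalty for an unseen device and the sample sessions are all constructed assumptions chosen to make the mechanics visible. Note that the engine never blocks outright; a large deviation only steps up to a second factor, which is how the "broken finger" false positive mentioned earlier stays an inconvenience rather than a lockout.

```python
"""Toy behaviour-based risk engine (added example, not any vendor's code).

A baseline of per-user behaviour is built from past sessions; a new session
is scored by how many standard deviations it sits from that baseline, with
an extra penalty for a device the user has never used before. Scores above a
threshold require step-up authentication instead of a hard block.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed behavioural features; a real engine would track many more.
NUMERIC_FEATURES = ("typing_ms_per_key", "screens_per_minute")
STEP_UP_THRESHOLD = 3.0   # assumed: risk above this asks for another factor
UNKNOWN_DEVICE_PENALTY = 2.0  # assumed weighting for an unseen device


@dataclass
class Baseline:
    means: dict
    stdevs: dict
    devices: set


def build_baseline(sessions):
    """Learn 'normal' from historical sessions (dicts with the features + 'device')."""
    means, stdevs = {}, {}
    for feature in NUMERIC_FEATURES:
        values = [s[feature] for s in sessions]
        means[feature] = mean(values)
        # A constant feature would give sd 0; fall back to 1.0 to avoid dividing by zero.
        stdevs[feature] = pstdev(values) or 1.0
    return Baseline(means, stdevs, {s["device"] for s in sessions})


def score_session(baseline, session):
    """Return (risk, reasons): largest |z| over features, plus a device penalty."""
    reasons, z_scores = [], []
    for feature in NUMERIC_FEATURES:
        z = abs(session[feature] - baseline.means[feature]) / baseline.stdevs[feature]
        z_scores.append(z)
        if z > STEP_UP_THRESHOLD:
            reasons.append(f"{feature} deviates {z:.1f} sd from baseline")
    risk = max(z_scores)
    if session["device"] not in baseline.devices:
        risk += UNKNOWN_DEVICE_PENALTY
        reasons.append("unrecognised device")
    return risk, reasons


def decide(baseline, session):
    """'allow' or 'step_up' (ask for another factor); never a hard block."""
    risk, reasons = score_session(baseline, session)
    return ("step_up" if risk > STEP_UP_THRESHOLD else "allow"), reasons


# Constructed sample: fourteen daily sessions by the account owner on one phone,
# typing 170-190 ms per key and moving through 5-7 screens a minute.
OWNER_SESSIONS = [
    {"typing_ms_per_key": 170 + (i % 5) * 5,
     "screens_per_minute": 5 + (i % 3),
     "device": "phone-A"}
    for i in range(14)
]
BASELINE = build_baseline(OWNER_SESSIONS)

if __name__ == "__main__":
    # Owner on the usual device: within baseline, no extra factor needed.
    print(decide(BASELINE, {"typing_ms_per_key": 182, "screens_per_minute": 6, "device": "phone-A"}))
    # Phone handed to a friend: slower typing, unfamiliar navigation -> step up.
    print(decide(BASELINE, {"typing_ms_per_key": 240, "screens_per_minute": 3, "device": "phone-A"}))
    # Owner on a new tablet, slightly off-pace: device penalty tips it over.
    print(decide(BASELINE, {"typing_ms_per_key": 195, "screens_per_minute": 6, "device": "tablet-B"}))
```

The design choice worth noticing is that the decision is graded rather than binary: an unfamiliar device alone, with otherwise normal behaviour, does not trigger step-up, but the same device combined with a moderate behavioural deviation does. Tuning that threshold and penalty against real false-positive rates is the work that separates a demo from a product.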
Voice is currently the hot area for startups, says Mr. Wilson. There are voice-identification systems that can learn and verify speech cadence, accent and pronunciation, and other factors to create a unique “voiceprint.” Some companies are building algorithms that use voice to determine contextual clues, such as whether the speaker is under duress.
Other biometric authentication measures being developed or explored include tools that recognize handwriting, scanners that authenticate users based on their ear shape, and even ID markers obtained through a person’s DNA. No matter what forms future authentication methods take, Mr. Wilson observes, “what really matters is getting a biometric that consumers can use.”
Companies shouldn’t rely on a single authentication tool, analysts say. Experts recommend taking a layered approach to security, one that uses a combination of biometrics, behavior monitoring and, yes, even passwords.