Passwords are passe, log in with a touch

Passwords are a pain to remember. What if a quick wiggle of five fingers on a screen could log you in instead? Or speaking a simple phrase? Computer scientists in Brooklyn are training their iPads to recognise their owners by the touch of their fingers as they make a caressing gesture.

After years of predicting its demise, security researchers on the iPad project, led by Nasir Memon, a computer science professor at Polytechnic Institute of New York University in Brooklyn, are renewing efforts to obliterate the password.

Many people would agree. The password has become a monkey on our digital backs — an essential key to our many devices and accounts, but increasingly a source of exasperation and insecurity.

Still, despite recent advances, it may be premature to announce the end of passwords, as Bill Gates famously did in 2004, when he said “the password is dead.”

“The spectacularly incorrect assumption ‘passwords are dead’ has been harmful, discouraging research on how to improve the lot of close to two billion people who use them,” Cormac Herley, researcher at Microsoft, wrote in a recent paper.

Herley suggested instead that developers try “to better support the use of passwords” by helping people protect their wireless connections from eavesdroppers. “Passwords,” Herley continued, “have proved themselves a worthy opponent: all those who have attempted to replace them have failed.”

The touch-screen approach of Professor Memon in Brooklyn works because, as it happens, each person makes the same gesture uniquely. Their fingers are different, they move at different speeds, they have what he calls a different “flair.” He wants logging in to be easy. In his research, the most popular gestures turned out to be the ones that feel most intuitive. One was to turn the image of a combination lock 90 degrees in one direction. Another was to sign one’s name on the screen. In principle, the gesture can be used to unlock a device, or an application on the device that safely holds a variety of passwords.

Despite their resilience, passwords are weak, notably because their users have limited memories and a weakness for blurting out secrets. Most people need dozens of them, and they tend to pick ones that are so complex they need to be written down, or so simple they can be easily guessed. Recently, criminals have become adept at stealing passwords by sneaking malicious software onto computers or tricking users into typing them into an illegitimate site.

Companies like Facebook and Twitter have sought to address the frustration with passwords by allowing their usernames and passwords to open the door to millions of Web sites, a convenience that brings obvious risks. A thief with access to a master username and password can have access to a host of accounts.

Many companies use a smart card or a security “dongle” — a small piece of hardware that plugs into the computer and functions as a key — as a second step of verification to allow access to internal networks.

As mobile phones become bodily appendages for people worldwide, they too are emerging as instruments to verify identity. Google introduced its two-step process earlier this year.

“I think we’ll start to see people using their mobile devices as their pervasive identifiers,” said Brendon Wilson, security researcher at Symantec. “The password will no longer be the final arbiter that you are you. You will see layers on top.”

The New York Times
