Opinion: How we can finally kill the password
Innovative biometric technology that relies on human traits as security measures is the answer to beating back threats from malicious hackers.
We're reaching the end of the password era – and it can't come soon enough.
If you need more evidence that the credentials we use to log into accounts are among the greatest cybersecurity weaknesses, the 2016 Verizon Data Breach Investigations Report noted that 63 percent of confirmed data breaches involved “leveraging weak/default/stolen passwords.”
Even after years of education and awareness, people still use “123456” as their passwords (often across multiple devices and websites), share passwords with friends, or leave devices unprotected altogether.
While it’s easy to blame users for being lazy or blasé when it comes to securing passwords, the reality is that the deck is stacked against us. The problem is not that consumers do not know that they should use strong and unique passwords; it’s that it’s really hard to remember long strings of numbers and letters. It’s particularly difficult when asked to remember multiple passwords across all of our various accounts.
In many ways, our reliance on passwords turns human nature into a security vulnerability. But there's a way of using human nature to our advantage, too.
The theory of passwords is that users create a secret string of letters, numbers, and symbols that validates their identity. Ultimately, it's used to establish trust between a user and a network. When approached from this perspective, it opens the door to other ways to authenticate users.
Fortunately, the tech industry is rapidly innovating on that front. It's looking for ways of using human behavior and characteristics – how we speak, our location, the way we type, our walking patterns, or facial features – to authorize users and ultimately create a safer and more secure internet.
These changes won't replace the static password overnight. But some of this is already in use. Credit card companies and banks, for instance, are monitoring users' patterns to seek out potential fraud. That's why a transaction in Florida by a customer from Kansas raises suspicions and could trigger an account freeze.
Similarly, social media companies often ask users to verify their location when they detect someone is logging in from an unknown location or on a different device.
But the tech industry needs to do more to ensure biometric technology can effectively make us more secure. One solution is to take advantage of the technologies on our smartphones to improve authentication.
For example, the financial giant USAA recently announced an authentication scheme that uses facial recognition via the camera in a smartphone with an added twist. The app looks to see if you actually blink to make sure you're human before it grants access.
While passwords can be stolen, mimicking facial expressions – or so-called liveness detection – is a much tougher challenge. And the task for malicious hackers gets even tougher when you combine live facial recognition with other traits such as typing patterns or speech patterns.
Google is currently working on security technology that aims to combine that kind of multifactor authentication when granting users access to apps. Hopefully, other tech companies will follow their lead. It already seems like there's an appetite for it. Nearly half of millennial respondents polled already use biometric authentication in some fashion.
My guess is that few people would mourn the passing of the password. Another recent poll found up to 52 percent of people would prefer something other than passwords to access an account. In addition to being an imperfect and flawed system, remembering passwords has become a burden of the Digital Age.
So, let's work together to make passwords obsolete by embracing innovative techniques that increase our security. The future of cybersecurity doesn't need to be some deep dark secret code; it could simply be you.
Michael Kaiser is the executive director of the National Cyber Security Alliance. Follow him on Twitter @MKaiserNCSA.