The Death of Passwords and the Rise of Smiley Faces
In this digital age, we can shop online and manage our money with the click of a mouse. We’ve come so far that some people can’t remember the last time they stepped foot inside a department store or bank. Of course, as technology evolves and we acquire more options for managing our life digitally, there’s a greater need to tighten the security that protects our information.
Passwords are the first line of defense for keeping our data secure and confidential. We use passwords to authenticate our online identities; and the stronger our passwords, the less likely our information will end up in the wrong hands. This is why some companies require customers to create passwords that include at least one uppercase letter, one lowercase letter, numbers and special characters—basically, a password that no one can remember.
But even if you take steps to keep your online identity safe, there are no guarantees. I make a practice of choosing complicated passwords and changing my passwords at least once a year, yet I’ve been hacked three times in the past five years.
Between our inability to remember complicated passwords and the ability of criminals to hack our data, we have to ask: Are traditional passwords a dying model? Or an even bigger question: What will replace them?
Fingerprints are a common physical biometric for authenticating identity. This technology has been used by organizations for years, and many iPhone and iPad users use Touch ID to unlock their devices and make online purchases. But fingerprint sensors have proven expensive, hard to use and unreliable. So what else is there?
Facial recognition technology
The U.S. is responsible for 47 percent of the world’s card fraud, according to a 2015 Barclays report. Fraudulent activity can occur after a major data breach, such as the 2013 Target security breach, which affected as many as 40 million shoppers. It can also occur when criminals hack passwords. Skilled thieves know how to get around secret codes. Face scans, however, could possibly improve the security of our accounts.
MasterCard recently introduced a “pay by selfie” program where customers can use facial recognition technology for online purchases. The technology isn’t available to the masses just yet, but the pilot program does allow 500 customers to use the software. If the project is a success, facial scans could become the next big thing in credit card security.
The process is simple. Download the MasterCard identity theft app to your phone. Enroll in the program and take an image of your face. The scan maps out your face and converts your features into ones and zeros. After you make an online purchase, you’ll receive a push notification which opens the app on your phone. Hold the phone up to your face, blink and you're done. Blinking stops a criminal from using a photo of your face and tricking the system.
“Biometrics are likely the future of credit card security," says Matt Schulz, a senior industry analyst. “They're a major step in the right direction, because when your face is your password, you can't forget it, and it's much harder to steal than a PIN."
Use your heartbeat as your password
Everyone has a unique heartbeat. So when it comes to finding a unique way to authenticate your identity, what better way than your cardiac rhythm? The concept isn’t as far-fetched as you might think. Nymi—a wearable device developed by Toronto-based startup Bionym—can remember passwords and unlock devices using your heartbeat’s signature.
“You put it on once a day, touch it with your opposite hand for a few seconds, it measures your heartbeats, it confirms that you – the rightful owner – are wearing it, and then it’s able to communicate that identity to whatever system or service you use,” says Bionym President Andrew D’Souza.
And you don’t have to worry about the device not recognizing your rhythm if your heart rate speeds up or slows down. “Your heart can beat faster but electrically your beats look the same. So, whether it beats faster or slower, it doesn’t really matter. It’s really about the shape of the waves, and what that signal looks like when it comes off your heart,” explains D’Souza.
Unlock your devices with your brain’s pattern
Imagine sitting at your computer, reading a few words and seamlessly signing into your apps and programs. Unfortunately, this awesome technology isn't available. But given our brains' ability to respond and react to certain words, brain waves could become a future biometric for human identification, says the study Brainprint, published in the academic journal Neurocomputing.
Researchers at Binghamton University asked 45 participants to read a list of 75 acronyms. According to the study, “they recorded the brain's reaction to each group of letters, focusing on the part of the brain associated with reading and recognizing words, and found that participants' brains reacted differently to each acronym, enough that a computer system was able to identify each volunteer with 94 percent accuracy.”
The results suggest the possibility of using brain waves to confirm identity. But with only a 94 percent accuracy rate, it’ll be a while before this technology comes to a computer near you.
Emoji passwords may be harder to hack
Passwords are some of the hardest words to remember. But what if you could log into your bank account using emoji? (Emoji -- the word is plural -- are ideograms and smiley faces you see on electronic messages.) Do you think it’ll be easier to remember your PIN?
Intelligent Environments, a British digital banking service, has taken emojis to another level with its emoji passcode system. Rather than use a traditional numerical PIN, users can create a unique emoji PIN. Unlike 10-digit number codes that only allow for about 7,200 possible combinations, emoji PINs offer more than three million unique combinations—making it harder for hackers to decode.
IE’s system is meant to appeal to millennials—the vast majority of twentysomethings routinely use emoji, according to Tech Times.
"We've had input from lots of millennials when we developed the technology," David Webber, managing director at Intelligent Environments, told the Tech Times.
"What's clear is that the younger generation is communicating in new ways. Our research shows 64 percent of millennials regularly communicate only using emojis. So we decided to reinvent the passcode for a new generation by developing the world's first emoji security technology."
Research also shows people tend to remember pictures more easily than words, symbols more easily than sequences of random numbers and letters -- in other words, passwords. "This picture-inclination can also be noticed by the way people these days use emojis when sending and responding to messages," the Tech Times reported. "They think that a single emoji is enough to express a thought and that using emojis somehow stimulates the mind's imagination and that it encourages creativity and individuality."
Observes Alan Woodward, a cybersecurity expert: "If we persist in using passwords, which seem to be here for a while yet, we need to recognize how humans think and make these as easy to remember as possible.
"The combinations and permutations present a would-be hacker with having to run through a number of cycles that is even greater than they do for so-called dictionary attacks."
Not all experts agree.
"If anything," Erik Cabetas, managing partner at Include Security, told the New York Observer, emoji systems are little more than a "marketing move catered to millennials.”
Indeed, the system carries its own set of flaws, as Cabetas outlines:
1. “You can guard a PIN number from view when entering it into a physical ATM, but if you’re selecting emojis from a touch screen then that isn’t as easy.”
2. “With a PIN number, you can verify identity over the phone. You can’t with an emoji.”
3. “Both emoji and PIN numbers will fall into the same pattern of use—'1234' will become 'top row of emojis left to right.'”
“It does have a bit more entropy," he said, meaning lack of predictability when compared to current methods. "But I don’t think switching to an emoji based system adds that much more to the security of the system."
For instance, Cabetas noted that the best emoji security system would be insufficient to authenticate a bank account.
“It’s fine for replacing a PIN number," he said, "but it’s not fine for replacing a password. If it’s one factor in a multi-factor authentication system, then that’s OK. If it’s the only factor in authentication, then that’s not OK.”
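To put numbers on the entropy argument above, the following added example (not from the article or from Intelligent Environments) compares a digit PIN with an emoji PIN, first when every code is equally likely and then when users fall into predictable patterns. The 4-symbol length, the 44-emoji alphabet, the 3-attempt lockout and the 10 percent of users choosing one of three popular patterns are all assumptions made for illustration.

```python
import math

def keyspace(symbols, length, no_adjacent_repeat=False):
    """Count codes of `length` symbols drawn from an alphabet of `symbols`."""
    if no_adjacent_repeat:  # each symbol must differ from the one before it
        return symbols * (symbols - 1) ** (length - 1)
    return symbols ** length

def entropy_bits(space):
    """Entropy in bits if every code is equally likely (the best case)."""
    return math.log2(space)

def lockout_success(space, attempts, popular_share=0.0, popular_codes=0):
    """Chance that guessing succeeds before an `attempts`-try lockout.

    Model (assumed): `popular_share` of users pick one of `popular_codes`
    well-known patterns; everyone else picks uniformly from the rest.
    Guesses are spent on the popular patterns first.
    """
    tried_popular = min(attempts, popular_codes)
    p = popular_share * (tried_popular / popular_codes) if popular_codes else 0.0
    rest = space - popular_codes
    tried_rest = min(attempts - tried_popular, rest)
    p += (1.0 - popular_share) * (tried_rest / rest)
    return p

def compare(attempts=3, popular_share=0.10, popular_codes=3):
    """Digit PIN vs emoji PIN under uniform and pattern-prone selection."""
    rows = {}
    for name, symbols in (("digits", 10), ("emoji", 44)):  # 44 is assumed
        space = keyspace(symbols, 4)
        rows[name] = {
            "keyspace": space,
            "bits": round(entropy_bits(space), 1),
            "uniform": lockout_success(space, attempts),
            "skewed": lockout_success(space, attempts, popular_share, popular_codes),
        }
    return rows

if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

Under uniform choice the emoji PIN is far harder to guess within the lockout, but once a share of users pick the same few patterns, the success rate is set by that share and is the same for both alphabets.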
Emoji passwords may be fun, simple and provide added protection, but we’ll have to wait and see whether this becomes a mainstream security alternative.