Bench Talk

In mid-January, many Hawaiians were stunned to receive a smartphone notification suggesting that their island paradise was under attack. The official notification of an incoming missile strike came from the Hawaii Emergency Management Agency (HI-EMA) via social media and other channel notifications.   

Fortunately for the islanders (and possibly the rest of the planet), the scare turned out to be a false alarm. Tech publication The Verge reported that the error was caused by a technician using a ‘live’ template instead of an intended ‘test’ version when originating a notification for a routine drill—which led to the mass distribution of a message ending with the ominous statement: “SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL.”

A few knew quickly that the end was not nigh, such as US Representative of Hawai’i, Tulsi Gabbard, who informed her Twitter followers shortly after the original notification from military officials, who sent confirmation that the alarm was false, within just two minutes of the alarm being raised. Others were not so fortunate: Followers of the Governor of the State of Hawai’i, David Ige, waited seventeen long minutes for the “all is clear” from the governor, and ironically, HI-EMA took thirty-eight minutes to confirm that the message was an error and that Hawaii faced no threat. That’s a long time to hold your breath.

In this age of instant communication, it didn’t take long before journalists were asking why Governor Ige took fifteen minutes to tweet the good news after he was told the skies were clear. Somewhat sheepishly, the politician admitted that the delay was a result of forgetting his Twitter password.

While the Hawaiian missile scare thankfully proved to be a false alarm, delays in communication over matters concerning nuclear weapons are deadly serious. With many using Twitter, Facebook, and other social media channels as their primary source of information, Governor Ige’s memory lapse highlighted a major flaw in password security.

But we shouldn’t be too hard on the governor; it turns out we’re all not-so-great at remembering passwords, even without the pressure of dealing with a ballistic missile crisis. The temptation is to pick one that’s easy to recall (e.g., “password” or “password123” are remarkably popular), but this makes it easy to crack too. And because it’s also common for people to stick to one or two passwords for all their log-in requirements, if the bad guys find one that works for a single online account, chances are they’ll use software to try to access thousands of websites using the same email and password, potentially gaining access to the target’s whole life.

Worse still, it’s not just the hackers we should worry about—according to the welivesecurity blog, over fifty percent of people use the same password for their home and work accounts, and twenty percent of employees share their passwords with co-workers, leaving companies open to expensive data breaches triggered by their own careless staff.

However, companies and websites are fighting back. For example, many companies and websites no longer allow simple passwords, encouraging instead the use of alphanumeric versions of a minimum length together with frequent renewals.

Yet, even complex passwords are not immune to attack, considering only a relatively modest amount of computing power is required to mount a “brute force” strategy on an alphanumeric password of nine characters or fewer. Some tech-savvy websites repel these attacks by only allowing a small number of password attempts before locking access, but not all websites have followed suit.

The result is that security-conscious websites ultimately rely on the idea that you will remember a password that’s not particularly memorable. The alternative is a tedious and time-consuming password retrieval process.

Passwords have found favor because the systems are straightforward to implement and require simple technology. But the inherent flaws have forced a rethink.

An alternative is to carry passwords around in your pocket rather than in your head. One commercial solution uses a personalized USB key that plugs into a PC and loads the user’s profile. Once authenticated, the PC gains access to all the user’s logins. The drawback becomes apparent when the key is left at home.

Another option is a password formed using unique information. Some smartphone apps are available, for example, which display a unique image on the screen that is shown to the PC’s webcam to authenticate access.

But these and similar options are yet to gain mainstream adoption. In contrast, biometric technology has hit the mass market. The technology has proven a viable alternative to passwords because humans have unique, individual characteristics ranging from fingerprints and the pattern of the iris to the shape of the ear and even walking gait.

Fingerprint scanners have pioneered biometric security because they are relatively inexpensive, small, fast, and generally accurate. But you do get what you pay for. Cheap scanners can fail to react if dry skin, grease, or dirt is prevalent, yet it can be activated with a severed digit if the bad guys are desperate enough. Worse still, according to The New York Times, because cheap scanners only look at eight to ten features of a fingerprint, they can be foiled perhaps ten percent of the time by people with similar ridge patterns.

This is not the case with premium smartphones. The fingerprint scanners on high-end devices scan below the skin’s surface (making them less prone to contamination) and (reassuringly) pick up the electrical impulses that are only present in living people. They also consider many more fingerprint features than inexpensive scanners. The chance of a false match from a high-end smartphone scanner is more like one in 50,000 rather than the one in ten for cheap cell phones.

But fingerprint scanners do have one big drawback—they consume screen real estate and every millimeter on today’s smartphone is highly prized. Some smartphone models overcome the problem by moving the scanner to the back, but such a move makes access less convenient. Devices like Apple’s iPhone X have eliminated the fingerprint scanner altogether and replaced it with facial recognition. Users say the system works well but is slower and less convenient than the previous front-mounted fingerprint scanner. Next-generation smartphones promise to overcome the challenge by embedding the fingerprint scanner into the screen, but that feature will be limited to flagship devices for the immediate term because of the additional cost.

Apart from fingerprint and facial scanning, many other biometric alternatives for accessing secure devices exist. Iris scanning is one. Iris scanning on a smartphone, for example, uses the camera and an app to compare the patterns formed in the iris with those previously stored by the mobile’s rightful owner (Note: Iris scanning is not to be confused with retinal scanning, which looks at the pattern of capillaries in the back of the eye and is considered more intrusive.). The iris scanning technique works well, but its downsides include the inconvenience of holding the mobile phone close to the face and the time it takes to authenticate compared to a finger scan or even typing in a passcode.

Another biometric technique under investigation is ear shape recognition. The technology works by identifying the pattern created by the ear when it’s pressed against the smartphone screen. The key advantage is that it can be made to work with the current crop of touch-sensitive smartphone screens, without hardware modifications. The drawback is the tedium of having to lift the device up to the ear to gain access to features that wouldn’t normally require the user to raise the device (i.e., just about everything other than a more private, ear-to-device voice call).

Beyond the smartphone, other security concepts leveraging biometrics include measuring walking gait using a wearable, transferring the information wirelessly to a PC, and comparing the information to a recorded sample for authentication. An alternative is a wristband that records the unique rhythm of an owner’s heart and again uses the information to authenticate PC access by comparing the heart rhythm reading with a sample.

A novel variation on the theme of biometric comparison—and increasingly the focus of attention as voice assistants, such as Siri and Alexa, extend their reach—comes from the University of Michigan and takes the form of a necklace, ear buds, or glasses. The chosen device records the unique speech-induced vibrations of the user’s body that are then compared with a sample stored on the PC.

While passwords offered a decent and inexpensive solution during the early days of the Internet—when there were fewer websites to visit and hackers weren’t quite as smart—their time is nearly done. Biometric signatures are unique, tough to hack, and can’t be forgotten or left at home. But, which biometric method will prevail is still unclear. The deciding factors will be technology, cost, aesthetics, and convenience.