Is This the Death of Passwords?

By on

This post comes from Bob Sullivan at partner site Credit.com.

Is it possible that your next password might be as simple and subtle as the way you type or hold your smartphone? If you hate trying to fill out those CAPTCHA forms with impossible-to-decipher characters, a new strategy for telling the difference between people and computers might give you some hope.

Secrets are used to keep our stuff safe on computers; for nearly three decades now, that secret has chiefly been a password or, in security lingo, “something you know.” Advanced security systems can deploy an added layer, such as a token (or at banks, a debit card), which is “something you have.” And really high-tech systems involve biometrics, such as a retina or fingerprint scan, known as “something you are.”

So far, none of these techniques has proved robust enough to stop hackers’ endless efforts to steal critical information, whether it’s millions of Target credit card numbers or access to computers that control national infrastructure. Passwords are notoriously unreliable – too hard for users to remember and too easy for determined criminals to guess. Tokens get lost. Fingerprints can be replicated.

In other words, to cyberthieves, credit card numbers and other personal information are still “something you steal.”

From our Solutions Center: Find a better credit card in seconds

A key that can’t be hacked?

The continued race to stop high-tech crooks has led researchers to try yet another security frontier, and this time, they hope to be creating something that is so unique that it cannot be copied, yet is so easy to use that it doesn’t have to be remembered. They are trying a strategy known as “something you do.”

All computer users type at a unique speed, creating a pattern that is perhaps more personal than the way they sign their name. Smartphone users tilt their phones when they type, or scroll, or watch, in very personal patterns. It’s now possible to measure these things people do, turn the patterns into an algorithm, and create an authenticator that users simply can’t forget.

It’s also so unique, researchers hope, that criminals won’t be able to impersonate it.

William Scheckel is chief marketing officer at one of the companies trying to solve this riddle: Oxford BioChronometrics, which spun out of the ISIS Software Incubator set up by Oxford University. He says the method has real promise.

“Phone manufacturers can identify you based on information from the gyroscopic device in your handset,” Scheckel said. “Say your bank uses this technology and you hand your phone to another person. Using this method, the bank would shut the (transaction) down.”

Oxford BioChronometrics puts together a number of these “something you do” patterns into a mathematical formula it calls electronically defined natural attributes, or e-DNA. Scheckel says that using the set of highly personal characteristics creates an authentication tool that’s hard to defeat.

“The information is so specific to you it can’t be hacked,” he said.

That’s a bold claim, sure to be tested. Many “unhackable” login strategies have been foiled by criminals. One potential method: a “man-in-the-middle” attack, which essentially enables a criminal to trick a user into logging in, then lets the hacker joy-ride into the now-authenticated account to steal money or commit other forms of ID theft.

But it’s pretty clear that passwords are passé. Several high-profile hacks in recent years, including companies such as LinkedIn, have seen millions of users’ passwords exposed. Researchers have used those hacks to prove that passwords are terribly insecure anyway, with a high percentage of users opting for obvious “secret” words like “password” or “123456.”

“Simple passwords are too easily hacked and there’s too much incentive for hackers to try. Identity theft is a growing problem because it’s profitable and simple passwords make it easy as well,” Scheckel said.

If you’re worried about identity theft, you should monitor your financial accounts regularly for charges you don’t recognize. You should also keep an eye on your credit, you can monitor your credit scores for free every month on Credit.com. Any major, unexpected changes in your scores could signal identity theft, and you should pull your credit reports (which you can get for free once a year) to confirm.

Telling computers and humans apart

Scheckel wouldn’t disclose clients the Oxford-born company is working with, though he said it was working on a “proof of concept” test with a “major household name.”

But he would talk about the interesting side benefit of Oxford BioChronometrics’ product: It is particularly good at discriminating between real people and “bots” that try to automatically log in to websites around the Web and wreak havoc, bots that have typing patterns that are obviously computer-generated.

Right now, most websites use CAPTCHA forms to root out annoying bots, but they mostly annoy real people. So in May, Oxford BioChronometrics began offering a free plugin called NoMoreCAPTCHAS to WordPress users, which Scheckel says eliminates the need for CAPTCHA tests. A brand-name travel company that struggles with bots scraping its site for data is now testing the system, he said.

Forget worries about credit card hacks: If the firm can reduce the number of times users must guess what those squiggly characters are, the entire Internet will cheer.

More on Credit.com:

Sign up for our free newsletter

Like this article? Sign up for our newsletter and we'll send you a regular digest of our newest stories, full of money saving tips and advice, free! We'll also email you a PDF of Stacy Johnson's "205 Ways to Save Money" as soon as you've subscribed. It's full of great tips that'll help you save a ton of extra cash. It doesn't cost a dime, so why wait? Click here to sign up now.

Check out our hottest deals!

We're always adding new deals and coupons that'll save you big bucks. See the deals to the right and hundreds more in our Deals section.

Click here to explore 1,319 more deals!

Comments & discussion

We welcome your opinions, but let’s keep it civil. Like many businesses, we reserve the right to refuse service to anyone. In our case, that means those who communicate by name-calling, racism, using words designed to hurt others or generally acting like an uninformed bully. Also, comments that include links to email addresses or commercial websites typically aren't posted. This isn't a place to advertise your business.

  • Elle

    “Smartphone users tilt their phones when they type, or scroll, or watch, in very personal patterns” ?? Possibly but certainly not consistantly. It changes depending on whether you’re traveling in a vehicle or walking down the street, in a dimly lit area or overly bright with glare, whether you’re sober or inebriated, whether you’re lying down, sitting or standing up. Talk about being a slave to technology when it wouldn’t even allow you access to your own information if you happen to turn your hand an incorrect way. There must be more to this otherwise this is certainly a BAD idea.

    • Patrick Seitz

      That’s true, but may I suggest not performing any financial transactions that require a login while you are inebriated.

      • Elle

        LOL! now that would be funny

      • http://ecofrugality.blogspot.com/ Amy Livingston

        Fair enough, but what about if you sprained your wrist?

  • nonya bidness

    yes and I have a bridge I would like to sell you…