Tuesday, September 10, 2013

Beyond Passwords: New Tools to Identify Humans

As everything around us becomes connected to the Internet, from cars to thermometers to the stuff inside our mobile phones, technologists are confronting a tough new challenge: How does a machine verify the identity of a human being?

Authentication has been a tough nut to crack since the early days of the Web. And despite the notorious risks they carry, user names and passwords have held on.

Now comes a new generation of authentication alternatives. Apple is said to be incorporating a fingerprint sensor in the new iPhone that it plans to introduce this week. Motorola executives have said they were experimenting with electronic tattoos as a way to authenticate users for its future phones.

Technologists are toying with a variety of other ways to verify identity. Some involve the immutable properties that we are encoded with: irises, heartbeats, voices. Others are developing new techniques that use our mobile devices to verify who we are.

The new efforts come at a time when existing ways of doing things have become notoriously risky. Buckets of user names and passwords have been stolen from a variety of popular sites. Last month came news that even passwords as long as 55 characters can be broken.

A start-up in San Francisco, called Clef, has developed a mobile app that lets you send an encrypted key from your phone to a desktop computer. The Web site you are trying to enter can effectively recognize you based on your phone, instead of a typed-in password.

LaunchKey, a start-up in Las Vegas, is also trying to use your mobile phone as your authentication device. It requires that you register a user name along with your cellphone. When you are trying to log into a Web site or mobile app that accepts LaunchKey’s authentication service, it sends a push notification to that phone. You open up the LaunchKey app and slide your finger to authorize authentication. It creates a unique password for each site and app. You are not required to remember it. LaunchKey’s service is in beta and not widely adopted.

In Redwood City, Calif., a start-up called OneID is offering a single sign-on for a variety of Web sites and devices. In a video, an engineer at OneID demonstrated how he used it to open his garage door at home.

Jim Fenton, an engineer with OneID, demonstrated how to open a garage door using his company’s technology.

“The Achilles’ heel of the Internet of things is, how do you secure access to all these things?” said the engineer, Jim Fenton. “If you connect all these things to the Internet you need to have good ways – good from a security standpoint and a convenience standpoint – good ways to control access to things. Having user names and passwords is not a good solution for every device.”

Trouble is, not very many things – online or off – have yet adopted the OneID system, which means Mr. Fenton must still use a lot of user names and passwords. He keeps them in a couple of password managers on his computer, along with an encrypted USB stick. “It’s not fun,” he said.

Potentially more fun – also potentially more strange – is a new wristband developed by cryptographers at the University of Toronto. It contains a voltmeter to read a heartbeat. “You put it on. It knows it’s you. It communicates that identity securely to everything around you,” says Karl Martin, one of its co-creators. Security is a primary selling point of the wristband, called Nymi, which is available for preorder. While a heart can be broken, Mr. Martin promises a heartbeat cannot.

A promotional video for the Nymi wristband.

It faces the same problem as OneID’s product. Its success in the market depends entirely on how many companies adopt it as a way to verify identity. Mr. Martin envisions it as a way to eventually unlock cars, homes and Internet-enabled devices of all sorts.

A more fantastical solution has been developed in a lab at the University of California, Berkeley. Computer scientists there say a simple and cheap headset can read your mind to verify your thoughts – and save you the work of typing in a password.

Facebook has arguably had more success than anyone in becoming a one-stop identity verification service. Millions of Web sites allow users to log in with their Facebook credentials, which also, of course, is a way for Facebook to get to know you better – and serve you more tailored ads.

Mozilla has been trying to popularize an alternative to that single sign-on system, called Persona. Mozilla makes sure that your e-mail provider verifies that the account belongs to you. Then for every site that accepts a Persona log-in, you can log in with the original verified e-mail. Passwords are not required.

Mozilla’s identity product is linked to only a small number of Web sites – “thousands” is all a Mozilla spokesman would say – compared with several million sites that support Facebook log-in.

Johnathan Nightingale, a vice president of engineering at Mozilla, said the emergence of Internet-connected devices all around us brings a new urgency to the need to develop alternatives to passwords.

“The idea that all the things around us are going to be intelligent is great but they don’t all have screens and keyboards and password managers,” he said. “They can’t always count on 12 upper-case letters, three lower-case letters, two punctuation marks and a percent symbol.”

He regretted that his fellow tech colleagues had been stymied by the problem for so long. “We tell ourselves as a group we are predicting the future,” he said. “Mostly we are hoping for the future.”

A coalition of hardware and software companies, calling itself the Fido Alliance, is working on a set of specifications for password alternatives that the industry can rally around. Their guidelines are expected to be released at the end of the year. Already companies affiliated with Fido are testing products, from fingerprint readers to software that recognizes faces and voices. One day, you could log into, say, your favorite e-commerce site by speaking into your computer, and when you’re ready to buy something gaze at the PayPal app on your phone.

Yubico, a company affiliated with the Fido Alliance, has been testing a new authentication device, called the YubiKey.

PayPal is a member of the alliance, as is Nok Nok Labs, a Palo Alto software start-up that has developed the facial recognition and voice software.