If not passwords then what?
By Davey Winder
In the first six months of 2019 alone, there were more than 3,800 publicly disclosed data breaches according to a report from Risk Based Security. In total, these breaches exposed 4.1 billion compromised records. In 65% of those breaches, passwords were included within the leaked data. Passwords alone are – as regular readers will know – about as secure as storing your valuables in a tent.
The problem is most people remain blissfully unaware of that fact and continue to use, and reuse, those same passwords that are now in criminal circulation. Stolen passwords quickly end up on the dark web, to be sold or freely circulated within the cybercriminal community. When Google was beta-testing its Password Checkup extension for the Chrome browser, in a single month it found 316,000 compromised passwords that were still in use. The Verizon Data Breach Investigations Report 2019, meanwhile, determined that weak or compromised passwords were used in 80% of all hacking-related breaches.
The passwordless promise
“There will likely always be a need for passwords to some degree,” says Javvad Malik, security awareness advocate at KnowBe4, “whether that be as a backup mechanism or a means to initially pair physical devices”.
Sam Curry, chief security officer at Cybereason, agrees: “We’ve tried for 25 years to get there, and the clock is still ticking. The closest we’ll come in the short term is potentially an interstitial proxy layer that presents to the user both something easier to use and more secure than human-managed passwords while managing large, complex, frequently changing passwords on the back end.”
Microsoft obviously sees that proxy layer as a biometric one, facial recognition specifically. In May 2019, Microsoft’s crypto, identity and authentication team group manager, Yogesh Mehta, stated that “nobody likes passwords, except hackers” and announced that Microsoft was moving the 900 million people who use Windows 10 “one step closer to a world without passwords”.
Ever since 2015, Microsoft has been headed in this passwordless direction, notably with the introduction of Windows Hello. In November 2018, Windows 10 users started being able to securely sign into their Microsoft accounts on the web using facial recognition, without a password having to be entered. With the release of Windows 10 v1903, Windows Hello became a fully FIDO2-certified authenticator.
Google also signalled an intent to move into biometric territory when, in August 2019, a Google Online Security Blog announcement informed Android users that, when visiting certain Google services online, “you can verify your identity by using your fingerprint or screen lock instead of a password”. Another example of FIDO2 authentication in action, this marked the first time that Google had enabled the same biometric credentials to be used by native Android apps and online services. The big question is: are the technologies that are being used in that “proxy layer” role actually any more secure?
How secure are biometrics?
The obvious replacement for passwords comes in the form of what you can collectively refer to as biometrics: any technology that uses the metric of individual human characteristics. For the longest time, fingerprints were the cutting edge of biometric security. However, there’s been something of a pivot away from the fingerprint scan of late as companies such as Apple with the iPhone, and now Google with the Pixel 4, have removed the option from their smartphones in favour of facial recognition.
There are as many design-aesthetic and production-cost reasons for this as there are security ones. But fingerprint technology has been notoriously flaky from the get-go. Germany’s Chaos Computer Club (CCC) first described a method of fooling fingerprint ID systems back in 2004. This involved photographing a fingerprint and laser-printing it onto a transparent sheet using a thick toner, before covering it in a layer of latex “milk” to produce a fake print. By breathing on this latex print (yes, seriously), it became moist enough to fool most fingerprint sensors at the time. In 2013, CCC used the same technique to fool the iPhone 5s Touch ID. More recently there have been reports of neural networks generating “DeepMasterPrint” artificial fingerprints that could successfully imitate one in five prints in biometric systems, where the error rate should be no more than one in a thousand.
However, you don’t always have to go to elaborate lengths to bypass fingerprint scanners. Take the discovery that a cheap, £2.70 gel screen protector could leave the ultrasound-scanning, 3D ridge-detecting fingerprint security of the Samsung Galaxy S10 as good as useless. If the user registered a print with the screen protector in place, anyone else could then unlock the phone. Samsung soon fixed this issue via a patch sent directly to affected users, but it shows the flaws in fingerprint tech.
Which isn’t to say that facial recognition is foolproof, either – far from it. One Forbes journalist managed to fool a number of facial recognition systems using a 3D-printed copy of his head, for example. There are far less outlandish ways to trick facial recognition, too. The Google Pixel 4 smartphone has a face unlock system and no fingerprint security. Shame, then, that early reviewers found it allowed access to the device even if the user had their eyes closed! It doesn’t take a genius to work out how this could be a security flaw, as we all have to sleep.
Apple’s Face ID is supposedly not so easy to fool, yet at the Black Hat Las Vegas hacker convention in 2019, security researchers demonstrated how a pair of spectacles, some tape and a sleeping iPhone user were all that was required to do just that. This was because the “liveness” part of the Face ID process didn’t extract all the 3D data if the owner wore glasses; rather, it looked for a black area for the eye with a white dot for the iris. The hackers recreated this by covering the specs in white tape with black in the middle and then making a hole in that black tape. Dutch researchers found that 42 out of 100 smartphones tested could be fooled just by holding up a photo of the owner’s face.
One emerging new technology that I’ve been looking at recently, or rather an established biometric technology with a twist that could see it become more mainstream, is what Hitachi refers to as “hand gesture biometrics”. This couples the well-established biometric of finger vein recognition with a system that works on any device that has a camera: smartphone, laptop, desktop or standalone entry system. While you might not have heard of finger vein biometrics, it’s been a thing since 1997, when the technology was used in Japanese ATMs; many banks around the world have already replaced passwords for transaction authentication using it. It differs from fingerprint scanning in that, instead of mapping the external surface of the finger to register all the ridges that make your fingerprint unique, it reads the patterns of the veins inside the finger using ambient or infrared light. It’s also much harder to fool than fingerprinting, as this type of scanning demands dynamic blood flow rather than a static copy.
Harder isn’t impossible, of course. I have written before about how vein authentication that reads your palms has been bypassed. Researchers at the Chaos Communication Congress in Berlin demonstrated a method of making a wax hand from 2,500 photos taken with the infrared filter removed from the camera in order to capture the vein pattern. By printing the patterns and layering beeswax over them, the researchers simulated human tissue well enough to fool some vein-recognition systems. How easy it would be, in the real world, to capture those 2,500 images without the target being aware of it is a whole other debate.
Ravi Ahluwalia, general manager at the Hitachi Security Business Group (EMEA and NA), told me that there are “several methods of detecting the presentation of pictures and fake hands,” although he wasn’t inclined to reveal what these were, for obvious reasons. The technology is compliant with ISO/IEC 30107-3, the industry standard for testing of “Presentation Attack Detection”, though. What’s for sure is that capturing and cloning an internal biometric is much harder than an external one.
Then there’s the usability and cost argument for such a technology, which is where most new biometric developments falter; it’s hard to get an easy-to-use technology into something like a smartphone at a cost that makes it economically doable. The hand gesture technology utilises the existing smartphone camera without the need for any additional sensors and works by the user simply waving their hand in front of it. No hardware tokens, smartcards or biometric readers are required. The Hitachi system then creates a dataset description with a proprietary one-way algorithm to produce an encrypted template rather than an image of the vein patterns. A template that’s useless to an attacker, because no usable biometric data is stored within it, is an important consideration following the recent breach in the biometrics system used by banks and the police, which exposed the fingerprints of more than a million citizens. The camera might be seen as a weak point here, but even if that were compromised, all the attacker would get is a video stream. To exploit the authentication process itself, an attacker would need a level of access to, and control of, the device; and that would mean security was totally compromised already.
Bill Lummis, technical program manager at bug bounty platform HackerOne, said that “passwords are the worst option for secure authentication,” adding “except for all the others”. He’s convinced that, for the foreseeable future, we will just have to continue trying to make passwords work. “Organisations can do their part by implementing and pushing, or even mandating, two-factor authentication so that even if passwords are breached, the damage is contained,” he said.
Robert Capps, vice president at NuData Security, is also of the opinion that passwordless is a way off yet. He sees most additional authentication layers, such as single-use codes created by an app or sent via text message, as “patches to an outdated authentication framework in dire need of replacement”. Until there’s a replacement for user authentication that allows users to assert their true identity, we’ll continue to use username and password solutions, “albeit with more features tacked on, such as physical biometrics”.
I spoke to Aaron Cockerill, chief strategy officer at security vendor Lookout, who talked of the one thing that needs to be more effectively dealt with as we move to a passwordless world: what he calls continuous authentication. “If we are to make changes to the way we identify people through authentication,” Cockerill said, “we need to ensure the new systems continuously assess identity.” Smartphones are ideally suited to this, being a little box of sensors, and could “continuously analyse whether the person that originally authenticated to a system is the same person using it now”.
Samsung might have the first technology that will make this viable. A recent patent reveals that it’s developing a technology that would essentially allow “instant” two-factor authentication. As a user enters their password or PIN, their fingerprint is simultaneously being scanned as a secondary authentication method. This isn’t as daft, or insecure, as it sounds. By reading the fingerprint(s) of the user inputting the password, that second layer of authentication ensures it’s the actual user rather than someone with access to the device.
It’s not yet clear when the tech will come to market, as the patent includes a number of options. One of them is a single, small, fingerprint-reading input area across which the numbers or digits scroll and are entered when pressed. Given that Samsung is already talking up larger in-screen fingerprint sensors for the next generation of Galaxy devices, I prefer the option of having a large authentication area that reads the fingerprint whenever the user is typing, entering a PIN or even a “swipe” pattern. I doubt this is something we’ll see in 2020, but 2021 certainly seems more than doable.