First the good news: “password” is no longer the most widely used password. Now the bad news: it’s been knocked off the top spot by “123456.” Banks and online retailers—who have the most to lose from hacks—know that no matter how much they ask users to think up a password with capitals, numbers, characters, and obscure phrases in Tagalog, passwords will always remain weak and prone to hacking.
So if thoughts from inside your head won’t cut it, perhaps actual body parts will. Here’s what some people think might replace passwords for good:
Barclays announced last week it will provide biometric readers to its corporate banking clients from next year. The biometric reader looks like a bank-branded pulse oximeter, the sort of medical device you’re hooked up to when rushed to the hospital. It looks for unique vein patterns in the finger to ensure the person brokering a big deal is, in fact, who they say they are.
It’s not the first newfangled technology that Barclays has deployed to try and bolster security. Last year it introduced “voice biometrics”—analysing speech patterns—for its wealth and investment management clients. That system is provided by Nuance, a company best known for producing the Dragon NaturallySpeaking voice-to-text software. It has a 95% success rate in correctly identifying customers (standard security questions are used as a fallback option).
Alibaba, the giant Chinese online retailer, is integrating fingerprint scanning into its Alipay Wallet app. Foxconn, the Taiwanese manufacturer of the iPhone and iPad, threw nearly $5 million at Norway’s NEXT Biometrics, which develops fingerprint scanning technology, back in May. And earlier this month it took a 10% stake for $2 million in AirSig, a Taiwanese company that uses smartphones’ built-in gyroscopes to track air handwriting. The company says AirSig provides three-factor authentication: your signature, your phone, and the way you sign with a flourish in mid-air.
If you don’t particularly care for the idea of using your own body parts, why not use a friend’s? Researchers at the University of York recently tested the theory behind a system that they call “Facelock.” Users pick people known to them but not to the general public. Pictures of these familiar faces replace the password; users are given a selection to choose from. Lab tests show that hackers guess the correct face less than 1% of the time, while legitimate users rarely failed in their recall.
None of these systems are as innovative or infallible as their makers boast. Fingerprint scanners have been attached to mainstream consumer electronics for more than a decade, and have often proved temperamental or prone to fakery. Apple’s TouchID on the iPhone 5s was hack-free for a grand total of 48 hours after its release. Signatures can be forged, even if they’re written in mid-air.
But at least nobody’s going to be chopping off fingers: For Barclays’s finger vein technology to work, the finger must be attached to a body. One way or the other, the future of passwords is clear, and it doesn’t involve passwords.