The digital password as we know it quietly marked its 60th birthday earlier this year. Back in 1962, MIT professor Fernando Corbató came up with the system in order to allow four colleagues to access the then-new IBM 7090 in a “time-sharing” environment. For context, it would be another seven years before ARPANET – which would eventually morph into the internet and World Wide Web – was turned on.
After six decades, the traditional password is in decline. Growing security risks brought about by the introduction and growth of the Internet of Things (IoT) mean a new breed of AI-powered biometric identification services is going to be needed to keep the world safe. Your first pet’s name is no longer required. Instead, expect faces, fingers and voices to be called upon more often as we navigate the new networks.
Prove – a US-based provider of authentication services – surveyed 2,000 consumers and asked them how they felt about passwords and how they used them. Less than 10% offered biometric authentication as their preferred way of proving their identity in the future, while 30% were happy to continue with traditional passwords.
However, the survey also noted that three-quarters of respondents agreed biometric authentication is more secure than a traditional password. A move away from traditional passwords is essential now that the Internet of Things (IoT) means the world is awash with opportunities for cyber criminals.
FIDO sheds AI light on IoT cybersecurity blind spots
“The more points of entry to a network, the more potential there is for hackers to break in, so it’s not hard to imagine how quickly the vulnerabilities stack up in an IoT system,” says Roland Atoui, Security Certification Secretariat with FIDO Alliance.
“As IoT matures, there’s a desperate need for standardisation to help organisations remove these cybersecurity blind spots costing them billions – not least in reputational damage.” Atoui’s concerns are echoed by research from Gartner, which predicts that 45% of organisations worldwide will have experienced attacks on their software supply chains by 2025, a three-fold increase from 2021.
Domestic IoT devices have the potential to collect and access a large amount of personal information about users and sensitive data relating to their environment, says Steven Furnell, IEEE Senior Member and Professor of Cyber Security at the University of Nottingham: “Devices, such as smart speakers and TVs, are often linked to the accounts that consumers use on other devices. The difference is that on these other devices they are more readily protected against unauthorised use.
“On the smart device people may set them up initially and forget that they are essentially ‘logged in’ all the time,” explains Furnell. “Without further precautions, this may mean that others can come along and access other content via the linked account, such as cloud-synchronised contacts, schedule information, and photos.”
People are often less mindful of the security risks posed by IoT devices, as they do not necessarily think of devices as storing and communicating data in the same way as traditional computing devices, says Furnell.
“If you ask people to characterise a smart device, they are likely to do so by referring to it being ‘online’ or simply ‘connected to the Internet’. However, the wider implications of what this means – and what the device may be collecting and sharing – are often lost.”
AI biometrics need to stay simple, says SailPoint
Biometrics done well can nudge people towards the adoption of good security practices without imposing an additional burden, explains Mike Kiser, Director of Strategy and Standards, SailPoint. Facial recognition on mobile devices involves simply looking at the phone or screen, for example, something done in the course of regular interaction. Users are not asked to adopt a new approach.
“In this way, security is improved, all while accelerating authentication as compared to some older approaches,” explains Kiser. “For IoT devices, biometric authentication might be a more appropriate form factor as well: not every IoT device will have a screen or keypad — biometrics could use a fingerprint or voiceprint reader to authenticate the user rather than adding additional, unwieldy technology.”
IEEE’s Furnell agrees this level of convenience is essential if biometrics are going to be adopted quickly. No one wants to type a password into a smart TV or speaker, whereas being recognised by face or voice is a natural way to interact with each type of device, he says.
“Users control the smart speaker via voice commands and are typically sitting in view of a smart TV when they use it. The process of being authenticated by the device becomes transparent and non-intrusive from the user perspective. As a result, it feels more usable or frictionless.”
We may not see the kind of password inflation that has emerged in the past 20 years – according to the Prove research, respondents had six “go-to” passwords which are used across the broad range of accounts in their lives – but there is unlikely to be one biometric to rule them all.
“It is useful to have multiple solutions because the same biometrics are not equally suited to different devices,” says Furnell. “For example, face recognition would not work well with smart speakers. At the same time, there will be some classes of IoT device that do not have any suitable sensors as standard, such as a smart thermostat or washing machine; neither could be relied upon to have a camera or microphone.”
In these cases, devices would be required to work together, with the biometric captured on one being shared with another in a secure, trustworthy manner.