Bill Carey is Vice President of Marketing & Business Development at RoboForm
Back in 2005, when I first started working in the password management industry, the internet was only around 5% of the size it is now. But even then it was clear that the internet was still in its infancy. What occurred to me at the time was that people would soon reach a point where they simply wouldn’t be able to recall the range of unique passwords for each of the websites they accessed. This is why I saw such an opportunity in password management, and the ability to have one secure password that would unlock all the others.
However, many companies saw it differently, most notably those working on biometric authentication solutions. They viewed this rapid proliferation of internet usage as an opportunity to revolutionise the way we log into our computers, websites, and business applications. The future of authentication as portrayed in futuristic films, with fingerprint scans, voice recognition and retina readers dominating our everyday lives, appeared imminent.
However, what quickly became clear was that the devices being developed at that time were not yet ready for widespread application. For that reason I continued down the password manager route, with confidence that the sci-fi era of authentication had not yet arrived.
Fast forward to today and people are still talking about biometrics, which is growing in popularity, particularly in the finance sector. Recently a number of banks and financial services organisations have been dabbling in the biometric space, largely in an attempt to create a superior customer experience to their competitors. In February, HSBC launched voice recognition and touch security services in the UK, a service that will be offered to 15 million customers. The bank’s head of retail banking and wealth management, Francesca McDonagh, has called it “the largest planned rollout of voice biometric security technology in the UK.”
Similarly, earlier this year MasterCard confirmed that it will accept selfie photos and fingerprints as an alternative to passwords from customers verifying IDs for online payments. Atom Bank, the new digital-only bank launched in the UK, recently announced that it will be using face and voice recognition technology to allow customers to log in to their accounts. Clearly, established and new financial brands alike are gambling heavily on biometric technology as a way to better serve their customers.
However, while the years have passed and the Internet has evolved, I would argue that the challenges faced by biometrics a decade ago are still remarkably similar.
Chief among them is simply the human factor – for better or worse, most of us just don’t value our security over our convenience. Biometrics may be secure, but we have yet to find a way to create fingerprint scanners and other pieces of technology that are simple and reliable enough to be used by a mass audience.
Further, in my opinion there’s an even more basic issue that the biometric industry has to solve before you’ll see widespread adoption of biometric devices. After each of the various data breaches that have occurred over the past couple of years at companies such as Carphone Warehouse, Ashley Madison, and financial brands such as JPMorgan Chase, the advice from the compromised company and security experts alike is to change your password. While this is a bit of an inconvenience for most of us, it is not the end of the world, particularly if you use a password management solution.
However, this is something you simply can’t do if you are using biometrics. Indeed, the primary selling point of biometric products is that they cannot be changed. Your eyes and fingerprints are unique to you, and unfortunately that uniqueness comes at a price. If your biometric data is compromised, it is permanently lost to hackers, and cannot be changed.
It is pointless to argue about which security solution is the ‘best’. As I see it, the future lies in individuals using a range of security authentication options in combination, with each one working to cover the weaknesses of the other. This is referred to as ‘multifactor authentication’, and comes in three parts:
- Something you have – such as a piece of hardware or software
- Something you know – such as a password, or answer to a security question
- Something you are – such as a fingerprint or retina scan
Rather than trying to present a particular technology as the Holy Grail of security, and a replacement for the password, I think we should be educating internet users about the benefits of multifactor authentication. Ultimately, using more than one factor will certainly increase a user’s security, no matter how secure a single factor may appear to be.
Passwords aren’t going away anytime soon. While it is certain that we will continue to see new biometric technologies enter the marketplace, each offering a new way to access our computers, apps and websites, passwords will continue to be a part of the multifactor process. It was true back in 2005 and it will continue to be true for many years to come.