NPR

The Most Secure Password In The World Might Be You

The iPhone 5s includes a fingerprint scanner that can be used in lieu of a PIN or password. Some tech giants say finger or voice recognition is the wave of the future. (iStockphoto.com)

You're probably well-acquainted with one of life's little annoyances: the password.

Your voicemail. Your email. Your smartphone. Maybe you've got a different one for each — which means you're bound to slip up.

Or maybe you use the same one for everything — a security no-no. The number of sites and services that demand a password or PIN seems to have grown exponentially. And keeping track of the ones you've got? Forget about it.

Well, Silicon Valley titans are getting tired of them, too. At the Tech Crunch Disrupt conference in September, Google's top security executive, Heather Adkins, declared that passwords are dead. And that's straight from a founding member of the security team at Google, home to 425 million email accounts.

Adkins says startups tying their future to passwords might as well give up now, given how much work it takes to keep customers' passwords secure.

But if passwords are a thing of the past, what will replace them?

Biometric Prints

Wall Street is betting on biometrics. Now that Apple is adding a fingerprint sensor to its newest iPhone, companies that make similar technology have seen their share prices jump. And industry analysts say the market for fingerprint scanners could top $10 billion in the next five years.

Other biometrics companies are looking more competitive as well. Take one of Apple's partners, Nuance Communications, a voice recognition company. You've probably heard their technology if you've called an airline or reserved a hotel room — particularly if you've heard, "Your call may be monitored or recorded for quality purposes."

Nuance Communications is gathering data to improve its voice-recognition technology. The goal is to eventually do away with the whole username and passcode business altogether, says Robert Weideman, one of the company's executive vice presidents.

Imagine a system that will let you tell your bank to pay a specific bill at a specific time, with a virtual assistant responding to your voice commands.

Frankly, it's not quite at Star Trek-level responsiveness right now, but Weideman says it would be much more secure than usernames, PINs and passwords.

For example, he says, it wouldn't matter if someone passing by hears your password, because the system adds another fundamental element to password protection: a voice print.

"That doesn't change, no matter what words I'm saying. It's like your fingerprint. It's that unique," he explains. "There will come a time where you're not going to be using PIN and password as your password. You'll be speaking and touching the device, and that will become your password."

Potential Problems

What about fraud — someone trying to fake out the system? Weideman says voice-print technology is getting better all the time at preventing it. "We go through a lot of effort of making sure that people can't spoof it," he says.

Essentially, he says, the system can detect if someone is trying to use a recording to impersonate someone, as, unlike a recording, a true human voice will always sound a little bit different, even when saying the same words.

But privacy advocates are wary. Every few months a company reveals that it has lost or has had millions of customer passwords or other data stolen.

There are even skeptics among biometrics experts, like James Wayman of San Jose State University. Wayman says people have been claiming that biometrics are going to be the "next big thing" in consumer electronics for decades.

Yet good old-fashioned passwords endure, he says, and for a reason: They don't require your computer or phone to have any additional hardware. So PINs and passwords that just require a keypad or touch screen "are very durable in that respect," he says.

And, he says, "they don't need to reveal any personal information about you — they don't need to connect directly to your body.

"We're all told that we should have a different PIN or password for every one of our accounts and that we should change it regularly," he says — which isn't possible to do with a thumb print.

"And then what happens when your computer or your cellphone no longer recognizes your right thumbprint?" he asks. "How do you reset that? What if your right thumbprint no longer becomes usable?

"There are levels of complexity here that have to be carefully examined. This is connecting the authentication with a body. It's your body, and I think that has great implications."

Local Security

And, let's face it: Consumers are still nervous about this stuff.

But not Michael Barrett. "It's a heck of lot better than where we are now with passwords, which are just a dismal experience," he says.

Barrett used to head up security for PayPal. Now he runs the Fast Identity Online Alliance, a coalition of companies — including Google, MasterCard and BlackBerry — that wants to create industry security standards to encourage password alternatives.

For example, the alliance wants fingerprint scans to be scrambled and then stored locally on a device, so that they can't be pilfered from a central database.

"If somebody wants to mug us, they bash us on the head on the street and steal our wallet or purse. That's an intrinsically unscalable approach to crime. I can't mug 100 million people simultaneously," he says, "whereas on the Internet, there absolutely have been cases where companies have lost databases of 100 million or more consumers' details."

So far 53 companies have signed up for the Fast Identity Online Alliance.

In the meantime, though, you can improve security by beefing up the passcodes you already have. Industry research on stolen passwords posted by hackers shows the most popular one is: "password."

Copyright 2014 NPR. To see more, visit http://www.npr.org/.

Transcript

MELISSA BLOCK, HOST:

This is ALL THINGS CONSIDERED from NPR News. I'm Melissa Block in Washington.

AUDIE CORNISH, HOST:

And I'm Audie Cornish here at NPR West. And we're going to take a few minutes to talk about one of life's little annoyances...

UNIDENTIFIED WOMAN #1: Please enter your passcode then press pound.

CORNISH: ...the password.

UNIDENTIFIED WOMAN #1: Sorry, 1-2-3-4 is not a valid passcode. Sorry, please try again later.

CORNISH: Your voicemail, your e-mail, your smartphone - maybe you've got a different one for each and you're bound to slip up. We did a casual survey recently on the streets of downtown Berkeley, California.

Hi, excuse me. We were..

And it was clear plenty of people are frustrated. For instance, the sheer number of places that demand a password or PIN these days has grown exponentially.

Facebook.

STEVE GOODMAN: Oh, my bank, my e-mail...

CORNISH: Gmail?

GOODMAN: My e-mail for sure. Wow. Phone. Wow.

SONJA HERBERT: And Pinterest, sometimes.

If you look at your bank statements online, don't you have to put a password in? It's all upsetting.

CORNISH: And keeping track of the ones you've got, forget about it.

HERBERT: I have like probably 15. And I do a bad thing. I use the same one because I just don't have enough floss in my memory to remember.

GOODMAN: I used to use the same one over and over again. Probably isn't very good.

ALOK ROCHELEAU: Friends' names or family members' names or different variations...

JUSTIN ANGELO MARTIN: Nicknames and stuff I have had from my past and...

GOODMAN: I write them down on a piece of paper...

MARTIN: Vary it a little bit but it's pretty much...

GOODMAN: You're not supposed to.

(LAUGHTER)

GOODMAN: But everyone does the same thing because there's no way to keep track of them.

CORNISH: Steve Goodman on the streets of Berkeley along with Sonja Herbert, Alok Rocheleau, Justin Angelo Martin, and Jason Belling.

Well, Silicon Valley titans are getting tired of them, too. At the Tech Crunch Disrupt Conference in September, Google top security executive Heather Adkins said.

HEATHER ADKINS: Passwords are dead.

CORNISH: Seriously, Google home to 425 million e-mail accounts and a founding member of their security team declaring....

ADKINS: Passwords are dead. Our relationship with passwords is done.

CORNISH: Adkins says start-ups tying their future to passwords might as well give up now given how much work it takes to keep their customers' passwords secure. But if passwords are a thing of the past what will replace them?

Wall Street is betting on biometrics. Now that Apple is adding a fingerprint sensor to its newest iPhone, companies that make similar technology have seen their share prices jump. And it's profitable. Industry analysts say the market for fingerprint scanners alone could top $10 billion in the next five years. And other biometrics companies are looking more competitive as well. Take one of Apple's partners, Nuance Communications.

NINA: Please say your passphrase.

ROBERT WEIDEMAN: My voice is my password.

(SOUNDBITE OF TONES)

NINA: Welcome back, Robert.

CORNISH: Nuance Communications is a voice recognition company. And that voice belongs to Robert Weidman, one of their executive vice presidents.

WEIDEMAN: If you have called, your airline, if you've reserved a hotel room and you have been able to speak to those systems, that is our technology almost certainly.

CORNISH: In fact, you know when you hear...

UNIDENTIFIED WOMAN #2: Your call may be monitored or recorded for quality purposes.

CORNISH: Nuance Communications is gathering data to improve its voice-print technology, and, in the future, create systems that will do away with the whole username and passcode business, and just get what you need to do done.

(SOUNDBITE OF A TONE)

WEIDEMAN: Pay my Comcast bill in full next Thursday from savings.

CORNISH: Weidman gave us a little demonstration with his virtual assistant Nina. .

(SOUNDBITE OF A TONE)

CORNISH: And frankly it's not quite at "Star Trek" level responsiveness but Weidman says it is more secure.

NINA: I will pay the minimum due from your savings on October 10th. OK?

(SOUNDBITE OF A TONE)

WEIDEMAN: Yes, go head.

CORNISH: So when you said my voice is my passcode was that your pass phrase? Did I, as a passer by, just hear what your passphrase is?

WEIDEMAN: You did.

CORNISH: Is that OK?

WEIDEMAN: That is OK because there's two fundamental elements to a voice password. One is my voiceprint and that doesn't change no matter what words I'm saying. It's like your fingerprint and it's that unique. And the passphrase is another element. So they might be able to overhear what my passphrase might be but they don't have my voiceprint and so it keeps it very secure. And much more secure than usernames and passwords.

There will come a time where you're not going to be using pin and password as your password. You'll be speaking and touching the device and that will become your password.

CORNISH: But privacy advocates are wary. Every few months, a company reveals that it has lost or has had millions of customer passwords or other data stolen. And what about fraud? What about trying to fake out the system? Weideman says voice print technology is getting better all the time at preventing it.

WEIDEMAN: We go thru a lot of effort of making sure that people can't spoof it. You can get a recording and just imagine a Xerox of a picture. It's the identical - like dot by dot by dot it's the exact same picture. Well, if you get a voice prompt and it's exact same to the dot then we know there's something wrong here, because humans don't behave that way. So there's lots of different things that we do inside the system in order to protect against spoofing.

CORNISH: Meanwhile there are much wilder ideas floating around the industry than voice recognition. How about jewelry that acts as a wearable key for logging into devices, or electronic tattoos, or even a pill you swallow to put a biometric tag inside your body?

Of course there are skeptics, even among biometric experts. Take James Wayman of San Jose State University. Wayman says people have been claiming that biometrics are going to be the next big thing in consumer electronics, well, for decades. He says good old fashioned passwords endure for a reason.

JAMES WAYMAN: Passwords have the advantage that they don't require additional hardware. Generally you have some type of an input device to your computer system. It's got to be a key pad or some way of getting digits and characters into your computer. So you already have that. So pins and passwords are very durable in that respect.

Secondly they can be reset remotely. Thirdly they don't need to reveal any personal information about you. They don't need to connect directly to your body. You can transfer your pins and passwords if you wish to do so. None of those characteristics are true of biometrics.

We're told that we should have a different pin or password for every one of our accounts and that we should change it regularly. You cannot use a different right thumb print for every one of your accounts and you cannot change it regularly. And then what happens when your computer or your cell phone no long recognizes your right thumb print? How do you reset that? What if your right thumbprint no longer becomes useable?

And so, what if you have somebody my age who has really crummy fingerprints, right? What do you do? Well, you still have to have a pin and password for those people. So there are levels of complexity here that have to be carefully examined. This is connecting the authentication with a body, and I think that has great implications, but there's a very big difference of recognizing your body and recognizing something you know in your mind - a password. I think the psychological differences and privacy differences and are profound.

CORNISH: And let's face it, consumers are still nervous about this stuff. When we canvassed our informal group in downtown Berkeley about biometric technology, we got a lot of raised eyebrows.

UNIDENTIFIED MAN #1: That is way too ridiculous. Fingerprints, that's way too ridiculous...

UNIDENTIFIED MAN #2: Fingerprinting seems pretty easy, not as invasive as maybe eyes or voice.

UNIDENTIFIED WOMAN #3: Bioscans to me just seem clumsy, like a lot of problems.

UNIDENTIFIED MAN #1: Retina scans, that's way too ridiculous...

UNIDENTIFIED WOMAN #3: It's also so new that I don't know enough about it yet.

CORNISH: Except for this guy.

MICHAEL BARRETT: It's a heck of lot better than where we are now with passwords, which are just a dismal experience.

CORNISH: That's Michael Barrett. And while he lives in Berkeley, he was not a random pick. Barrett used to head up security for PayPal. Now he runs an alliance of companies including Google, MasterCard, and BlackBerry that want to create industry security standards to encourage password alternatives. And yeah, he knows all your worries about a thief faking your fingerprint or copying your voice but he's not buying it. Companies, he argues, are not worried about one or two stolen passwords, they are worried about millions.

BARRETT: If somebody wants to mug us, you know, they bash us on the head on the street and steal our wallet or purse. That's an intrinsically un-scalable approach to crime. I can't mug a hundred million people simultaneously. Whereas on the Internet, there absolutely have been cases where companies have lost databases of a hundred million or more consumers' details.

CORNISH: When we talk to skeptics about this, we hear that while the companies building this technology will tell you it's amazing and doing great things and it's come really far, that it still has a way to go. I mean are people overselling biometrics?

BARRETT: You know, let's not look at this as though there is some utopian vision of security because we're coming from a pretty bad place today. But then the second thing is there is no such thing as perfect safety and there's no such thing as perfect security either. It's only a question of how good is it and is it good enough to get the job done?

You know, I also liken this to well how much security do you want on your house? Have you replaced the locks on your front door? Do you have good window locks? Do you have an alarm system? Do you have a video camera system? It's like, you can do many things if you're worried about that, or you can just leave the locks on from the last owner who had the house when you bought it and not doing anything. So, you know, in the real world, we make conscious tradeoffs as to how much we want to do to make ourselves safer. I think the same analogy is true online. It's just today, we don't have any vocabulary to even really be talking about those kind of tradeoff decisions.

CORNISH: Michael Barrett, he's head of the Fast Identity Online Alliance, a trade group of companies looking to create new security standards and an alternative to the password. So far, 53 companies have signed up. But for now, we're still stuck with passwords and some of you out there might want to work on beefing up the ones you've got. Industry research on stolen passwords posted by hackers shows the most popular one is the word password. Transcript provided by NPR, Copyright NPR.

Most Popular