Apple’s use of a fingerprint scanner on its new iPhone 5S has ignited a frenzy of debate over biometric security – not to mention some of the most laborious “hacks” ever invented, where hackers use CSI-esque forensic techniques and latex printers to gain entry to stolen phones.
But biometric security can be much more than simply measuring an iris or a fingerprint – and some researchers believe that systems which continuously monitor human behaviors could be even more secure.
One day, your smartphone might “recognise” you by the way you walk, the way your fingers tap on a touchscreen – or even simply where you go during the day.
The idea of a password as a “key” that unlocks a device might soon seem antiquated – researchers around the world are investigating “implicit identification”, where the computer recognises you through your behavior, not by challenging you for a password. Business magazine Quartz describes such systems as “always on” security.
SilentSense, announced in the wake of iPhone 5, works in the background on smartphones, and can identify a user within 10 taps of the touchscreen with 99% accuracy, according to Cheng Bo of the Illinois Institute of Technology. The system works with a smartphone’s gyroscope and accelerometer to identify users, and even takes account of their gait as they walk, according to New Scientist.
“While using mobile devices, most people may follow certain individual habits unconsciously. Running as a background service, SilentSense exploits the user’s app usage and interacting behavior with each app, and uses the motion sensors to measure the device’s reaction,” says Bo.
A previously proposed system, Touchalytics, worked in a similar fashion, but had a 4% error rate.
Many “implicit identification” systems are not “bulletproof” on their own, but researchers suggest that they could be augmented with other data. The researchers behind Touchalytics suggested augmenting such systems with location data, or even images from the front-facing camera.
Our own daily routines could even be used as “passwords”, some researchers believe. Google’s “predictive” Google Now system already offers Android users reminders to go to work (by monitoring their movements by GPS), and to go home. Could such data be used as a “password”?
“Most people are creatures of habit – a person goes to work in the morning, perhaps with a stop at the coffee shop, but almost always using the same route. Once at work, she might remain in the general vicinity of her office building until lunch time. In the afternoon, perhaps she calls home and picks up her child from school,” says Markus Jakobsson of the Palo Alto Research Centre.
Jakobsson analyzed several techniques for identifying users via smartphone use, and found GPS to be the most reliable.
Jakobsson claims that by combining techniques, it’s possible to lock out up to 95% of adversaries, even, “an informed stranger, who is aware of the existence of implicit authentication and tries to game it.”
Other systems specifically target users who may have difficulty using current passwords – and researchers at Lebanese University in Tripoli are designing a system which monitors hand movements and stability, to securely identify impaired patients who may have difficulty with other password systems.
“Elderly and physically impaired users need to have their medical profile secured and easily accessed without password limitation. Behavioral data chosen are keystroke analysis, touch gesture analysis and hand stability recognition. Each user has a different type of impairment, thus a different profile of using the smartphone,” the researchers write.
Security questions remain over how such systems might work in practice. Apple’s fingerprint ID system, for instance, stores the biometric information in its M7 chip, and it is not available to Apple’s servers or other apps. Systems which relied on gathering more complex data constantly may not be able to safeguard the data in this way, and thus may raise privacy concerns, according to Quartz.
In other contexts, such “always on” systems may provide a level of safety that password or one-time biometric systems cannot match.
A brainwave scanner could be used to increase safety in cars, according to researchers at Tottori University – and even prevent carjackings, unlicensed drivers taking the wheel, or accidents caused by drivers falling asleep.
But for certain systems, authentication methods such as iris scanners and fingerprint recognition are insufficient, Isao Nakanishi of the Graduate School of Engineering argues in a paper in the International Journal of Biometrics.
Many companies are offering biometric and two-factor solutions to replace and/or augment current password systems – such as the Bionym bracelet, which uses your unique heartbeat pattern as a password.
Stephen Cobb, Senior Security Researcher with ESET, says that we may be on the verge of widespread deployment of biometrics. Cobb says, “Successful implementation of biometrics in a segment leading product could bode well for consumer acceptance.”
He adds, “I have been a fan of biometrics as an added authentication factor ever since I first researched multi-factor and 2FA systems 20 years ago, however, user adoption is very sensitive to performance; in other words the iPhone 5S could advance biometrics, or put a whole lot of people off biometrics.”
Author Rob Waugh, We Live Security