Will biometrics "active authentication" help do away with passwords?
The average computer user has 27 passwords, and it can be tough to keep track of them all. But a solution may be at hand in our devices, with sensors that can read all kinds of identifying information about us. That could make biometric data the key to our online world, putting an end to the password.
Professor Vishal Patel asked a student to walk across campus at Rutgers University, then hand his phone to another student, who walked back. The difference in how they walk was "enough to identify who the person is walking," Patel said.
To the phone's accelerometer -- every smartphone has one -- the walking signals looked different, reports CBS News' Brook Silva-Braga.
Just two years ago, in "Mission: Impossible - Rogue Nation," this was science fiction. But researchers like Patel are making biometrics real and trying to use them to make our devices more secure with a process called "active authentication" that constantly and passively monitors the user.
The phone was also trained to recognize the unique way its owner scrolls down the screen. The time between specific keystrokes also gives you away, as well as the words you choose and the way you punctuate them. Move a mouse and the path of the pointer can identify you, and so can the way you click.
No single method works well enough on its own, but combining several should, as Google showed in a 2015 test that claimed "a new method of authentication that may prove to be 10-fold more secure than the best fingerprint sensors."
Much of this work has been funded by DARPA, the research group within the Department of Defense. Angelos Keromytis oversees the project.
"We have a lot of passwords, and as you've seen in the news, we get targeted same as everybody else, and we think we can do something better than passwords," Keromytis said.
So DARPA called on a dozen universities and private companies for creative solutions. Some are hard to believe.
"Your phone has a number of radios: wifi radio, cellular radio, Bluetooth radio. These emit signals, the signals from a close up distance reflect off your skin. Well, it turns out they don't actually reflect off your skin… they actually penetrate the skin a few millimeters," Keromytis said. "So one of our performers figured out a way of not only sensing heartbeat but also extracting a high-fidelity signal that could be used to authenticate a user based on their individual heartbeat."
So why isn't this active authentication active yet? It could drain our batteries too quickly or fail to work in certain settings – and some of the methods, like tracking our pattern of life, could turn off users.
"Once you have this information you can sort of learn where the person will end up in the afternoon or at night," Patel said.
"To a lot of people this is just going to look creepy," Silva-Braga said.
"That's right, it is creepy, but it is very powerful," Patel said.
Joseph Atick helped invent facial recognition technology 25 years ago. Today, he said tracking users is so valuable to marketers that tech companies can't be trusted to self-regulate their use of biometrics.
"You broke my password, I'm going to change it," Atick said. "I can't change my face, I can't change my fingerprints. I need some mechanism to protect me."
That mechanism would be a guarantee that all the biometric information stays on the device.