Using biometrics to replace passwords is supposed to enhance security, but it can also push the boundaries of privacy. Dozens of new personal tech products at the International Consumer Electronics Show (CES) 2014 use biometrics to scan fingerprints, palm prints and irises, utilize facial recognition, eye tracking, voice recognition and even monitor behavior.
While there’s nothing inherently evil about biometrics, who controls all the collected personal data? If passwords are replaced with biometric products that use FIDO authentication, that authentication is supposed to be “designed with a core focus on privacy”; all “biometric and/or personally identifiable information (PII) stays local on the user's device and is not shared to the cloud or over the network.”
The FIDO (Fast Identity Online) Alliance, which includes tech companies like Microsoft, Google, BlackBerry, PayPal and many others, intends to show off its FIDO-certified innovative authentication products at CES. For a device to be certified as FIDO Ready, it must conform to UAF (Universal Authentication Framework) standards.
“Up until now, everyone thought the smartphone was the key to the cloud, but everyone was wrong. The smartphone is a lock and a very smart lock with lots of sensors,” FIDO member Sebastien Taveau told the Washington Post. “Your human body will be your own key, and you will get an extremely customized experience on your device and feel more comfortable doing more on your device than ever before.”
While we are terrible when it comes to passwords, many companies are equally terrible when it comes to protecting those passwords. Even if you trust a company not to store your biometric data and to instead keep the info local on your smartphone, what happens if you lose your smartphone or if it is stolen? Is the mobile device secure, or are your personal biometric identifiers at risk of being stolen? Regardless, we are marching ever closer to the end of passwords and embracing biometrics.
Here are a few of the password-alternative, FIDO-certified biometric products on display at CES 2014.
Yubico will show off the YubiKey NEO dongle, which “offers military grade security out-of-the box, with no additional drivers or client software needed.” To authenticate, the user plugs it into a PC USB port, types a PIN or password and “touches YubiKey NEO to confirm that he/she is physically present and is attempting to log in.” For mobile devices, “the user just taps the YubiKey NEO to an NFC enabled smart phone or tablet.”
"The YubiKey NEO integrates with FIDO's open standards to provide you full ownership and security of your identity across all online services,” stated Stina Ehrensvard, CEO and Founder of Yubico. “As no information or secrets are shared between online service providers, the YubiKey NEO guards your privacy at all times, without you having to rely or be managed by any government, IT or financial organization."
AGNITiO wants you to replace your password with your unique voiceprint for authentication. With Voice iD [pdf], “consumers can speak into their smartphones and other mobile devices to log on hands free, securely access apps and documents, and make secure mobile payments, as well as use a voiceprint to identify themselves with call centers.”
FingerQ wants to read your fingerprint with its small and portable PrivacQ Triangle. The Q-key triangle plugs into a USB port, authenticates a user so he or she can “instantly enjoy authenticated Cloud services to store and sync files or media for your home and office.”
Nok Nok Labs, whose name is a play on “part of a knock-knock joke to signify authentication,” and Synaptics are also expected to participate in the FIDO Ready showcase with fingerprint authentication solutions.
Also at CES 2014, other FIDO Alliance members will showcase solutions that are in the process of incorporating the FIDO Alliance authentication standards:
Regarding fingerprints, Fingerprint Cards wants to “free users from the burden of using PIN codes and passwords.” The company will demo FPC1020, “the world's first capacitive touch fingerprint sensor for smartphones and tablets using Android.” EgisTec wants you to authenticate with your fingerprint via Yukey-eFIDO. It “gives users universal authentication capabilities for securely logging onto web applications, including eCommerce, mobile payments or wallets, as well as replacing PIN/passwords with fingerprints.”
CrucialTec has the BTP Aero Mouse, which is a remote control with an embedded fingerprint scanner. “The CrucialTec remote control with fingerprint recognition will give personalized access to a user’s favorite channels as well as offer parental controls that can block TV channels using the ‘Kids Lock’ feature.”
GO-Trust developed a microSD Java card to replace password authentication; Java? Yeah, it supports FIDO login and works with “99% of existing laptops and personal computers and the one billion Android devices.”
Sonavation unveiled its AXISKEY key fob to serve as a “personal ultrasound biometric identity device” with “better than federal-grade data encryption.” It provides “BYOB (Bring Your Own Biometric)” and “safeguards an individual's personal, social, and workplace accounts, as well as their online identity and transactions with a swipe of their finger.”
Eyelock wants to use your iris to replace your password. The company showed off myris, a USB-enabled iris identity authenticator that “virtually eliminates the need for usernames or passwords.”
Eye-scanning, however, can be used for purposes that have nothing to do with enhancing security. Tobii, a company that claims to be “the world leader in eye tracking and gaze interaction,” wants eye tracking tech to be part of our daily lives. Tobii eye-tracking software, which allows “computers to know exactly where users are looking,” has been embraced by Amazon, PayPal and Google to analyze user behavior. It can tell where you are gazing, or what you ignore on a website, as well as read pupils to determine interests and moods such as if the user is aroused. Tobii suggested that one day “Netflix could use mood-sensing technology to recommend movies with better accuracy.”
It is these "other" uses for biometrics that are concerning. Privacy policies constantly change . . . and usually the user loses out. Whoever stores our biometrics had better secure them well, as surely the NSA would love to hoover it all up and store it for eternity. The better to make sure you're not a terrorist, you know, just in case. Are you ready to embrace biometrics as a replacement for passwords?