Will This Security Innovation Make Biometrics Obsolete?

A new security technology, one with widespread technical and growing business support, will almost certainly bring problems to the speech industry.

This innovation gets rid of passwords and two-factor authentication entirely. The system uses public/private key cryptography to authenticate users; its specification is called FIDO, for “fast identity online,” and the FIDO Alliance has over 260 members. The problem, for the speech industry, is that FIDO could supplant biometrics.

The need for security innovation is clear. Passwords, for their part, provide terrible security. Users choose poor ones that can be guessed easily, or forget them and require resets. Institutions impose out-of-date, counterproductive security rules. Case in point: My local bank fears password managers. When I attempt to log in to the bank’s phone app with my password manager, it rejects the password because it was pasted, not typed. I can get around this, but others as a result may avoid strong passwords, such as “NmV87HZZ&dzKP!P,” in favor of easier to type—and guess—passwords such as the ever popular “123456.”

With two-factor authentication, users have to know their passwords and also prove they have their phones in their possession. Everyone has one, right? When I attempt to log in to a website, it challenges me via text message with a number. I can prove who I am by entering it—unless a thief has stolen my phone. Worse, the thief calls the phone company, impersonates me, and transfers my phone number to his phone. Now the thief gets the text message.

Some companies provide two-factor authentication through “tokens”—a device with a shared secret known to the device and to the company. The device might be a card or a key or an app on your phone that displays passwords, one per minute, that appear to be random. Without the secret, you can’t know the next password even if you have a history of previous numbers.

But people lose cards and keys and phones, or accidentally erase phone apps, as I did recently. I had to wait two weeks to regain access to my account in a process that required physical exchange of paper mail, because some companies take security very seriously. So speaking from experience, two-factor authentication introduces a great deal of friction.

FIDO works with a simple principle. You have a device such as a phone, laptop, or computer that you want to use to access a website. The website sends you a challenge encrypted with your public key—only you can decrypt it. Your device decrypts the challenge, signs it with your private key, and sends this result back.

Notice that this system depends entirely on the exchange of encoded messages. I enter my name, my device receives a challenge, and my device responds. No password leaves my device. My private key never leaves my device. Each login attempt relies on an exchange of unique data.

This system removes a major incentive for biometrics at a distance. In a world of insecure passwords, users might send voice snippets over the web to confirm a password. But now passwords have vanished. Or someone who calls into my company’s call center might speak a passphrase, or I might use passive biometric detection to verify the caller’s identity. But now this becomes less attractive with a little engineering work. I can imagine a phone app that, while I’m speaking, responds to a cryptographic challenge from my bank, mortgage company, or local utility. No biometrics over the phone or web means no equal error rates, no problems with background noise or head colds, and no secret phrases.

In other words, the combination of smartphones and a secure method of non-password access will help make biometrics less appealing if not obsolete.

Of course, that’s “remote” biometrics, performed by a distant server. Some smartphones will likely use biometrics to unlock the verification apps—facial recognition, fingerprints, or voice. A laptop might use facial recognition, voice, or a physical “key” that connects to the laptop to unlock the verifier.

But for now, I believe this is cold comfort in the niche of telephony. Biometrics come built-in on many phones. Verifier apps might include their own tested and trusted biometrics; but that’s an embedded market, not a telephony market. I can spin tales of voice biometrics to detect calls made by coercion, use of stolen phones, and the like—but I wonder just how wide and deep that market will be. 

Moshe Yudkowsky, Ph.D., is the president of Disaggregate Consulting and author of The Pebble and the Avalanche: How Taking Things Apart Creates Revolutions. He can be reached at speech@pobox.com.