The password is dead. Long live the password.

Passwords are becoming ‘the’ security problem that needs to be solved.

[Image: password prompt. Caption: Will we ever see the password put to bed?]

As security breaches become more commonplace, passwords are getting longer and more complicated. Take a mixture of your pet’s name, mother’s maiden name & your favourite holiday destination, shake them around a bit with some upper and lower case, numbers and symbols – and you’ve got a more secure password.

It’s a shame you can’t possibly remember it.

Multiply those passwords across multiple sites and log-ins and unless you use the same one on them all, or keep a list of them all on your computer (which is more of a security risk than anything else), you’ll be continually hitting the ‘forgotten your password?’ button.

Everyone’s trying to find an alternative, but like cockroaches – the password is hard to kill off.

So what else is there?

1. Biometrics

Fingerprint or ear scanners on your smartphone, iris scanners at work, vein scanners at the supermarket – there are a raft of biometric solutions out there promising unique authentication by using something that’s unique to you.

Like most things in authentication, it’s a case of horses for courses. Biometrics have more of a place in the workplace for proving your identity than in the consumer world. Unless you’re purchasing that DVD on your smartphone, for example, they’re useless for logging into your online store.

Also, they aren’t immune to hackers. The iPhone 5S’s fingerprint scanner was successfully fooled two days after its launch, as was the subsequent Samsung Galaxy S5. All the more worrying is the fact that the Galaxy S5’s scanner is being used to authenticate PayPal transactions. Read our previous blog.

2. Implants.

We chip our pets, so why not humans?

PC Advisor has just run a fascinating online poll:

If you could have a chip implanted or carry around an ID card that meant you never had to remember passwords or log-ins again, would you do it?

Out of 4098 votes, 39% said yes, 50% said no and the rest weren’t sure. Now the ‘yes’ vote was way higher than we would have expected.

It sparked off a great debate from the voters. Those against in the main were concerned about:

– privacy (Big Brother knowing your every move and location)

– the opportunities for crime (hacking out the implant and stealing your identity, then leaving you to bleed to death)

– the medical procedure of getting it under your skin in the first place (will it hurt?).

Others just didn’t fancy being bleeped every time they passed through the supermarket checkout.

But some were fully for the idea, seeing the benefits of having one means of identification that you can’t accidentally leave at home. The convenience ruled out any concerns – especially if it’s an implant you can remove.

As one tongue-in-cheek comment rightly pointed out, “kids are already chipped, they never leave home without their smart phone.”

3. A colour wheel?

[Image: mnemonic password. Caption: Would you prefer colour, sound or a story?]

One design student at the Royal College of Art in London thinks she may have an alternative. Renee Verhoeven’s graduation project ‘ID Protocol’ creates a series of password tools that do away with letters and numbers in favour of personal, mnemonic memory codes.

ID Protocol uses the 3 main pillars of mnemonic memory: movement (muscle memory), synesthesia (interpreting code as a texture or sound) and making a story from existing words.

It works something like this: the user selects an ID Protocol pass that plugs into their computer. Passes can use different sensory cues such as colour, pattern making, memory or storytelling: allowing you to use a colour wheel or a story mechanism rather than a set of numbers and letters to log in.

It’s just a concept for now, but as secondary authentication measures become more popular, maybe we’ll be identifying ourselves with a gesture or a story soon.

4. Your heartbeat?

Just one of the latest pieces of kit around that promises a new way to log-in or prove your identity is the Bionym Nymi. It looks like a simple watch, but it’s actually a piece of technology that authenticates your identity by measuring the rhythm of your pulse. Your heartbeat is unique and can’t be faked, so they say. It’s only available for pre-order at the moment; watch this space.

A more realistic answer

The reality is it’s likely to be a combination of these things. Multi-layer authentication is set to be the future, where we use two or more factors to prove our identity, depending on the perceived risk. So we may use a biometric method (a fingerprint, for example) with a simple password or PIN, or scan the information on our smart cards and follow up with a mnemonic prompt.

We’re already using biometric methods on our smartphones, and their GPS or NFC capabilities add yet another layer.

One-time use passwords and PINs are also likely to feature strongly, as is pre-authenticating mobile devices. However, this only works if the device has been registered in the first place.
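The risk-based, multi-factor decision described above, sketched as an added example (not code from the original post or from any vendor it mentions). The factor names, the three risk signals and the 100.0 high-value threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Factor -> category (something you know / have / are). Names are illustrative.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge", "mnemonic_prompt": "knowledge",
    "smart_card": "possession", "one_time_password": "possession",
    "pre_authenticated_device": "possession",
    "fingerprint": "inherence", "palm_vein": "inherence",
}

@dataclass
class Context:
    device_registered: bool  # device was enrolled before this attempt
    known_location: bool     # GPS/NFC signal matches a usual place
    amount: float = 0.0      # transaction value; 0 for a plain log-in

def required_factors(ctx, high_value=100.0):
    """Map perceived risk to how many distinct factor categories are needed."""
    risk = 0
    if not ctx.device_registered:
        risk += 1
    if not ctx.known_location:
        risk += 1
    if ctx.amount >= high_value:
        risk += 1
    return min(1 + risk, 3)

def authenticate(ctx, verified_factors):
    """Return (allowed, needed, categories) for factors already verified."""
    categories = set()
    for factor in verified_factors:
        if factor not in FACTOR_CATEGORY:
            continue  # unknown factor names never count
        if factor == "pre_authenticated_device" and not ctx.device_registered:
            continue  # an unregistered device proves nothing
        categories.add(FACTOR_CATEGORY[factor])
    needed = required_factors(ctx)
    return len(categories) >= needed, needed, sorted(categories)

if __name__ == "__main__":
    travelling = Context(device_registered=True, known_location=False, amount=20)
    print(authenticate(travelling, ["password", "pin"]))     # two secrets, one category
    print(authenticate(travelling, ["fingerprint", "pin"]))  # two distinct categories
```

A password plus a PIN is still a single factor, because both are things you know; the check counts categories, not credentials.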

Passwords and PINs will probably never fully go away. But one thing’s for sure – they won’t be replaced by one definitive solution.

Biometrics in schools: big win or big brother?

“If you don’t know the password you can’t come in.”

It’s a phrase often heard in school playgrounds up and down the country, as children play games with their friends.

But frankly, passwords could soon be irrelevant if biometrics continue to take off in the way that they have.

A piece of research carried out by Big Brother Watch based on data from the 2012-13 academic year, and published earlier this year, revealed that an estimated 40% of schools in England are using biometric systems. It therefore surmised that fingerprints have already been taken from more than one million school pupils; many without their parents’ consent.

These fingerprints are the necessary ‘password’ to access many of the school’s services, from paying for their lunch to checking out a library book.

The argument ‘for’

[Image: biometrics in schools. Caption: One upside can be the increase in library books being checked out]

Supporters of using biometrics in schools are quick to point out a number of benefits. The most obvious one is security – a fingerprint can’t be copied or lost in the way that an ID card can. Then there’s the speed and convenience: no more queues at a card scanner when arriving at school or rummaging around for coins, holding everyone up, at lunchtime.

Let’s not forget the ‘cool’ factor in all of this as well. Opponents to fingerprinting in schools tend to be the parents, not the kids themselves, who generally welcome the idea, and look forward to the whole ‘sci-fi’ deal that goes with it.

One of the unexpected benefits was found in the library. Some schools reported a big jump in books being borrowed – the kids liked using the fingerprint scanner so they took out more books. Always having the means to check out a book ‘on them’ meant they were more likely to do so.

The solution also helps to ensure equality at meal times. With everyone using their fingerprint to ‘buy’ their lunch, it’s impossible to tell who qualifies for free school meals, which means no-one is singled out.

The argument against

For all its supporters, there are certainly those who are passionately against the use of biometrics. The concerns range from worries over privacy and the ability to ‘steal’ and misappropriate personal data, to the fact that these systems normalise the act of tracking and monitoring pupils’ behaviour.

Some of those responding to the report released by Big Brother Watch talk about the danger of biometric information lying on a database somewhere, at the mercy of hackers or lost by those clumsy enough to leave a laptop on a train. Biometrics providers are quick to point out that records of the actual fingerprint aren’t stored; rather it is encrypted into a series of digits. This is what’s used to confirm ID against the fingerprint presented.

One comment, left by Anonymous, sums up the concerns around privacy in the future:

“Future generations will not have any privacy or know what it is like to have privacy if we do not stop the erosion of privacy now… Yes it might be easier for kids to provide a fingerprint to get a library book out now but can they really be sure that it won’t come back to bite them in the future removing any possibilities of choice and privacy that they might want?”

The Freedom of Information Act

One of Big Brother Watch’s major issues is the fact that as many as 31% of the fingerprints were taken without gaining consent from the parents. With the introduction of the Protection of Freedoms Act 2012, which was passed in 2013, this should be a thing of the past.

The legal framework states that colleges and schools must follow these rules for biometric recognition systems:

– For all pupils in schools and colleges under 18, they must obtain the written consent of a parent before they take and process their child’s biometric data.

– They must treat the data with appropriate care and must comply with data protection principles as set out in the Data Protection Act 1998.

– They must provide alternative means for accessing services where a parent or pupil has refused consent.

A moot point for many schools

Let’s not forget that installing a biometric system doesn’t come cheap, so it simply won’t be realistic within some school’s budgets. But for those who can afford it, what will be the real price?

You can read the full Big Brother Watch report here

Does your school use a biometric solution? What kind of feedback have you had from parents and the children themselves? We’d love to know what you think.

Smartphones and biometrics: we’re all ears

The iPhone 5S was the first. Its Touch ID fingerprint scanner on the lock screen heralded the beginning of biometric security as part of the smartphone furniture.

But it was easily hacked just two days after the phone went on sale in September last year.

Germany’s famous hacker team, the Chaos Computer Club, were able to create a fake fingerprint from a rubber mould that could then be used with a real finger to unlock the phone.

Another German team, Security Research Labs, have just done the same with the Samsung Galaxy S5, released earlier this month. You can see the video here.

More serious consequences 

Unlike the iPhone, the new Galaxy’s fingerprint scanner does more than just unlock the phone – it can also authenticate payments via PayPal. Which is all the more worrying from a security point of view, as the hacker could be successfully making payments directly into their own bank account.

And there is no limit to how many times you can try to fake it, like there is with the iPhone.

The point being that it gives a would-be-hacker a much greater incentive to create a fake fingerprint in the first place.

But is it really likely?

Is your average Joe really going to lift a high quality fingerprint from clean glass, scan it at high resolution, clean it up and then print it on to latex rubber?

Probably not. As evidenced by the fact that there haven’t been any recorded cases of the method being used beyond the hacker’s tests. Yet, anyway.

So do the ears have it?

Not content with fingerprint or iris biometrics, Descartes Biometrics has just developed an ear biometric lockscreen app designed exclusively for Android smartphones. The president and CEO of the company, Michael Boczek, talks about the convenience of the ‘most natural of phone gestures – lifting your phone to your ear’:

“An individual user simply lifts the device to their ear and presses their ear to the touch screen to authenticate and unlock the device. By combining the most natural of all phone gestures – lifting your phone to your ear – with the unique geometry of your ear, Descartes Biometrics has created a robust and reliable mobile device security solution that is easy to use, non-invasive and non-distracting.”

Currently you can get it on Amazon apps and Google Play.

We can definitely see the logic and the benefit of a different biometric approach to fingerprints. Especially as, in the words of Frank Rieger, spokesman of the Chaos Computer Club, “it is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token”.

But do we really care that much about biometric smartphone methods in general? Is it still just a bit too early for adoption – especially at $3.99 a pop? It’s one thing if it comes as part of the phone, another if you have to fork out hard cash for it.

We’ll be watching the downloads with interest.

One password your kids can’t memorise

Samsung are the latest to add a biometrics feature onto their new smartphone.

[Image: Galaxy S5 smartphone. Caption: New biometrics feature authenticates mobile payments]

The Galaxy S5, which is currently available to pre-order, will feature a fingerprint scanner in the same way as the Apple iPhone 5 does, with the main button on the front doubling as a scanner to unlock the device.

The security feature won’t just help to protect the phone from unwanted access if it’s lost or stolen; it can also be used to authenticate payments, as Samsung has partnered with PayPal to offer ‘payment-by-finger’.

That’s one way to stop the kids from buying something they shouldn’t on your eBay account.

Is biometrics the future in mobile payments?

This new feature is a talking point, but can we expect this type of technology to become commonplace?

Mobile payments as a concept is proving to be slower to catch on here than was predicted. Market analysts have been saying ‘this is the year’ for nearly a decade, but in the US, only 3-7% of consumers currently use their phones to buy goods in a shop.

Mobile banking is popular, but actually making a mobile payment, for example paying your bill in a restaurant via PayPal, is taking a while to get off the ground. But making person-to-person transactions via your mobile phone is growing, and nearly twice as many consumers are using mobile payments now than they did last year.

Is biometrics the stumbling block?

The kids don’t mind

There is still a real reticence amongst consumers about the use of biometrics technology, particularly when it comes to payments. Iris scanners, fingerprint scanners and even the newer palm & vein scanners all generate concerns that primarily revolve around privacy and the potential for misappropriation of data.

Those with a darker side worry about the lengths thieves might go to in order to steal your biometrics password: severed fingers, gouged-out eyeballs etc.

But is it merely a generation thing?

For those who have grown up with the technology, a fingerprint scanner is commonplace. The fact that it’s now part of the latest smartphones makes it part of the furniture. Much in the way that they’re used to being able to stop and rewind live TV (“you mean there was a time when you couldn’t?”), it will become normal to authenticate payments with their own body.

School rules ok?

Many schools, particularly in the US, are looking into biometrics methods to ensure the safety and security of their students. A biometric solution brings a whole host of advantages in terms of access control. Unlike a smart card, a fingerprint can’t be passed around, stolen or misused.

There is naturally caution over the introduction of such a system, but most opposition comes from the school administration and parents – not the kids themselves.

After all, using the fingerprint scanner on your smartphone to pay for lunch, take out library books and get in the building isn’t just convenient, it’s kinda cool.

Get used to it, it’s the future

As the oft-quoted Douglas Adams said, in describing our reactions to technologies:

1. Anything that is in the world when you’re born is normal and ordinary and is just a natural part of the way the world works.

2. Anything that’s invented between when you’re fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it.

3. Anything invented after you’re thirty-five is against the natural order of things.

So it’s only a matter of time.

Pay for your milk using your veins?

Forget fingerprint and iris scanners. You could soon be able to pay for the week’s groceries using the veins on your hand.

The Biyo: no wallets, no receipts – all you need is yourself

The next thing in biometrics payment authentication?

US biometric company Biyo (formerly Pulse Wallet) have created a revolutionary way to make payments for everyday purchases.

Rather than opting for the mere fingerprint to authenticate payments, like so many other biometric specialists, Biyo have gone for the whole hand.

How does it work?

To set it up, you swipe your credit card as you normally would on the Biyo reader in store, then scan your palm and enter your phone number to link it to your account.

The unique vein patterns in your palm create your own secure biometric password for all future transactions. One of the key benefits, as Biyo points out, is that this is a password ‘you never have to remember.’

Then the next time you pop into a shop (one that supports the Biyo technology of course), all you have to do to authenticate your purchase is wave your hand over the reader. Job done. No more shielding your PIN from the person behind you.

You can then track your transactions online or via the Biyo app.

Will it take off?

The problem, as far as we can see, is ensuring enough merchants sign up to the technology to make it accessible. The fact that you can forget your wallet and still pick up tonight’s dinner by scanning your palm is great, but what if the takeaway doesn’t have a Biyo terminal? You’ll have to drive back home to pick up your cards, which goes against the benefit of ‘convenience’ somewhat.

It’s only available in the US at the moment, but if it’s successful, you can probably expect it to roll out to other countries.

What’s wrong with a finger – why do we need the whole hand?

Biyo points out that their palm vein pattern recognition uses near infrared light to capture your own individual vein pattern, which is more than 99% accurate. The sensor is contactless, so you won’t be leaving traces of your pattern like you can do with fingerprints. Also, the technology isn’t affected by any blemishes or cuts on your hand as it’s looking underneath the skin.

We know what you’re thinking. What if someone chops off your hand and whips it out at the till?

Ignoring the inherent problems of getting a severed hand past the shop assistant, Biyo are quick to put you at ease on this one – it wouldn’t work due to the lack of blood flow.

So that’s a relief.

Find out more at http://biyowallet.com/