The great password dilemma has been a perennial topic here.
I've argued that the need to remember 40 or 50 passwords for different purposes inevitably pushes us toward choosing repetitive, simple formulations, and encourages us to write them down -- or, worse, store them online. Stephen Gallagher made the case that the need to defend passwords from "brute force attacks" has led to the imposition of 15 or more character minimums, practically guaranteeing that people have to keep password records.
One thing seems clear: We're not going to fix the password problem. The faster computers get, the clearer it is that passwords can't be both unbreakable and easily remembered. We need an alternative.
In the past, I've considered the possibility of using biomarkers such as fingerprints as surrogates for passwords. This seems superficially attractive: fingerprints are hard, if not impossible, to steal. Unfortunately, such a system would rely on a biomarker database, and databases -- as we know -- exist to be breached. What's more, getting a population to reset its fingerprints following a breach would be harder, even, than getting 24 million Zappos customers to reset their passwords.
We do, however, have a biomarker which is almost as distinctive as our fingerprints, and I'm not even talking about DNA. We have faces. That's the direction in which Apple and Google have recently been looking in order to better secure smartphones.
If password security is generally shabby, the state of smartphone PIN security is laughable. Perhaps because a false sense of security is created by carrying smartphones about with us, we have a demonstrated tendency to use such cryptic inventions as "0000," "1234," and "2580" as PINs.
That may be one reason Apple applied to the US Patent Office, earlier this month, to register facial recognition software for smartphones and tablets. Google too has been playing around with something called "Face Unlock."
Now, there's one fairly obvious loophole in facial recognition security -- show the phone a photo. Google has bluntly denied that this works, saying "give us some credit." That issue seems unresolved, but it occurs to me that there's a much more important one.
Let's say that unlocking your smartphone with your face requires you -- really you -- to be present. That's helpful when it comes to losing your smartphone. A bad actor, finding your abandoned device, is not going to be able to unlock it, perhaps not even if he or she happens to have a photo of you, too.
But is this really the problem? News Corporation this week began settling countless phone hacking lawsuits. Sixty claims have been brought against the company so far, but the police say there may be 6,000 victims. Are we to suppose that 6,000 people dropped their smartphones in pubs? Of course not.
Phone hacking, for the most part, depends on remote access. Hackers obtain unprotected phone numbers from a variety of sources -- Facebook must be a favorite -- or by social engineering. PINs, for the most part, are easy to guess. Hacking typically takes place in the legitimate user's absence.
Unless Apple or Google plans to bar remote access to devices, facial recognition security surely only solves a small part of the problem. Back to the drawing board.
— Kim Davis, Community Editor, Internet Evolution