FRANCISCO — The things that make human beings unique
— fingerprints, irises, facial features — have
become the preferred way to sign onto banking accounts
online or other sensitive websites, the newest solution
to the problem of hackable and forgettable passwords.
your fingerprints can be stolen, your photo replicated.
Now cyber experts are looking at the next security step:
cellphones and computers that actually recognize you
from a variety of factors.
smartphone now gathers more information about you than
you probably realize.
amazing how many sensors there are on a modern-day
smartphone. You have motion sensors, like an
accelerometer, a gyroscope and magnetometer," said
John Whaley, chief executive of UnifyID, a startup that
offers what it calls revolutionary authentication.
you have other sensors, such as GPS, Bluetooth and Wi-Fi.
All told, an average smartphone has 10 or so sensors
measuring precise details about location and user
can tell what floor of a building you’re on. We can
tell if you are inside or outside of a building,"
Whaley said. "Just with a few seconds of your
walking data, from your phone sitting in your pocket, we
can actually identify you based on that."
told, smartphones can measure the angle that your cradle
your devices, the pressure you put on the screen, how
much of your finger touches the pad, the speed at which
you type, how you swipe, your physical rhythms, the
times you normally stir in the morning, some 100 or more
indicators that in combination can give near total
accuracy in identifying you.
you combine a large number of these factors together, we
can actually get to 99.999 percent accuracy about it
being you versus not you," Whaley said. "At
that threshold, you can actually use this for
authentication and you don’t have to use passwords
passwords become a thing of the past, it is likely due
to what computer scientists describe as machine learning
— which allows computers to find hidden insights
without being explicitly programmed where to look — as
well as improvements in sensors that measure our lives
and actions with precision. What Whaley calls
"implicit authentication" may change the way
humans interact not only with phones and websites, but
maybe the world at large. ATMs may recognize us as we
approach. Clerks or cash registers at stores may greet
us by name as their computers recognize our smartphones.
who has a master’s degree in computer science from MIT
and a doctorate in the field from Stanford, is catching
attention. His company competed with scores of others as
the most innovative startup in the field of
cybersecurity at the RSA conference in San Francisco
last week, which drew 43,000 attendees, and won in a
unanimous decision of the judges.
to ensure authentication of users would have
repercussions in banking and finance, e-commerce,
cybersecurity, transportation security and in fraud
detection, sectors with a value that nearly reaches $2
need for extended authentication technology is going to
be great," said Robert Capps, vice president of
business development at NuData Security, a Vancouver
firm that uses behavioral analytics to help clients
identify good users from bad ones.
downside to using biometrics, such as fingerprints, in
computer security is not widely understood.
definitely is a gap in the perceived value of biometrics
and the true value," said Daniel Ingevaldson, chief
technology officer at Easy Solutions, a Doral, Fla.,
company that helps banks fight electronic fraud.
noted that a billion smartphones are now equipped with
fingerprint sensors, and consumers clamor for banks to
accept biometric proof.
fingerprints are not secure. In the hack of the federal
Office of Personnel Management in 2015, the fingerprints
of 5.6 million people were stolen. And prints can be
lifted off surfaces such as glass doors. High-resolution
photos can also fool facial recognition software.
your biometric credentials are stolen, they are stolen
forever. There’s no way to easily change your face.
There’s no easy way you can change your voice. And
definitely not an easy way to change your
fingerprints," said Ricardo Villadiego, Easy
Solutions’ chief executive.
the areas of authentication for users are something you
know (such as a password), something you have (say, a
cellphone or an electronic key) or something you are (a
the need for passwords has proliferated, users have
grown fatigued. Many users choose ever simpler
passwords. They repeat the same password on multiple
sites, or make minor modifications.
advantage of what UnifyID calls implicit authentication
is that a user doesn’t take conscious action to verify
his or her identity. The smartphone, using a data bank
of patterns of a given user, is continuously testing
against those patterns.
instead of being up front, like, ‘what’s your
password?’ is going to be passive, in the background
and happening all the time," Whaley said.
devices will recognize you. Your car will recognize you.
Your house will recognize you, and so security will
become much more seamless," Whaley said. "It
wasn’t possible just a few years ago. It’s because
of a proliferation of sensors, the fact that they are
all connected, and machine-learning technology.
how such data are stored, and who has access to it, may
play out differently in different parts of the world.
perception in the U.S. is that consumer data (are) fine
in the hands of private industry but not fine in the
hands of government," Capps said. In Europe, the
opposite is true.
can occur either on a smartphone itself or in the cloud,
and there are tradeoffs. If data is stored on a phone,
then the phone itself recognizes a fingerprint and only
sends a simple message on to institutions like banks,
which cannot conduct further analysis. But if companies
collect a large repository of sensitive user data, it
becomes a honey pot for hackers.
of the data is actually sensitive," Whaley said,
"things about even where you are at a certain time
of day. These are examples of data you may not even want
your spouse to know."
Somerville, chief operating office at UnifyID, said
companies compiling the vast data that can be extracted
from smartphones must be "totally transparent"
with users about what they are collecting and what it
will be used for, opting in or out for each data point.
they are not comfortable with us using their GPS, where
they physically move, they can turn that off and all the
other factors will essentially re-weigh
themselves," he said.
said the passive biometric data would be kept on the
smartphones themselves, not by the company.
always want to be in the position that even if somebody
hacked into our servers or we got a subpoena from a
government or otherwise were compelled to give up data,
we can legitimately say there’s no way for us to give
that data because we don’t have it," Whaley said.