The days of storing passwords in your brain are numbered. In a few years' time you may be able to log into your online bank account using an electronic tattoo on your arm, or a pill that, once swallowed, broadcasts a password through the wall of your stomach.
Functional prototypes of these products already exist. The tattoo has bendy and stretchy components—sensors and an aerial that lie flat on your skin. The aerial transmits your password to an electronic reader when you pick up your phone or sit at a computer. Stomach acid in place of battery acid powers the pill. This tiny device is being designed to pulse a code that would be picked up by a sensor in a laptop, shortly after it exits the oesophagus.
The motivation for developing such bizarre technologies comes from a widespread and growing problem: the existing authentication systems that log you into online services rely on passwords, and passwords aren't really up to the job.
‘Nonsensical and unrealistic’
There are many reasons why. Passwords can be ‘phished’, which happens when users are tricked into revealing them to fake sites made to look like legitimate ones. About 50,000 unique sites get phished each month, which leads to online thefts totalling an estimated $1.5 billion each year. People also tend to choose passwords that are easy to remember. This means they are easy to guess. Of 32 million passwords revealed during one security breach, more than 290,000 turned out to be ‘123456’, according to Imperva, a Californian security company.
Moreover, when criminals hack into an online storeroom of passwords - a service provider’s encrypted list of all of its users’ entry codes - they can crack potentially many thousands of passwords at once with the aid of special software. A password containing six lower case letters takes just a fraction of a second to crack in this way. But a longer and more complex one with 11 random upper and lowercase letters, numbers and special characters could take hundreds of years. It presents many orders of magnitude more combinations for the software to work through. The rule with passwords is simple: the more complex a password is, the better the level of security it provides. But expecting people to remember long, nonsensical combinations is unrealistic.
Often, users pick the same password for many different services, which is ill-advised. If you sign up for an account on an unimportant website and that website gets hacked, your password could find its way into the hands of criminals who would then be able to access your online bank account. The problem is that people simply have too many passwords to remember, says Michael Barrett, PayPal's chief information security officer. "When I talked to consumers ten years ago, they would tell me that they had four or five usernames and passwords to remember. Now they give me a glazed look, and tell me they have 35 of the damned things." A typical adult between 25 and 34 years of age has 40 online accounts, according to a 2012 study by credit-checking firm Experian.
One way around these drawbacks is to beef up existing password-based authentication systems by providing more than one kind of hoop for users to jump through. This already happens when you use a number-generating security token, or have to input a random number that was sent via SMS to your phone. PayPal has offered this ‘two-factor authentication’ for some years. And recently, many other high-profile internet companies such as Google, Apple, Facebook, LinkedIn and Twitter have included it for those who choose it.