Some companies are trying biometrics as a second authentication factor, taking advantage of the cameras and microphones in smartphones to carry out face or voice recognition—or even iris scans. But many users worry that biometric data brings its own suite of concerns. Unlike passwords, which can be changed, voice prints and faces cannot. The worriers say that if cybercriminals were to hack a website and steal biometric information, the same information could forevermore be used to break into other accounts that rely on biometric authentication. This is unlikely, however, because fingerprint data is typically combined with random data to create a credential that is based on your fingerprint but is not the fingerprint itself. So any hacker who gained access to a scan of your fingerprint would not be able to break into a biometrically secured site.
But there’s a problem, even with two-factor authentication. While it makes life harder for criminals, users don’t like the extra hassle. "What we have found at PayPal with our security key is that if you market it hard you get a take-up rate of about 1-2%. If you don't market it then only about 0.1% will take it up," says Barrett. "Consumers just want to go out and buy things and they expect you to take care of security."
In the hope of making life easier for users, a few companies have created a consortium called the Fast Identity Online (Fido) Alliance. PayPal, Google and PC-maker Lenovo are among its founders. First and foremost, Fido aims to reduce reliance on passwords.
The Fido system’s specifications are still being developed, but what is clear is that it will work using a piece of hardware called an authenticator. Users will be able to enrol this at each website that they wish to log into. The enrolment process will involve the Fido authenticator and the website exchanging digital keys that will allow each to recognize the other.
As the user, when you visit a site from a PC with an authenticator connected—or perhaps a mobile device with an authenticator built in—you will still have to identify yourself. What's different is that you will do so to your Fido authenticator, not to the website that you wish to visit. Once that is done, the Fido authenticator can vouch for you. Effectively, the device will tell the site “you know me because I can present a digital signature that proves who I am, and I can vouch for who is using me because I have authenticated them at my end”.
The researchers developing Fido authenticators intend them to work with all kinds of authentication: a simple PIN, a fingerprint reader on a USB stick, or the camera on a mobile phone. The major benefit of this system is that no secret is stored remotely: the biometric data, or the PIN, remains on the Fido authenticator. And because it is never transmitted over the internet, this data won’t sit on a remote site from which it could be hacked. The arrangement also avoids the need for a long and complex password to provide good security. If the wrong PIN is entered more than a handful of times on a Fido authenticator, the device would simply lock itself, as an ATM at a high street bank does today. Crucially, phishing could become a thing of the past because no one will ever need to enter a password on a website again.
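The enrolment and sign-in exchange described above, including the PIN lockout, as an added example in Go; it is not Fido's specification or any vendor's code, and the origin string, the three-attempt threshold and the "origin|challenge" message layout are assumptions chosen for illustration:

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// Authenticator holds the PIN and one private key per origin; none of it leaves the device.
type Authenticator struct {
	pin      string
	failures int
	keys     map[string]ed25519.PrivateKey
}
// verifyUser is the local check; wrong PINs are counted and the device locks itself, as an
// ATM does. The threshold of 3 is assumed (the article says only "a handful").
func (a *Authenticator) verifyUser(pin string) error {
	if a.failures >= 3 || pin != a.pin {
		a.failures++
		return errors.New("wrong PIN or authenticator locked")
	}
	a.failures = 0
	return nil
}
// Enroll mints a key pair scoped to origin and hands the site only the public half.
func (a *Authenticator) Enroll(pin, origin string) (ed25519.PublicKey, error) {
	if err := a.verifyUser(pin); err != nil {
		return nil, err
	}
	if a.keys == nil {
		a.keys = map[string]ed25519.PrivateKey{}
	}
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand, which does not fail
	a.keys[origin] = priv
	return pub, nil
}
// Sign answers a site's challenge with the key enrolled for that origin. The origin is
// folded into the signed bytes, so a response for one site is worthless at another.
func (a *Authenticator) Sign(pin, origin string, challenge []byte) ([]byte, error) {
	if err := a.verifyUser(pin); err != nil {
		return nil, err
	}
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no credential enrolled for " + origin)
	}
	return ed25519.Sign(priv, append([]byte(origin+"|"), challenge...)), nil
}
// Verify is the site's side of the exchange: it holds only the public key from enrolment.
func Verify(pub ed25519.PublicKey, origin string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte(origin+"|"), challenge...), sig)
}
```

The site never sees the PIN or the private key, and a look-alike origin can neither obtain a signature nor reuse one minted for the genuine site.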
Or would it? There are, of course, weaknesses in any system. In Fido’s case, the most obvious vulnerability is during set-up. To work properly, the Fido system will rely on you enrolling your authenticator at a genuine site. But what if you mistakenly enrolled it on a phishing site? "You have to go home or somewhere you trust when you register, and you need to be paying attention," says Mayank Upadhyay, a security engineer at Google. "When you are fixated on another task and not paying attention, that's when you end up getting phished."