How many times have you forgotten a password, only to realise that it’s nothing to be concerned about, because you only use two different passwords across all your accounts? Don’t feel too guilty if this applies to you – research has shown a whopping 97 per cent of people use the same two passwords over as many as 12 different sites.
That’s an average of one password per six accounts. Even if someone is able to hack your password for a website that carries no personal or financial information, they’re going to be able to get into five of your other accounts as well.
And if one of those accounts is your primary email address, they can probably get your PayPal or online banking password sent to them.
But, again, with 97 per cent of the world being guilty of password laziness, it’s clear that people aren’t the problem, passwords are.
So what’s to be done? Well, Australian researchers at the CSIRO’s Data61 (née NICTA) are working on a method of identification that does away with words, PINs and even fingerprints, as all of them can be guessed and replicated.
Instead, the ‘passwords’ of the future will identify you based on your totally unique personal movements.
“It’s a new form of identification, something that we call ‘implicit authentication’ or ‘implicit continuous authentication’,” Data61 scientist, and lead researcher on a paper examining the technology, Dr Dali Kafaar told Techly.
“What we have been able to show is that when you type and you’re touching the screen of your mobile device, there are very unique behavioural biometrics that you leave – a behavioural fingerprint that you are leaving.
“Essentially, the way you’re tapping the touch screen, the way you do your forward, backward, double swipes – the different interactions with the touchpad – are very unique.
“We take a combination of those and we calculate a very unique gesture pattern for you, and that will constitute something that we call ‘implicit authentication’.
“So rather than typing your password, all you have to do is interact with the device a couple of times, and then [the device will] realise if it’s you or not, and give you access to the machine or not.”
How it works
All devices require a set-up phase, and devices which are implicit authentication enabled will be no different. But rather than spending minutes getting the system up and running, implicit authentication will be much quicker.
“[Setting up] the implicit authentication we designed doesn’t take that long, it takes about 15 seconds or less,” said Dr Kafaar.
“It’s a way of us asking you to do a downward swipe, a backward swipe, a forward swipe, a tap and then a couple of other taps, just to measure the forces and the magnitude that you have on the touchpad, and a number of other parameters like the acceleration you have when you’re making the swipes and so forth.”
With the system set up, you unlock your device in much the same way as many devices are unlocked now – by drawing a pattern. However, rather than an easily guessed pattern that you yourself choose, your device will ask you to draw a random pattern with your finger, and based on how heavily you press, how quickly your finger moves and other small nuances your device will know about you, it will unlock – or not, if it’s not you.
The system then continues to monitor your first dozen or so interactions with the device, just in case you are able to fool the initial pattern-draw, making absolutely sure, based on a number of further touches and interactions, that it is indeed the device’s owner using it. If it’s not, the device will automatically lock.
“You’ll be continuously authenticated. There is something in the background that will be monitoring the way you interact with your touchpad that is trying to recalculate the probability that you might not be the one who is supposed to be using the phone,” Dr Kafaar explained.
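The background re-scoring described above can be sketched as a sequential Bayesian update over incoming gestures. This is an added example, not Data61's code or algorithm: the three features, the Gaussian template, the wide-Gaussian model for other users, the thresholds and all gesture values are assumptions constructed for illustration.

```python
import math
from statistics import mean, stdev

FEATURES = ("pressure", "speed", "acceleration")  # assumed feature set

def gesture(*values):
    return dict(zip(FEATURES, values))

def enrol(samples):
    """Per-feature (mean, std) template built from the enrolment gestures."""
    return {f: (mean([s[f] for s in samples]), stdev([s[f] for s in samples]))
            for f in FEATURES}

def log_gauss(x, mu, sigma):
    return -0.5 * ((x - mu) / sigma) ** 2 - math.log(sigma * math.sqrt(2 * math.pi))

def owner_llr(template, g, spread=3.0):
    """log P(g | owner) - log P(g | other user). Assumption: other users are
    modelled as the same mean with `spread` times the owner's deviation."""
    return sum(log_gauss(g[f], mu, sd) - log_gauss(g[f], mu, sd * spread)
               for f, (mu, sd) in template.items())

def monitor(template, gestures, prior=0.1, lock_at=0.9, clamp=6.0):
    """Recompute P(not the owner) after every gesture; stop at the lock point.
    Returns (index of the gesture that triggered the lock or None, history)."""
    log_odds = math.log(prior / (1 - prior))
    history = []
    for i, g in enumerate(gestures):
        log_odds -= owner_llr(template, g)
        # Clamp so a long genuine session cannot bury a later takeover.
        log_odds = max(-clamp, min(clamp, log_odds))
        history.append(1 / (1 + math.exp(-log_odds)))
        if history[-1] >= lock_at:
            return i, history
    return None, history

# Constructed sample data: six enrolment gestures, then two sessions.
ENROLMENT = [gesture(0.48, 1.15, 2.9), gesture(0.52, 1.25, 3.1), gesture(0.50, 1.20, 3.0),
             gesture(0.47, 1.18, 2.8), gesture(0.53, 1.22, 3.2), gesture(0.50, 1.20, 3.0)]
OWNER = [gesture(0.49, 1.21, 3.05), gesture(0.51, 1.19, 2.95), gesture(0.50, 1.23, 3.10)]
OTHER = [gesture(0.56, 1.11, 3.35), gesture(0.57, 1.10, 3.40)]

if __name__ == "__main__":
    template = enrol(ENROLMENT)
    print(monitor(template, OWNER))          # owner-only session: never locks
    print(monitor(template, OWNER + OTHER))  # locks after the hand-over
```

The clamp is the design choice worth noting: without it, evidence accumulated during a long genuine session would delay the lock after the device changes hands.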
If you want to share your device with another person, you can be the one to do those first interactions, then hand it to a different person. However, Data61 are also working on an ‘always on’ feature, meaning that if at any point the device recognises it’s being used by anyone else, it will lock.
You can also have the best of both worlds.
“If you want to add a user to the system, you just register them by asking them to interact with the machine for a few seconds and that’s it,” said Dr Kafaar. “We’ll link that to the fact that you authorise this by logging in to the system just a few minutes before, or allowing this new user to use your device…
“Each of them will have their own particular pattern, and that has major monitoring effect – if something bad is done on the machine, the owner of the device knows exactly who is responsible based on who was logged in at that particular time.”
Devices it will work with
Without naming any specific brands or makes – Dr Kafaar said Data61 are “in negotiations with a number of partners from different sectors”, including mobile and wearable manufacturers, and banking providers – the team have successfully used implicit authentication on “smartphones, smartglasses and three different OSs of smartwatches”.
“The hardware is there, we don’t change the hardware – we don’t even change things in the way the operating system is doing, we only extract information the operating system allows us to. Nothing needs to be rooted or changed in the OS,” said Dr Kafaar.
“The machinery is happening at the software level, where we combine the different features to get this ‘fingerprint’ to be uniquely identifying you, and that’s it.”
Perhaps most importantly, the technology is set to be implemented in ATMs.
“Essentially the ATM now is actually relying on a huge touchpad and that makes it really cool for us, because when we talk about big touchpads that means way more possibilities for the user to have this fingerprint more and more recognisable and more and more unique.
“The next step for us is to get it into that.”
As for concerns that people would be reluctant to change how they access their cold, hard cash from ATMs, after decades of the same system, Dr Kafaar said the aim was for a smooth transition.
“We’re exploring getting there slowly with hybrid versions. The way to get in is not by being disruptive, we’re trying to get in there smoothly by using an intermediate step where we will have both.”