Today there are millions of websites and applications and billions of users, with a single user having multiple accounts across various websites and mobile apps. The estimated number of passwords used by humans and machines is approximately 300 billion! We all use many websites and try either to remember each password or to reuse similar passwords from one site to the next. The only way of authenticating a user is through passwords or Personal Identification Numbers (PINs).
One study reported that close to 59% of users use the same password everywhere! This means that if one of your accounts is compromised, all of your other accounts can easily be hacked too! Also, 95% of cyberattacks are due to human error, which includes setting easy passwords (such as dictionary words), using the same password on every site, or even keeping passwords in plain sight. One of the most shocking facts about passwords is that more than 91% of them can be cracked in less than 6 hours, through dictionary attacks, brute force, social engineering and so on. This is why, when a user chooses a password, websites enforce a strict protocol or set of rules that the user is required to adhere to.
Why Is Making Passwords a Nightmare?
To make passwords harder to crack, users are required to choose passwords of a specific minimum length (certain sites require a minimum of 13 characters to resist brute-force attacks), with a combination of uppercase and lowercase letters, digits and special characters. They are also required to use distinct passwords on different websites and are not allowed to use common phrases and words, to prevent breaches through dictionary attacks. Although this increases security significantly, in practice the user often forgets these passwords and is forced to write them down in plain sight.
Therefore, the whole purpose of making authentication more secure is defeated, not because the user is stupid, but because the security mechanism itself is a lot less usable for an average user. We therefore need to look at ways of making authentication both secure and easy to use, so that the user’s identity and data are protected without the process becoming a burden.
An Alternative To The Password Mess
One of the methods used to tackle the authentication complications of legacy systems is biometric authentication. Password-, token- and PIN-based authorization systems are increasingly being replaced with security mechanisms that consider the biophysical characteristics of users. This is because a user’s biometric credentials (iris, palm or fingerprint patterns, etc.) are strongly linked to the user’s behavioral or physiological characteristics and are hence hard to duplicate in a highly networked society. They are also more usable (less tedious than passwords), fast (requiring only microseconds to validate), accurate and secure for real-time multiple-access control systems where security is critical (e.g. credit card systems).
How Biometric Authentication Works
To implement biometric authentication, the user first registers with the system by providing their biometric credentials. These credentials act as the reference template when the user is authorized in future. When the user later presents their credentials for authentication, the newly captured credentials, called the fresh template, are matched against the reference template (saved the very first time the user entered their credentials). The user is allowed to continue only if the fresh template is similar, or adequately close, to the reference template. If the fresh template does not match the reference template to the required extent, the system does not authorize the user.
Issues Related to Biometric Authentication
However, there are a few challenges to this approach to biometric authentication. The main problem is that once the user’s credentials are stolen, this can lead to identity theft or even to the attacker learning personal information about the user, and there is no way of guaranteeing security after the breach, since unlike a password a biometric cannot simply be changed. In addition, if the user’s physiological characteristics change (a very rare case, e.g. a burnt or cut finger), validating the user becomes a largely tedious task.
Advancements to Biometric Authentication
Because of these shortcomings of biometric authentication, privacy-preserving biometric authentication systems were designed that keep the accuracy intact. BioHashing, cryptography, Secure Multi-Party Computation (SMPC) and cancellable biometrics are examples of privacy-preserving biometric authentication. In BioHashing, the biometric reference template vector is projected into a random subspace determined by a seed value, and the result is then binarized; in cancellable biometrics, the credentials are distorted in a way that is unique to every application, so a compromised template can be revoked and reissued. SMPC is a branch of cryptography that distributes a computation among multiple parties such that no single party can see any other party’s data. The use of privacy-preserving biometric authentication not only ensures high security but also promotes usability, and helps overcome the security challenges that legacy systems and simple biometric systems cannot address.
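The following example, added here and not part of the original article, ties together the template-matching procedure described under "How Biometric Authentication Works" and the BioHashing scheme above. It builds a seeded random orthonormal projection, binarizes the projected feature vector into a BioHash, and accepts a fresh template only when its Hamming distance to the stored reference is below a threshold. The feature vectors are constructed stand-ins for a feature extractor's output (not real biometrics), and the hash length, acceptance threshold and seed values are assumptions chosen for illustration.

```python
import random
from typing import List, Sequence

FEATURE_DIM = 128   # length of the (constructed) real-valued biometric feature vector
HASH_BITS = 64      # BioHash length; must not exceed FEATURE_DIM for an orthonormal projection
MAX_DISTANCE = 16   # accept if at most 25% of the bits differ (assumed policy, not from the article)


def orthonormal_basis(seed: int, rows: int, dim: int) -> List[List[float]]:
    """Derive `rows` orthonormal `dim`-vectors from a seed (BioHashing's random subspace).
    Gram-Schmidt over seeded Gaussian vectors; the same seed always yields the same basis."""
    rng = random.Random(seed)
    basis: List[List[float]] = []
    while len(basis) < rows:
        v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
        for u in basis:                       # remove the components along earlier vectors
            d = sum(a * b for a, b in zip(u, v))
            v = [a - d * b for a, b in zip(v, u)]
        norm = sum(a * a for a in v) ** 0.5
        if norm > 1e-9:                       # skip a (practically impossible) degenerate draw
            basis.append([a / norm for a in v])
    return basis


def biohash(features: Sequence[float], seed: int, bits: int = HASH_BITS) -> List[int]:
    """Project the feature vector into the seeded subspace and binarize each coordinate
    against a zero threshold. The seed (a user- or application-specific token) is what
    makes the template cancellable: a new seed gives an unrelated hash."""
    assert bits <= len(features)
    basis = orthonormal_basis(seed, bits, len(features))
    return [1 if sum(a * b for a, b in zip(u, features)) > 0.0 else 0 for u in basis]


def hamming(a: Sequence[int], b: Sequence[int]) -> int:
    """Number of differing bits between two equal-length BioHashes."""
    assert len(a) == len(b)
    return sum(x != y for x, y in zip(a, b))


def verify(fresh: Sequence[int], reference: Sequence[int], max_distance: int = MAX_DISTANCE) -> bool:
    """Accept the fresh template only if it is adequately close to the stored reference."""
    return hamming(fresh, reference) <= max_distance


# --- constructed sample data (stand-ins, not real biometrics) ----------------------------
def constructed_features(user_seed: int, dim: int = FEATURE_DIM) -> List[float]:
    """Stand-in for a feature extractor's output for one user."""
    rng = random.Random(user_seed)
    return [rng.gauss(0.0, 1.0) for _ in range(dim)]


def noisy_capture(features: Sequence[float], capture_seed: int, sigma: float = 0.05) -> List[float]:
    """Simulate a fresh scan of the same person: the same features plus small sensor noise."""
    rng = random.Random(capture_seed)
    return [f + rng.gauss(0.0, sigma) for f in features]


def demo() -> dict:
    alice = constructed_features(user_seed=101)
    mallory = constructed_features(user_seed=202)
    token_v1, token_v2 = 0xA11CE001, 0xA11CE002   # per-enrolment seeds (assumed values)

    reference = biohash(alice, token_v1)                       # enrolment: stored reference template
    fresh_alice = biohash(noisy_capture(alice, 7), token_v1)   # later genuine scan (fresh template)
    fresh_mallory = biohash(mallory, token_v1)                 # someone else using the same token
    reissued = biohash(alice, token_v2)                        # re-enrolment with a new seed after a breach

    return {
        "genuine_distance": hamming(fresh_alice, reference),
        "genuine_accepted": verify(fresh_alice, reference),
        "impostor_distance": hamming(fresh_mallory, reference),
        "impostor_accepted": verify(fresh_mallory, reference),
        "reissue_distance": hamming(reissued, reference),
        "stolen_hash_still_valid": verify(reference, reissued),  # old hash against the new reference
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The genuine scan differs from the reference in only a handful of bits because small sensor noise rarely flips the sign of a projected coordinate, while an unrelated user's hash under the same seed differs in roughly half the bits. The last line of the result shows the cancellability property: once the user is re-enrolled with a new seed, the previously stored hash no longer verifies, so a leaked template can be revoked without the underlying biometric being replaceable.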