Few technologies are as universally loathed as passwords. For the end-users, frequent password resets and draconian complexity policies are a source of never-ending frustration. For administrators, password synchronization issues and a steady stream of requests to reset forgotten passwords can be huge wastes of time. Thankfully, recent years have given rise to several password alternatives.
This, of course, raises the question of which alternative to traditional passwords is the best. The truth of the matter is that while everyone seems to have their own preferences, no one single password alternative technology is clearly superior to all of the others. All of the commonly used password alternatives have advantages and disadvantages.
One of the password alternatives that has become more popular over the last few years is the PIN. Rather than entering an actual password, a user simply enters a numeric code. These PIN codes are commonly either four digits or six digits in length, but depending on the system they can be longer or shorter.
On the surface, the use of a PIN seems far less secure than a password. After all, passwords are usually longer than a PIN, with most organizations requiring passwords to be at least eight characters in length. Likewise, most companies impose password complexity requirements that require passwords to be made up of upper and lower case characters, numbers, and symbols. A PIN, on the other hand, is simply a short numeric code.
Under the right circumstances, a PIN can theoretically be more secure than a password. In Windows 10, for example, the PIN is paired to a specific device rather than being tied to a user account the way that a password is. If someone were to steal a user’s password, they could conceivably use the stolen credentials to log on from anywhere. If, on the other hand, someone were to steal a user’s PIN, the PIN is useless by itself. To use the PIN, the thief would also have to steal the user’s device. When used in this way, a Windows PIN could be thought of as a type of two-factor authentication (with the PIN being the first factor, and the device being the second factor).
Incidentally, another thing that helps to make the Windows PIN secure is that the authentication process happens at the device level. The user’s PIN is not transmitted across the network during the authentication process.
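The two properties above (the PIN is bound to one device, and it is never sent over the network) can be modelled in a few lines. This is an added illustration, not the page's or Microsoft's implementation: the device key, the PIN-based sealing scheme, the `Server`/`Device` classes and the sample PIN are all assumptions, and the HMAC challenge-response stands in for the hardware-backed credential a real device would use.

```python
import hashlib, hmac, os, secrets

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _kek(pin: str, salt: bytes) -> bytes:
    # Slow derivation stands in for the hardware throttling a real device applies to PIN guesses
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Server:
    def __init__(self):
        self.keys = {}                            # device id -> device key; no PINs are stored

    def login(self, device_id: str, device: "Device", pin: str) -> bool:
        key = self.keys.get(device_id)
        if key is None:
            return False                          # unknown device
        challenge = os.urandom(32)                # only challenge and response cross the network
        response = device.respond(pin, challenge)
        expected = hmac.new(key, challenge, "sha256").digest()
        return response is not None and hmac.compare_digest(expected, response)

class Device:
    def __init__(self, salt: bytes, sealed: bytes, tag: bytes):
        self.salt, self.sealed, self.tag = salt, sealed, tag   # key at rest is sealed under the PIN

    @classmethod
    def enroll(cls, pin: str, server: Server, device_id: str) -> "Device":
        salt, device_key = os.urandom(16), secrets.token_bytes(32)
        kek = _kek(pin, salt)
        server.keys[device_id] = device_key       # shared once at enrollment, never the PIN
        return cls(salt, _xor(device_key, kek), hmac.new(kek, device_key, "sha256").digest())

    def respond(self, pin: str, challenge: bytes):
        kek = _kek(pin, self.salt)
        key = _xor(self.sealed, kek)
        if not hmac.compare_digest(hmac.new(kek, key, "sha256").digest(), self.tag):
            return None                           # wrong PIN: the device key cannot be recovered
        return hmac.new(key, challenge, "sha256").digest()

def scenarios() -> dict:
    """Constructed walk-through of which PIN/device combinations the server accepts."""
    server = Server()
    laptop = Device.enroll("4821", server, "alice-laptop")       # constructed sample PIN
    other = Device.enroll("4821", server, "other-device")        # same PIN, different hardware
    return {
        "right PIN on the enrolled device": server.login("alice-laptop", laptop, "4821"),
        "wrong PIN on the enrolled device": server.login("alice-laptop", laptop, "0000"),
        "leaked PIN on a different device": server.login("alice-laptop", other, "4821"),
    }
```

Only the first scenario succeeds: knowing the PIN without the enrolled device, or holding the device without the PIN, yields no valid response.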
In spite of these advantages, there are at least two disadvantages to the use of PINs. First, not every device uses PINs in the same way. A Windows device, for example, might not behave the same way as an Apple device (this is a hypothetical example, not a statement of fact).
The other disadvantage is that using PINs can be as burdensome as using passwords. There have been several examples of organizations that try to treat PINs as passwords and impose length and complexity requirements to the point that the PIN essentially becomes a password. This, of course, completely negates one of the primary benefits of using PINs.
Biometric devices such as fingerprint readers hold several advantages over password-based authentication. For one thing, the user doesn’t have to worry about trying to remember a password. Likewise, administrators don’t have to worry about stolen credentials.
I’ve always been a little bit skeptical of fingerprint-based authentication. I had some bad experiences with it early on. Early in my IT career, the company that I worked for decided to begin experimenting with fingerprint-based authentication. We set up a pilot deployment program and enrolled a couple of dozen people so that we could begin testing the technology. What we found, however, was that the authentication engine could not tell the difference between myself, my administrative assistant, and half a dozen other people.
I will be the first to admit that this was a really long time ago and that the technology has been vastly improved since that time. Today’s fingerprint readers have a very low probability of falsely identifying someone, although some readers are more accurate than others. Even so, fingerprint-based authentication is not infallible.
If I am to be perfectly honest, I have always had a nagging fear that the pervasive use of fingerprint-recognition technology would eventually lead to criminals cutting people’s fingers off to gain access to their devices. In reality, though, such drastic techniques have proven to be completely unnecessary.
A couple of years ago, a 6-year-old child managed to circumvent the fingerprint reader on her mother’s smartphone, and then use the phone to go on a shopping spree. This criminal mastermind used a decidedly low-tech, but extremely effective method for gaining access to the phone. She simply waited until her mother went to sleep, and then held her mother’s finger to the fingerprint reader.
I have also heard people talk about the fear that someone might be able to compromise a fingerprint reader by stealing a fingerprint off of a drinking glass or a similar item. While I have not heard of such an exploit being successfully used in the real world (at least not yet), someone was allegedly able to fool a fingerprint reader by using Play-Doh.
Facial recognition is another authentication technology that has been gaining traction over the last few years. Facial recognition seems to work extraordinarily well, but admittedly not all facial recognition devices are created equally.
I use facial recognition to log into my Microsoft Surface Book 2 device. The nice thing about that particular device is that it is equipped with a 3D camera. This means that you can’t fool the facial recognition feature by holding up a photograph of someone, as is possible with some devices.
My guess is that facial recognition cameras of the future will incorporate thermal imaging. That way, the computer can verify that it is looking at a living person, and not at a sculpture or a 3D print of someone’s face.
I also think that for facial recognition to fully mature, artificial intelligence will have to be used to train the facial recognition engine to overlook certain things. The Windows facial recognition feature already does this to some extent. For example, it can be trained to recognize somebody who wears glasses, even if they take their glasses off. Based on what I have seen, the Microsoft facial recognition engine is not fooled by things like makeup or forgetting to shave for a couple of days. What I think could fool the facial recognition engine (causing it to deny access to an authorized user) however, are things like a significant change in weight or growing or shaving a large beard.
Password alternatives: A vote for recognition technology
So which authentication technology is really the best alternative to traditional passwords? I think that facial recognition technology is the best option right now, but that’s assuming that the underlying hardware is sophisticated enough to tell whether it is looking at an actual person or a photograph of someone. It is also worth noting that in the case of Windows, biometric authentication cannot be enabled without also enabling PIN-based authentication. Windows reverts to using a PIN if biometric authentication fails. This keeps someone from being permanently locked out of their device simply because their physical characteristics change.
Featured image: Freepik / macrovector