SAN FRANCISCO-It's been a bad year for passwords, as attacks on social networks, e-mail services and even shoe stores have proven the weakness of this method of authentication.
Given the vulnerability of usernames and passwords-not to mention the friction of having to use multiple passwords for different programs-new authentication techniques are advancing quickly, such as biometrics and tools that take advantage of technology already existing in newer mobile phones, tablets and laptops.
Researchers at Intel, for example, have developed new mobile tech that combines software with a biometric sensor that recognizes the vein patterns on a person's palm, allowing access to banking sites, social networks and other account-based services.
Sridhar Iyengar, director of security research at Intel Labs, who helped demonstrate the new technology at Intel's recent developer forum in San Francisco, contends that making laptops, smartphones and tablets responsible for identification removes the need for websites to perform authentication via password.
"I wouldn't say that passwords are antiquated, but they are cumbersome," he said. "And the fact that man-in-the-middle attacks have increased as people eavesdrop on passwords...all of this may come to a head," Iyengar told American Banker, an affiliate of Credit Union Journal.
Combination of Software, Sensor
Intel's new authentication method, which is still in development and may not be in the market for another year or so, uses a combination of software and a biometric sensor that's embedded in the computing device. In Iyengar's demonstration in San Francisco, the device was a tablet. Palm prints are used to authenticate the user, because Intel considers palm prints more reliable than fingerprints, which can more easily become stained. In addition, the Intel Labs product is contactless, while older biometric sensors require the finger to come into contact with the reader.
Once the user is identified as the computing device's proper user by waving his or her palm in front of the sensor, the computing device can communicate that person's identity to banks, social networks and other sites. An embedded accelerometer senses when the device has been put down, at which point the session automatically logs off.
Making The Problem Worse
Iyengar argues the growth of mobile banking has actually made the password vulnerability problem worse. He says Intel research has found that people log into their smartphones more frequently than PCs-about 35 times per day-and often do so from public locations, which are more vulnerable.
Intel says it plans to work with service providers to take advantage of palm reading technology to expand the availability of biometric sensors on devices, and Iyengar says the new versions of smartphones, tablets and laptops are increasingly including the scanning and recording technology that can enable contactless palm screening and other authentication techniques that verify the device's owner before he or she attempts to log into a site.
"The trend is toward adding more sensors to the devices, whether they be cameras, microphones, gyroscopes or sensors, tablets, smartphones and other devices are getting smarter and smarter about determining who you are," Iyengar told American Banker.
Other firms, such as InAuth, are also touting biometrics as an authentication tool. In InAuth's case, it's voice biometrics-or recognizing the user's vocal patterns. While biometrics, or the use of a personal characteristic such as fingerprints or voice to identify someone, has existed for years, it's always been considered a frontier technology for mass authentication.
Avivah Litan, a vice president and security specialist for Gartner Research, says that while usernames and passwords aren't going away anytime soon, there's traction for biometrics given the security risks and improvements in enrollment for biometric services. "Usernames aren't considered private data, and passwords are getting compromised more and more. Biometrics is becoming much more palatable."
Other firms are using the actual computing devices as the authentication tool to eliminate usernames and passwords. A startup called OneID has built an authentication tool that replaces usernames and passwords with one digital identity that's stored in the end user's device-a mobile phone, laptop or tablet. The identity would allow banks, retailers and other electronic commerce organizations to recognize the device as belonging to a particular user-so that user would not have to log in to sites for most transactions, though extra authentication for certain transactions could be required.
How Encrypted IDs Work
To build the encrypted identity on the device, OneID uses what's called "public key cryptography," or the downloading of "secret" cryptographic information to a user's device that identifies the user, then creates digital signatures that are accessible by the banking or other site. These digital signatures cannot be used to steal the users' identity, though the devices are still prone to theft, malware or hacking.
OneID, whose backers include Khosla Ventures, with a $7-million stake, did not disclose financial users, but did say it was in talks with a financial services industry group about an endorsement-which OneID said could be announced within the next few weeks.
"Usernames and passwords are designed for the mainframe world of the past. We need a new approach to take advantage of the capabilities that we have on personal computing devices. Passwords are subject to being guessed, and it gets worse as computation gets faster. It's easy to build a machine that can guess passwords at a greater and greater rate," said Jim Fendon, chief security officer of OneID.
Remote Signature Capture Offered
INDIANAPOLIS-Bradford-Scott Data Corp., an owner/distributor of the Sharetec System, is now offering Remote Signature Capture to its 300 client CUs. Remote Signatures makes it possible to service members who are unable to visit an office to use a secure and legally binding signature required for loans and forms.
Once approved, the loan officer sends a message with a link to the appropriate documents and in a separate message the PIN access code as one of the steps in validating their identity.
For info: www.bradfordscott.com.
Platinum, SharperLending Integrate
ALISO VIEJO, Calif.-Platinum Data, a provider of collateral valuation technologies, said its technology has been integrated within SharperLending's systems. The integration will provide seamless access to Platinum Data's suite of products, including RealView, an automated appraisal quality verification technology.
ProfitStars Launches New Category
MONETT, Mo.-ProfitStars reported it is introducing a fifth solution category, Online and Mobile solutions that is inclusive of website design and hosting, Internet banking, mobile site conversion, online security services, and forthcoming mobile products and platforms. It also encompasses the fully integrated retail bill pay, small business tools, P2P payments, and smartphone applications from the newly rebranded iPay Solution, the company said.
For info: www.profitstars.com.
Cardtronics Offers 'FeeAlert'
HOUSTON- Cardtronics has launched a new service, "FeeAlert," which is designed to help members avoid ATM fees by raising account-holder awareness of their in-network ATM options "in a personalized way."
Upon analyzing an individual's real-world ATM usage behavior, FeeAlert enables financial institutions to deliver a list of nearby surcharge-free ATMs-including surcharge-free network ATMs, the company said.
For info: www.cardtronics.com.
Voice Authentication Intro'd
LOS ANGELES-InAuth, a provider of mobile security software has introduced a Voice Biometrics Authentication Module that runs unobtrusively on the mobile device of an account-user and dynamically identifies the user based on unique voice characteristics.
Teachers Implements HelpSTAR
OAKVILLE, Ontario-HelpSTAR, a provider of help desk software, said Spokane Teachers Credit Union has implemented HelpSTAR 2012 to elevate efficiency across multiple departments.
For info: www.helpstar.com.
Visit www.cujournal.com for additional resources