Google biometrics tests show there's no magic pill for passwords

While passwords fall short of the tight security businesses would like, the use of electronic tattoos and pills that Google is experimenting with would introduce a new set of problems, experts say.

Regina Dugan, who leads special projects at Google-owned Motorola, disclosed at the All Things Digital conference last week that the company was experimenting with the new forms of biometrics. The technologies are a long way from adoption, but they reflect the boldness with which Google is looking for password alternatives.

Password weaknesses are well documented. Once passwords are stolen from a company's database, hackers have the tools to crack many of them, even when they are encrypted. Users add to the problem by choosing passwords that are easy to decipher, such as "password," "123456" and "12345678," which are among the most popular passwords, according to SplashData's 2012 list.

As alternatives, Google has partnered with the company MC10 in experimenting with electronic tattoos, said Dugan, the former head of the Defense Department's Defense Advanced Research Projects Agency (DARPA). Separately, the pill form of authentication would essentially turn a person's whole body into a password.

While praising Google's willingness to experiment at the outer edges of biometrics, experts pointed out Monday that the technologies would create a unique set of challenges. For example, criminals would have to add kidnapping to hacking computer systems in order to get the information they seek.

"Criminals will want to take your body and bring it to their login place or maybe make you login under duress, which is scary," said Mark Risher, chief executive of Impermium, which protects Web sites against account compromises and counterfeit registrations.

To counter such a scenario, another layer of technology would be needed to make the authentication mechanism unusable if the person was under extreme stress.

Another problem would be in transmitting the password. If people using the technology were in close quarters, then the receiving computer could have difficulty separating the right password from the rest, Risher said.

Convenience would certainly be a major plus with tattoos and pills, since the authentication would be automatic and would not require remembering a password. Nevertheless, both biometrics would be far more invasive for the user than using a fingerprint reader, said Eve Maler, an analyst with Forrester Research.

The creepiness of having an electronic tattoo or swallowing a pill to log into websites is likely to turn off most people, Maler said. In addition, it would be difficult to reset the authentication, if the technology was compromised.

Nevertheless, Google deserves credit for pushing the envelope. "Google, unlike a lot of other big companies who are in the authentication game, is organically doing a lot of experimentation, which I think is good," she said.

Last month, Google released a draft of a five-year plan for exploring technologies that could replace passwords. Many of Google's ideas, meant to foster discussion with security pros, tie authentication to mobile phones, cloud-based services and Web browsers.
