Beyond passwords with biometric technology

Tired of having hackers guess your password in three tries and break into your most critical systems?

Well, first, stop using "password" as your password.

Then, consider investing in some alternate means of authentication. Biometric technologies can supplement or even replace passwords entirely when used in conjunction with a password management program.

The following biometrics vendors, for example, can turn almost any physical aspect of your body into an authentication mechanism.

Most are also members of the FIDO Alliance, a standards body for authentication technologies.


According to the folks behind the Nymi Band, your heart has a unique signature -- the ECG wave has a special shape that identifies you as you.

The signature is measured by the wrist band, which then uses Bluetooth to authenticate you to other devices.

As long as you're not too excited or relaxed when you put it on, that is.

It works in conjunction with a partner app on your computer or mobile device, and could be used, say, to unlock your smartphone without having to type in a password. Or for any other purpose that requires confirmation of your identity. For example, they recently announced a pilot payments project with the Royal Bank of Canada and Mastercard.


The EyeLock Myris collects 240 points of data on your iris, which, the company says, results in a false positive rate of 1 in 1.5 million.

They claim more than 3 million transactions over the past two years, in sectors such as security, border control, government and financial services.

You plug the device into your USB port, connect sites and applications to the Myris app, and then just look into the device to log in, the same way you would look into a hand mirror.


Sclera, or the white part of your eyeball, gets all the attention with the EyeVerify. You pick up your smartphone and take a selfie. The EyeVerify app looks at the blood vessels in your eyes to confirm your identity.

And you're in.

There are free demo apps on the iOS and Android app stores, but the company is really focusing on the other side of the authentication mechanism -- with the banks and other institutions. According to the company, several banks in Australia are already using it for their employees, and the technology is part of the mobile device management platforms from Good Technology and AirWatch.


There's a lot happening with fingerprints. Smartphones now include fingerprint readers, as do some laptops and other devices.

There are also a variety of key fobs, dongles, and other peripherals, such as the IDKey from Sonavation and the Yukey from Egistec.

But you can also scan a fingerprint without any special hardware. The Onyx, from Diamond Fortress Technologies, uses the camera on your smartphone. Free demo apps are available for both Android and iOS.


We're all used to talking on our phones, and, more recently, talking to our phones. What's more natural than to use that for authentication, as well?

Agnitio's Kivox platform allows app developers to do just that.

And, in case you're worried about criminals secretly taping your voice, Agnitio claims that its patented anti-spoofing technology caught 97 percent of spoofing attempts -- while their competitors caught none of them.

Another benefit of their platform is that the software is resident on the phone and doesn't require an Internet connection.


The beta release of AppLock by Sensory is in the Google Play store if you're looking for an application that uses your phone's camera to see your face.

The app's security settings have a "liveness" mode for extra security, to keep the bad guys from trying to spoof your face with a picture.

For even more security, the app can also check your voice.


Did you know that the shape of your ear is unique?

Did you know that there's an app that reads the shape of your ear where it touches the screen?

It's called Ergo, and it's available now on Google Play from Descartes Biometrics.

And it's as easy to use as lifting your phone to your ear. Which you do all the time, anyway.

But it only has a rating of two-and-a-half stars, and reviewers complain about not being able to get it working.

So put this into the "not quite yet" column.

Finger vein

No, it doesn't draw blood. The VeinID from Hitachi uses infrared light to painlessly scan the veins inside your finger.

The scanner is already used at ATMs in Japan and Poland, and Barclays plans to deploy it this year in the UK.

According to the company, it's difficult to spoof because it doesn't read the exterior of the finger, but the inside, and the false rejection rate is lower than with fingerprinting.

It takes about a second to do the scan and authenticate someone.

Worried about bad guys chopping off your finger? Don't be -- according to the company, dead fingers have no blood flow, so wouldn't be readable by the device.

Brain waves

Yes, there are consumer devices that read brainwaves. Unfortunately, none of them can be used as authentication devices out of the box just yet.

The Emotiv Insight, for example, is scheduled to hit the market this March, after raising more than $1.6 million in a successful Kickstarter campaign.

Like its closest alternative, the MindWave headsets from NeuroSky, these collect EEG measurements through easy-to-use dry-contact sensors.

In 2013, researchers at UC Berkeley asked users to perform simple mental tasks, such as mentally singing a song, or focusing on their own breathing. They were able to identify users with an error rate of less than 1 percent.

Unfortunately, the specific headset the researchers used -- the NeuroSky MindSet, which also includes regular headphones and a microphone -- is no longer available.

And both the MindWave and Insight headsets are single-purpose. All they do is measure your EEG. Not really practical to get and use just for authentication. But if you already have one at your desk to help you relax after a long day of network monitoring, then go ahead and adapt it to confirm your identity and become the coolest nerd in the office.


Stories by Maria Korolov
