Some people would say "not much." But some others, who are closer to the industry, would say a lot is happening.
A couple of years ago, the emerging idea of biometrics as a replacement for strong password designs were, even then, on the way out. From today's vantage point, we see that passwords in general are actually being replaced (or augmented) as a primary method of security.
As for biometrics, the idea of using someone's biological information has not yet been rolled out in most consumer platforms — it's not something that we see very much on the street. But that could change soon.
Let's go over some of the most notable changes.
Even back in 2017, we saw that cryptologists had been refuting the idea that you can stave off password crackers with a combination of weird alphanumeric digits like you used to see in the funny pages.
Now, in 2019, NIST password guidelines for that year did not include any references to using capital letters or exclamation points, or numbers, or any of the rest of it.
To be specific, here are some of the 2019 NIST password guidelines (as presented to you by Security Boulevard):
• Eight-character minimum.
• Password dictionary checks.
• Allow at least 10 password attempts before lockout.
• No password expiration.
• No complexity requirements.
• No password hints.
We still know now what we knew then — that despite the "strength" of your passwords, it's all for nothing if you leave your passwords out where hackers can get them. Keyloggers are one significant way to get around strong passwords, and there are others as well.
So, has biometrics emerge to conquer this problem? Actually, there's another savior that's become pretty common these days. It’s something that generally comes at lower cost than most biometrics systems, and it’s very much in vogue right now.
Multifactor Authentication Replaces Password Systems
In fact, in the last two years, we've seen an abundant proliferation of multi-factor authentication (MFA) systems. You probably have this service in place for your online banking, and big companies like Google and Apple use it as well. It's quickly become a standard.
MFA is a third principle in addition to the idea of passwords, which are private keys, and biometrics, which is based on a person's unique biology.
MFA, or the other hand, is based on using an additional device as the verification agent.
As smartphone ownership became commonplace, companies realized they could innovate around password security by allowing smartphone holders to use their secondary devices for verification. If you’re at a computer, and your smartphone is in your pocket, you’re all set up!
It works simply — you set a request for access, and the system comes back with a secondary code on your smartphone that you type into your computer, and you're off to the races…
“There is nothing to remember, no action to be taken,” wrote Raz Rafaeli at TNW last February, suggesting the value of push notifications and characterizing some other types of MFA as well. “Because of the system’s ease of use and superior security, most vendors of authentication technologies in recent years have improved their solutions to support push authentication.” Rafaeli also noted that NIST has indicated the agency is “not a fan” of biometric methods either.
MFA of this kind ensures that no one can pose as an imposter and log on in your place, unless they have your actual physical smartphone in hand.
So while MFA is similar to biometrics it's not the same thing. For one thing, it’s a lot easier to implement then trying to use their fingerprints or other biometric information to unlock systems.
Issues with Biometrics and Facial Recognition
There are practical issues with using something like a thumbprint for system access. Every device would have to be equipped with a physical thumbprint reader, for starters.
There's another type of biometrics, though, that's catching on in a big way right now. We just don't see it yet.
Facial recognition is quickly being built into public systems, as well as consumer devices like your average smart doorbell or home security camera.
But we're not using it much for biometric identification yet on our own devices, and there's a reason for that.
Basically, facial recognition freaks some people out — it challenges their ideas of resisting uberveillance and retaining some measure of privacy as an individual. Facial recognition can feel intrusive!
“Unlike many other biometric systems,” write experts at the ACLU, “facial recognition can be used for general surveillance in combination with public video cameras, and it can be used in a passive way that doesn’t require the knowledge, consent or participation of the subject. The biggest danger is that this technology will be used for general, suspicionless surveillance systems…”
There's a reason that platforms like Facebook have made their use of facial recognition relatively subtle, even though they've had the technology for a while now.
People just don't like to think about computers identifying them everywhere they go – but at the same time, facial recognition could be a very effective and very easy tool for biometric authentication.
We'll have to see whether facial recognition catches on, and how quickly it replaces MFA as the norm. For now, we’ll keep entering those codes from our smartphones, because it has all the efficacy of a biometric solution, without the intrusion — instead of using our biology, which we see as our own private data, it uses our devices, which are so often seen as a sort of bionic prosthetic, but where we tend to think of the data as jointly held by ourselves and our telecom providers.