Are you the password?
Fingerprints and iris scans have been at the forefront of “behaviour metrics” for a while. And according to HSBC’s “Trust In Technology” report, released in May, India tops the list of countries in the adoption of biometric techniques.
“On an average, people in India (9%) are three times more likely than any other country (3%) surveyed to have used ‘iris recognition’ to identify themselves,” said the report, which studied over 12,000 people in 11 countries on perceptions of technology and habits.
The next level of biometric user authentication, however, will focus on a different facial feature, or the way you walk, or heartbeat patterns. Even brainwaves could become passwords with the help of EEG, or electroencephalogram, systems. Of course, these systems are still in development, and much remains to be ironed out.
For instance, brainwave signatures may be unique but EEG readings can differ depending on where the electrodes are placed, says Nitin Vasanth, chief executive officer of the Bengaluru-based NeuroTech Labs, which specializes in consumer wearable electronics with a focus on the brain-computer interface. Price would be an issue too.
But even Tesla founder Elon Musk is keeping tabs on this one: His latest venture is Neuralink, an American company that is reported to be developing implantable brain-computer interfaces.
Is the notion that “you are the password” finally turning into reality?
The key: Hackers can recreate someone’s face, but can they mimic a person’s natural lip movement? Researchers with the department of computer science at Hong Kong Baptist University have created a “lip motion password” system that authenticates a person’s identity.
The technology, announced earlier this year, leverages the fact that every person’s lip movement is unique. The researchers, led by Prof. Cheung Yiu-ming, have developed a computerized learning system which captures shape, texture and movement to create a lip sequence.
The “lip motion password” system requires users to look at the laptop camera and repeat the password 10 times to create a sequence—just like you would record your fingerprints on a phone for the first time with multiple touches. Since the verification happens visually, even people with speech impairment can use this system. Still in the development stage, this new technology is expected to be used for financial transactions, electronic payments, and at ATMs.
Expert-speak: “Lip movement on its own cannot be a viable method for user authentication. However, it can be used to verify the liveness of a person (ensuring that the biometric being captured is real, not fake) as part of a face or iris authentication. We use the face to authenticate by allowing the user to enrol using their Aadhaar (photograph) and then using a selfie to authenticate against the enrolled Aadhaar face. We use a combination of face movement and blinking to check for liveness of a person. Lip movement is arbitrary in nature. Ageing and facial hair growth will make it harder for a system to accurately use it for authenticating purposes.”
—Shankar, chief executive officer, FRS Labs, a Bengaluru-based company that specializes in authentication and fraud prevention solutions for businesses.
Matching the beat
The key: The electrocardiograph (ECG)—a measurement of the heart’s electrical activity—is a useful medical tool to detect anomalies in the vital organ, but researchers at Binghamton University in New York have developed a unique way of safeguarding a person’s health records with their own heartbeat.
“We reused ECG signals for data encryption. Through this strategy, security and privacy can be enhanced while minimum cost will be added,” Zhanpeng Jin, assistant professor at Binghamton University, said in a press release. She is the co-author of a paper titled A Robust And Reusable ECG-based Authentication And Data Encryption Scheme For eHealth Systems. According to the university website, this new method is a combination of previous work by Zhanpeng, using a person’s brain-print instead of the usual passwords to access computers and buildings, and cybersecurity work by her co-researchers.
Expert-speak: “The heartbeat rhythm will be used to encode data, but the rhythm keeps changing over time due to various physiological parameters. They are not like fingerprints, which are stable. A reason it could be more effective than iris and fingerprint scanning is that it is not external. You can injure a person’s hands, damage their eyes, but there’s not much you can do with the heart. From that point of view, the signature or password created from the heart (ECG) will be far more secure.”
—Anand Madanagopal, founder and chief executive officer, Cardiac Design Labs, a Bengaluru-based company that provides cardiac monitoring and diagnosis through intelligent wearable devices.
The right walk
The key: You could one day just “walk” into your office cabin, without needing an iris or fingerprint scan. All you would have to do is walk as you would usually.
At the Commonwealth Scientific and Industrial Research Organization’s Data61 lab in Australia, researchers have developed a wearable that will not only utilize the kinetic energy created from a person’s walk to generate power, but also use it to create a unique authentication key.
The wearable device monitors the kinetic energy created by a person’s gait. The idea is based on the observation that if humans have unique walking patterns, then the corresponding patterns of kinetic energy should be unique too. The device keeps monitoring the energy patterns created by a person’s gait to register a one-of-a-kind signature. The team at Data61 tested the wearable on 20 different subjects and was able to authenticate a person based on their gait with 95% accuracy, according to their research paper.
Expert-speak: “Gait authentication in general can be effective, but not as a primary factor: in the sense that only this can’t be relied upon for user authentication. This system could be used for anomaly detection. If someone is getting authenticated and there is a difference in their walking style, then one could probably raise an alarm. That’s why I think it would be better as an anomaly detection system. I don’t think this could be used online. It would be more useful at physical gates (for entering an office building, etc.).”
—Vaibhav Gupta, a New Delhi-based security researcher who leads the Delhi chapter of null and Open Web Application Security Project (OWASP), which are two separate non-profit, registered communities established to promote information security knowledge across the globe.