Naked Security

People like using passwords way more than biometrics

A survey finds that many don't trust biometric authentication for a number of reasons: the technology's not there yet, for example, and hackers can get past fingerprints/iris scans.

A new survey shows that we’ll give up our passwords only when they’re pried from our cold, dead hands.

That’s more or less the conclusion of a new study conducted by YouGov on behalf of email portal mail.com.

In a recent survey of 1,119 US people, the preferred method, by far, to log on to online services was the password, chosen by over half – 58% – of respondents.

Biometrics weren’t even close.

Fingerprints were the most popular of the body-as-authentication methods, at 10%. Scanning people’s eyes, their voices or their faces were the preferred methods for a skimpy 2% each.

When it comes to biometrics, only 9% of those surveyed thought that collecting data in this way is risk-free. In fact, 26% said that they found biometric authentication methods flat-out risky.

That’s a healthy dose of skepticism, and it’s certainly not unfounded.

When it comes to authentication via facial recognition, it’s too easy to spoof static authentication by holding up a 2D picture to a camera, as Google found out after filing a patent to let users unlock their phones by, say, sticking out their tongues or wiggling their eyebrows…

…or, in the case of fingerprints, by making a dummy fingerprint out of wood glue or a 2D inkjet printout.

Google went ahead and filed a patent for “Liveness Checks,” but researchers using the most basic of photo editing tools managed to fool it with just a few minutes of editing and animating photos to make them look like subjects were fluttering their eyelashes.

Similarly, a few months ago, researchers came up with a way to mimic the swipey touch gestures we use to get into our phones. They did it by whipping up a Lego robot and equipping it with a finger sculpted from Play-Doh.

At any rate, to get back to that we-love-our-passwords survey, these are some of the specific reasons why some people don’t like biometrics:

  • 42% worry about not being able to access online accounts through these biometric authentication methods in case of a malfunction.
  • 42% don’t want companies to collect, save and use their personal data for logging on to online services. (Note: you’re pretty much out of luck if the Feds want to use it after you’re dead!)
  • 33% worry that third parties could access their biometric data if they lost a device. (Or, say, if a judge forces you to unlock the iPhone of your boyfriend/alleged Armenian gang member. Bear in mind that courts nowadays consider passwords to be covered by Fifth Amendment rights against forced self-incrimination because passwords are something you know. However, biometrics aren’t protected by the Fifth Amendment, since they’re considered to be something you are.)
  • 32% worry that hackers could overcome biometric authentication methods to log on to their online accounts. (They’re right! We’ve seen fingerprints, facial recognition and iris recognition all fooled by hackers.)
  • 30% don’t think the technology is fully developed to support these biometric authentication methods. (Which is quite likely why we keep seeing ever more new biometrics tested as authentication methods, including, for example, brainprints.)

Digital Trends quoted mail.com CEO Jan Oetjen on the survey results:

The survey shows that biometric login methods are far from becoming a mass market. Nevertheless, for more security throughout the internet it is very important that alternative authentication methods like biometry are being further researched.

In order to meet the concerns of users, providers have to fulfill high data protection requirements concerning the storage and use of biometrical data.

But is it a foregone conclusion that biometrics are the way to go, to get us out of our reliance on passwords that are, all too often, horribly flimsy?

As it is, we’re seeing other, non-biometrics work being done to replace passwords. One example is Google’s so-called Sign-In Experiments, in which it was trialing a method of password-less sign-in that involves interaction with your phone.

One reader told us back in January that he’s been using a similar Microsoft sign-in app on his phone for some time: whenever he signs in on an “untrusted” device, his phone displays the attempt immediately and asks if he wants to approve or deny the request.

Other readers are interested in SQRL (Secure Quick Reliable Login): a draft open standard for secure website login and authentication.

Does online authentication need to get better than passwords? Oh, yea.

Are biometrics the only way to do that?

Not by the looks of it.

And judging by the attitudes expressed by a representative selection of US people, that’s a good thing, given that so many of us really, really don’t like these authentication methods.

5 Comments

Can’t change your fingerprints if they’ve been compromised*. That’s where passwords still have the edge.

(* reminds me of an old joke about an experimental ‘morning after pill’ for men – they take it the next day and it changes their blood type.)

Biometrics in principle sound great but in practice have a few issues. It is much harder to revoke biometrics – I can change my password, if compromised but not my finger. They are also “fuzzy” – my password is either right or wrong. However, my fingerprint scan is somewhat variable – on my Samsung Note 4 the fingerprint always fails for a few minutes after I have washed my hands, or got my finger wet. The airport scanners work for my face about 1 time in 10 – not helped by the fact they instruct me to take off my glasses when the comparison picture is with glasses on.

Bang On!!
I have disabled the fingerprint scanner on one of my older laptops and the internal camera on the newer one (without a fingerprint scanner, perhaps the manufacturers are already getting the idea).
Biometrics must be stored someplace… How would you store them on your own computer? Sometimes a manufacturer or provider wants to store them for you.
What could possibly go wrong????

The prospect of biometrics was failing even in the 80s when fingerprint authentication was a pipe dream, but it was still rather cliche on TV to see a secret agent (or cartel henchman) lose a hand since it’s easier to carry it** than to drag him along.

** quite convenient if the hand was the same one cuffed to the briefcase in the first place; he only lost one hand. Bonus points awarded if the cuff still maintains grip and keeps it dangling from the handle.
