The Washington PostDemocracy Dies in Darkness

We know the password system is broken. So what’s next?

Apple CEO Tim Cook introduces the new Apple Pay product in Cupertino, Calif. (AP Photo/Marcio Jose Sanchez)

A second round of sensitive celebrity pictures -- presumably from the same trove of photos taken earlier in targeted attacks on iCloud accounts -- hit the Web over the weekend, reminding us yet again about how quickly the line between public and private can be breached. The leaks, revealed earlier this month, made consumers and analysts wary about how much data we store in our online accounts and prompted many of us to ask: Can companies do more to protect me?

For all the talk about clouds and encryption, the weakest link in securing data is really the password system itself. As many, many people have said over the past few years, the password system itself is broken. The system places too much demand on the memories and patience of people who aren't trained to think about computer security all day. Even when companies offer advanced options -- such as two-factor authentication, which sends people a second, onetime-use code to add to their log-in information -- many don't use it because it makes an already annoying process even more complicated.

The point is not lost on technology companies, who are chipping away at methods to make it easier for users to sign into accounts by using their fingerprints, voices or faces, so that they won't have to memorize a million different passwords. Most of these options are centered on the smartphone, since that's increasingly the most common device people use. But as promising as some of these solutions are, they also carry their own problems.

"Consumers should not always believe all of the hype about biometrics," said Tony Lee, a principal security consultant for the security firm FireEye. "There are varying levels of security in the products. For example, the facial recognition hardware and software contained on a laptop or phone will not be as robust as one that protects a bank vault. However, that laptop or phone may possess some very valuable and important information."

Fingerprint recognition

Lorrie Cranor, a professor at Carnegie Mellon University focused on privacy, security and usability, pointed to fingerprint authentication as one way that companies such as Apple and Samsung are working on that problem. "The notion of the fingerprint authentication is simple. People get it," she said. "Is it the most secure? That doesn't so much matter [to consumers]. People get it, and so it does win as far as simplicity and usability for locking and unlocking cellphones."

There's no doubt it's simpler for users to press or swipe a finger over a sensor in a phone then to type in a password. But that requires some upfront investment from device makers to put the sensors in, as well as some backend work to make sure that there are partners who will support the fingerprint data being scanned. Apple and Samsung, for example, worked out deals with banks and services such as PayPal so that those who use these services have the option to scan their fingerprints to confirm purchases. Otherwise, there's little point to it. If Apple hadn't worked out deals with all of the major credit card firms and many major banks, who would consider using Apple Pay?

There are also still lingering security concerns about fingerprints -- even though they can't be changed like a password can.  Sen. Al Franken (D-Minn.) has asked both Apple and Samsung to outline how they plan to keep fingerprint data safe. (In both cases, the companies don't store fingerprint images on your phone, but rather a mathematical model that stays encrypted on the device.) And data fears aside, there's also the chance of having your fingerprints copied: determined hackers can lift your fingerprint and make a fake with something as simple as a gummy bear, Lee noted.

Voice recognition

Voice recognition is not  a new technology.  But in terms of consumer applications, there really aren't that many places that use voice recognition as a way to sign in. It is expanding, thought. In Britain, Barclays has laid out plans to include technology from Nuance, a leading voice and speech recognition firm, as part of its normal security protocols. In 2013, the company gave users of some of its services the option to use voice recognition rather than answer the standard security questions that normally accompany sign-in; the method earned high ratings from those early users, according to the Telegraph.

The main question about the security of voice recognition, of course, is how banks or other people looking to verify information can distinguish between a person talking and a recording of that person talking. One way companies get around this is by having you repeat your pass phrase multiple times to check for small changes in your voice. Or, they just ask you to have a short conversation with a call center agent.

Here, too, the main holdup may be in getting partnerships lined up. Voice recognition is resource-intensive, especially if consumers opt to be verified by chatting with a consumer service representative. Even if consumers are just repeating a phrase, however, that still requires companies to set up a way to compress and send the audio to servers hundreds (perhaps  thousands) of miles away for verification.

Facial recognition

Several companies have also looked into facial recognition as an authentication option for unlocking cellphones: Turn on the camera, have the phone read your face, and -- presto! -- you're in. Here, too, there are some obvious questions. How can my phone or tablet know that image it sees is me and not just a picture of me? That's, in fact, exactly how one blogger cracked the security on Google's  Android operating system in 2011. Google acknowledges that facial recognition is not as secure as other methods. (You may also find that your company's IT department has disabled the option on your phone, if you use it for work.)

Facial recognition has also raised privacy concerns in a way that other forms of identification haven't, perhaps because people are not comfortable with the idea of companies having databases of people's faces on file. The growing interest in using facial recognition data, however, has prompted the Obama administration to hold several meetings about how to protect and regulate the storage of facial recognition data; there are currently no laws that deal specifically with the use and sale of facial recognition data.

Representatives from the Electronic Privacy and Information Center outlined some of their concerns in a letter to the Commerce Department earlier this year. "Ubiquitous and near-effortless identification eliminates our ability to control our identities," the letter said. "It also degrades an essential aspect of personal security by undermining our ability to know under what circumstances others are seeking access to our identity and to make a determination as to whether to reveal our actual identity. Additionally, there are privacy and security concerns associated with the collection, use, and storage of facial geometry measurements used for identification."

Right now, all of these methods -- fingerprint, voice and facial recognition -- are mostly being used as secondary identification, which means that consumers still have to keep track of many primary passwords. There may come a day when people can use just biometrics to log-in to a phone or a service. But Lee says that day is still a ways off.

"One would hope that we are beyond the days of using photos to fool facial recognition software and gummy bear thumbprints to fool fingerprint scanners," Lee said. "However, there are always new companies and new products being introduced to the market.  Thus, both the manufacturers and the consumers need to do their due diligence by maintaining a skeptical eye."