In my recent End of Year Security Overview, I mentioned that one trend that’s finally gaining traction – after many years of all talk and no action – is a move away from the traditional username/password authentication scheme to alternative ways of verifying the identities of users.

Pattern recognition, whether that be the patterns created by the loops and whorls of fingerprints, those that make up the features of a face, or a pattern that we “draw” on a photo or grid, is the hottest new method of proving to a computer, network or web site that you are who you claim to be. Here’s a look at how that trend is starting to come into its own, and where we can expect it to go in the next year.

A few years back, phones and tablets started offering a new way to log on, by drawing a pattern that connects dots in a grid on the screen. You could make your pattern as simple or complex as you wanted, then you repeated it to unlock the device. Windows RT and Windows 8 introduced the “picture password,” whereby you choose a photo and then use gestures to draw shapes or tap specific areas of the picture in the right order to log on. For example, you might set it up so that to unlock the OS, on a photo of your three children you have to tap the left eye of your oldest, draw a circle around the head of your middle child and tap the right hand of the youngest.

When you think about how we have always identified people in the “real world,” it’s really all about patterns. Facial patterns, voice patterns, gestures, gait, etc. – that’s how we know the guy who just walked into the room is Bob, not George. Even with identical twins who look practically the same, those who know them well can (usually) distinguish between them because one might have a unique walk, or talk a little faster, or exhibit other subtle behavioral patterns that the other doesn’t.

When we want to get more serious about identity, we look at physiological patterns that can’t be changed and are much harder to fake: fingerprints, iris or retinal patterns, facial features, or even the shape of your ear or the geometry of your hand. Of course, DNA is one of the most definitive. Other patterns that can be analyzed with more or less reliability to identify persons include handwriting, typing cadence, and speaking patterns.

Even the venerable and much-maligned password is, in essence, a pattern of alphabetic, numeric and symbol characters typed in a particular order. However, as we all know, a password is a very easy pattern for someone else to duplicate: it is a shared secret, so anyone who learns it (through phishing, a breached database, or reuse across sites) can simply replay it. That’s why the password is regarded as a less secure means of identification and the reason, in an era when we all have sensitive information stored on computers and passing across networks, that alternative means of authenticating identity are being implemented.

Fingerprint readers have been around for a long time, with the fingerprinting of criminals beginning in the 1800s. Fingerprint recognition started to become an automated process in the 1960s but was still used primarily in law enforcement. Today it’s commonplace as a login option on high-end smartphones.

Fingerprint readers have been available as add-on peripherals for computers for well over a decade. IBM introduced one of the first laptops with a built-in fingerprint scanner in 2004, the ThinkPad T42. Biometrics were supported in Windows XP through vendor software, and Microsoft introduced the Windows Biometric Framework (WBF) in Windows 7, but using it was still dependent on third-party enrolment software and drivers. Although quite a few computer makers offered fingerprint scanners in their hardware, it didn’t really catch on for a long time.

One reason was unreliability. I do use fingerprint authentication on my current phone and it works pretty well. On the previous model, I gave up on it because it so often didn’t recognize my print when I swiped it. I found that if my finger was the least bit moist, or if the weather was cold, I got a “No Match” error. I loved the idea of biometrics and the practicality of a quick swipe vs. typing in a password on a small phone keyboard, but it only recently became useable enough for me to depend on it.

When I got my Surface Pro 4 and bought a new keyboard for it, I opted for the more expensive model that has the built-in print scanner. I really like this system because instead of swiping, you simply press your finger pad onto the little scanner screen. I’ve rarely had a failure to recognize with this. However, not long after I got familiar with the new Surface, I found myself rarely ever using the fingerprint logon feature. Why? Because it has something even better.

Hello, Windows. The new Windows Hello feature in Windows 10 encompasses three different types of biometric authentication for logging onto Windows: fingerprint recognition, iris recognition or facial recognition. As nicely as the fingerprint recognition works, you still have to take the time to press your finger to the pad. The first time I used the facial recognition option, I was hooked. I open up my Surface, look at the screen, the built-in camera looks back and “sees” me, sees that it’s me, and I’m in. Tedious typing of passwords is a thing of the past.

I’ve been using it for a couple of months and I’m still amazed at how fast and accurate it is. Whether I have my hair down or pulled up, whether I’m wearing my glasses or not, “Hello” knows it’s me. But let my daughter or my husband be the one looking at it and it says “Couldn’t recognize you. Sign in with your PIN.” I can make it do the same thing by putting on a mask or distorting my face – then I straighten it out and pop! There’s the desktop.

If you’re not sitting close enough or your head is turned sideways, you’ll see the little “eye” searching around for you, and it will even tell you to move closer to the camera or to look straight at the camera. It has an infrared sensor so it even works in the dark. It’s pretty cool – and a little bit scary. Considering just how good that camera is, you might want to do what I do and keep a sticky note over the camera after you get logged on. It’s simple enough to slip it over the curious little eye(s) so that just in case a hacker took remote control of the system and camera, he wouldn’t be able to watch what you’re doing.

Setup of Hello facial recognition is easy, and – at least for me on the Surface Pro 4 – it works flawlessly.  But how secure is it, really? Can it be fooled? Probably, if you put enough effort into it, but I tried holding a high def head shot of myself on my tablet up to it and that didn’t work, and also tried a print picture and it was having none of that, either. 

So what’s the catch? Well, Windows Hello doesn’t work with just any hardware. You can’t just install Windows 10 on your old computer and start logging in with your face: facial recognition requires a camera with infrared illumination, and an ordinary RGB webcam is not accepted. My Surface is obviously optimized for it and has the special camera and infrared illuminator. There are third-party devices that have the cameras built in, and Tobii, a company that makes eye-tracking technology, supports Windows Hello with its standalone cameras. If this becomes a popular substitute for password logon (and it should), we will undoubtedly see more companies getting into the act.

Probably the biggest obstacle to Windows Hello adoption – other than privacy issues some may have with the camera’s constant “searching” for you – is the simple fact that many users won’t even know it’s an option unless they get curious and start poking around in the sign-in settings in Windows 10 (Settings > Accounts > Sign-in options). The biometric logon methods are never on by default: you first have to set up a PIN, which remains the fallback, and then explicitly enroll your face or fingerprint.
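For an administrator who wants to know whether a fleet of Windows 10 machines can actually use Hello biometrics, and whether the photo-resistance discussed above is being enforced rather than left to the device default, the check can be scripted. The following PowerShell is an added example written for this page, not code from Microsoft or from the original post. It assumes an elevated session on Windows 10, that biometric hardware is enumerated under the PnP device class `Biometric`, that the Windows Biometric Service is named `WbioSrvc`, and that the two registry paths match the “Allow the use of biometrics” and “Configure enhanced anti-spoofing” Group Policy settings; it reads status and, in the second function, only sets the anti-spoofing policy, so it enrolls nothing.

```powershell
# Added example (not from the original post): inventory Windows Hello biometric
# readiness and the anti-spoofing policy on a Windows 10 machine.
# Assumptions: elevated PowerShell; Windows 10; the policy registry paths below
# correspond to the "Allow the use of biometrics" and "Configure enhanced
# anti-spoofing" Group Policy settings.

function Get-HelloBiometricStatus {
    [CmdletBinding()]
    param()

    # 1. Hardware: fingerprint readers and Hello-capable IR cameras show up in
    #    the "Biometric" PnP class. A plain webcam does not, so an empty list
    #    means no Hello biometrics regardless of what the settings say.
    $devices = Get-PnpDevice -Class Biometric -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'OK' } |
        Select-Object -ExpandProperty FriendlyName

    # 2. Service: WbioSrvc (Windows Biometric Service) handles enrollment
    #    and matching; if it is missing or disabled, Hello cannot use biometrics.
    $svc = Get-Service -Name WbioSrvc -ErrorAction SilentlyContinue
    $svcState = if ($svc) { $svc.Status.ToString() } else { 'missing' }

    # 3. Policy: Biometrics\Enabled = 0 blocks biometric sign-in machine-wide.
    #    An absent value means "not configured", which allows it.
    $bioPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics' `
        -Name Enabled -ErrorAction SilentlyContinue
    $allowed = if ($null -eq $bioPolicy) { 'not configured (allowed)' }
               elseif ($bioPolicy.Enabled -eq 1) { 'allowed' }
               else { 'blocked by policy' }

    # 4. Anti-spoofing: EnhancedAntiSpoofing = 1 requires the enhanced liveness
    #    check for face sign-in on cameras that support it, instead of leaving
    #    it to the device default. This is the setting that governs whether a
    #    printed photo or a phone screen is rejected consistently.
    $spoofPolicy = Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures' `
        -Name EnhancedAntiSpoofing -ErrorAction SilentlyContinue
    $antiSpoof = if ($null -eq $spoofPolicy) { 'not configured (device default)' }
                 elseif ($spoofPolicy.EnhancedAntiSpoofing -eq 1) { 'required' }
                 else { 'off' }

    [pscustomobject]@{
        BiometricDevices      = @($devices)
        BiometricService      = $svcState
        BiometricsAllowed     = $allowed
        EnhancedAntiSpoofing  = $antiSpoof
    }
}

function Enable-HelloEnhancedAntiSpoofing {
    # Turn on "Configure enhanced anti-spoofing" so that face sign-in must pass
    # the enhanced liveness check. Requires an elevated session; applies to
    # subsequent sign-ins.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name EnhancedAntiSpoofing -Value 1 -Type DWord
}

# Usage: report the current state; uncomment the second line to enforce
# anti-spoofing on this machine.
Get-HelloBiometricStatus | Format-List
# Enable-HelloEnhancedAntiSpoofing
```

Run the status function before rolling Hello out: a machine that reports no `Biometric` devices will still show the Hello options in Settings as unavailable, and a machine with `EnhancedAntiSpoofing` left at the device default is relying on whatever the camera vendor shipped rather than on a policy you control.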

Here’s a caveat, though: Windows Hello’s facial recognition is so good that it will almost certainly sometimes log you in when you aren’t wanting to log on. It can “see” you at surprising distances and angles. That could cause problems if someone else is looking over your shoulder and you had something on the screen that you didn’t want them to see. My solution is the tactic I already mentioned: Keep the cameras covered with a sticky note until you want to use them.  It will keep looking for you in vain until you remove the piece of paper.

What if you have the opposite problem? Maybe you change your looks drastically and Hello doesn’t know who you are? You can have both fingerprint and facial recognition set up so that if Hello can’t figure out who you are when it sees you, all you have to do is press a fingertip to the reader – and the PIN you set up during enrollment is always there as a last resort.

It may take a while, but I think once people start to experience the convenience of logging in with Windows Hello, we’ll see this trend start to pick up speed. And as we say hello to alternative authentication methods, we can finally say goodbye to passwords.