In a world full of electronic systems, there is a need to prevent unauthorized users from accessing protected data. Various methods of authentication are used, passwords being the most ubiquitous.
Authors: Abdelwakil Bouljoub and Aki Vainio
What is the problem with traditional passwords?
Traditional passwords are sequences of characters. Various organizations have their own guidelines and rules, often based on earlier recommendations from NIST, which have since been completely redone (Grassi, et al. 2017). However, passwords are problematic. Passwords that follow the official guidelines are often hard to remember, and users avoid these memory issues either by not following the guidelines or by finding the most trivial way to follow them, which leaves their passwords weak (Munroe 2011). Such passwords are hard for the user, but easy to break with the ever-advancing technology we have access to (Munroe 2011).
As passwords continue to present problems, many organizations are trying to move away from them. For instance, W3C (World Wide Web Consortium), in collaboration with FIDO Alliance, finalized a web standard for what they called Passwordless Logins, which lets browsers offer users other options for logging into their accounts (W3C 2019). FIDO Alliance is an industry association that aims to develop authentication standards and counts many of the leading technology companies in the world among its members. FIDO recommends the use of alternative authentication methods, such as biometrics.
The trend to abolish the use of passwords has commercial implications. Integrating biometrics or other authentication methods into systems requires new software and often hardware components. (Bouljoub 2019.)
What are biometrics and how are they used for authentication?
Biometrics refers to information about someone’s body. Biometrics are used in many domains, such as forensic science and crime investigations, but with the advance of technology, repeatable biometric features can also be extracted and used for biometric-based authentication.
In fact, we have many features in our bodies that differentiate us from each other. The Biometrics Institute, an independent non-profit organization, has categorized biometrics as illustrated in figure 1.
Figure 1. Biometrics types (compiled from Biometrics Institute 2019)
Apple, for example, introduced the Face ID feature in iPhone X (Schiller 2017). It gives the user the option to unlock the phone by using face recognition. At the same time, Samsung used a similar feature on Galaxy Note 8, and in addition, Samsung added an iris recognition feature as well (Samsung 2019). Many other companies are using different types of biometrics to provide solutions in plenty of domains, such as security surveillance.
Not all biometrics have been proven to be unique from one person to another. The idea of the uniqueness of biometrics is based in most cases on the low probability that two different individuals have similar biometric information. Joanna Stern, a columnist at the Wall Street Journal, tried the face recognition feature in iPhone X with identical twins, and the system failed to distinguish between them (Stern 2017).
Biometrics are problematic
Most of the reviews that have been conducted on the topic of biometrics look at which solution is most secure against hacking attempts, but simply being secure is not enough. Using biometrics presents its own set of problems.
The data used in biometrics can be used for other purposes as well. In China, for example, biometric data is being used by law enforcement, which raises a serious concern about user privacy. Many people are not sure whether the biometric data collected by companies is stored safely and will not be used for other purposes.
The second reason is related to the fact that biometrics are unchangeable. Although this could be considered an advantage, because a user doesn’t need to remember any specific information when using biometric-based authentication, it is also a big disadvantage if something happens to the integrity of the stored data, which could render a certain biometric useless.
The exposed nature of biometrics is another issue, especially for the most used ones. For instance, the face, eyes and fingerprints are almost public to others, and it could be a burden to protect them from copying or forging. It is true that Apple claims that its Face ID feature is strong enough against attempts to use a person’s image or even a 3D-printed copy of a person’s face, but the feature can’t tell whether the user is intentionally scanning their own face in order to unlock the phone or whether someone else is doing that under certain circumstances. (Fysi Tech 2017.)
There is also the question of practicality. No one wants to conduct a DNA or gait analysis each time they log in to their phone.
Signatures as an authentication method
The methods for using signatures for authentication are still being developed, but signatures are one possible solution for the various challenges. What makes a signature-based method strong is not only the visible result, but the actual measurable habit of writing that signature, including the rhythm and pressure applied while writing, which are impossible to replicate (Huber & Headrick 1999).
The signature doesn’t invade user privacy. A signature doesn’t reveal whether the person is male, female, young, old or of a specific ethnicity. That minimizes the chance of the signature being used as a tool to track individuals using biometric information provided by themselves (for example, Xie 2019).
A signature used for the authentication is stored in the same manner as the data for other biometrics methods. However, a person could change the appearance of the signature whenever the stored one becomes compromised.
In contrast to other biometric types, a signature is an act that requires intention and a conscious effort from the person. It is not possible to get a person’s signature without that person being informed. The reason why signatures are not used widely as a method of authentication could be related to usability. For example, biometrics such as fingerprints are better suited to smartphone usage. Unlocking a phone by signature might take longer than unlocking it with a face recognition feature. In many cases, using signatures also requires dedicated hardware.
No one can steal a signature, your signature is with you everywhere and, in contrast to other biometric methods, a signature doesn’t require you to take a selfie each time you want to check your notifications. Furthermore, biometrics and recognition methods are an active research field that is evolving rapidly, and they have many advantages that encourage their use in several aspects of our daily life to improve security and reduce the threats to data security that are becoming a serious issue.
References
Biometrics Institute. 2019. Types of Biometrics. [cited 11 Jun 2019]. Available at: https://www.biometricsinstitute.org/what-is-biometrics/types-of-biometrics/
Bouljoub, A. 2019. Electronic signature for authentication. Bachelor’s thesis. Lahti University of Applied Sciences, Faculty of Business and Hospitality. Lahti. [cited 14 Jun 2019]. Available at: http://urn.fi/URN:NBN:fi:amk-2019060515037
Fysi Tech. 2017. iPhone x FACE ID Experimental Video While Sleeping. [cited 11 Jun 2019]. Available at: https://www.youtube.com/watch?v=Ms7wLX2h9ec
Grassi, P., Fenton, J., Newton, E., Perlner, R., Regenscheid, A., Burr, W., Richer, J., Lefkovitz, N., Danker, J., Choong, Y.-Y., Greene, K. & Theofanos, M. 2017. NIST Special Publication 800-63B – Digital Identity Guidelines. NIST. [cited 11 Jun 2019]. Available at: https://pages.nist.gov/800-63-3/sp800-63b.html
Huber, R. & Headrick, A. 1999. Handwriting Identification: Facts and Fundamentals. CRC Press LLC. Boca Raton. USA.
Munroe, R. 2011. Password Strength. XKCD. [cited 11 Jun 2019]. Available at: https://xkcd.com/936/
Samsung. 2019. Security. [cited 11 Jun 2019]. Available at: https://www.samsung.com/global/galaxy/galaxy-s8/security/
Schiller, P. 2017. Face ID on iPhone X. Video. [cited 5 Jun 2019]. Available at: https://www.youtube.com/watch?v=z-t1h0Y8vuM
Stern, J. 2017. iPhone X Review: Testing (and Tricking) FaceID. Wall Street Journal. Video. [cited 5 Jun 2019]. Available at: https://www.youtube.com/watch?v=FhbMLmsCax0
W3C. 2019. W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins. [cited 11 Jun 2019]. Available at: https://www.w3.org/2019/03/pressrelease-webauthn-rec.html
Xie, E. 2019. China working on data privacy law but enforcement is a stumbling block. South China Morning Post. [cited 14 Jun 2019]. Available at: https://www.scmp.com/news/china/politics/article/3008844/china-working-data-privacy-law-enforcement-stumbling-block
Abdelwakil Bouljoub is close to the end of his bachelor’s studies in Business Information Technology at Lahti University of Applied Sciences.
Aki Vainio is a senior lecturer of Information Technology at Lahti University of Applied Sciences.
Illustration: https://pxhere.com/en/photo/1440395 (CC0)
Reference to this publication
Bouljoub, A. & Vainio, A. 2019. Using a signature instead of a password. LAMK Pro. [Cited and date of citation]. Available at: http://www.lamkpub.fi/2019/06/17/using-a-signature-instead-of-a-password/