Google biometrics tests show there's no magic pill for passwords
Electronic tattoos and pills that make the body itself a password would create their own unique challenges, security experts warn
By Antone Gonsalves
June 04, 2013 — CSO — While passwords fall short of the tight security businesses would like, the use of electronic tattoos and pills that Google is experimenting with would introduce a new set of problems, experts say.
Regina Dugan, who leads special projects at Google-owned Motorola, disclosed at the All Things Digital conference last week that the company was experimenting with the new forms of biometrics. The technologies are a long way from adoption, but they reflect the boldness with which Google is looking for password alternatives.
Password weaknesses are well documented. Once passwords are stolen from a company's database, hackers have the tools to crack many of them, even when they are encrypted. Users add to the problem by choosing passwords that are easy to decipher, such as "password," "123456" and "12345678," which are among the most popular passwords, according to SplashData's 2012 list.
As alternatives, Google has partnered with company MC10 in experimenting with electronic tattoos, said Dugan, the former head of the Defense Department's Defense Advanced Research Projects Agency (DARPA). Separately, the pill form of authentication would essentially turn a person's whole body into a password.
While praising Google's willingness to experiment at the outer edges of biometrics, experts pointed out Monday that the technologies would create a unique set of challenges. For example, criminals would have to add kidnapping to hacking computer systems in order to get the information they seek.
"Criminals will want to take your body and bring it to their login place or maybe make you login under duress, which is scary," said Mark Risher, chief executive of Impermium, which protects Web sites against account compromises and counterfeit registrations.
To counter such a scenario, another layer of technology would be needed to make the authentication mechanism unusable if the person was under extreme stress.
Another problem would be in transmitting the password. If people using the technology were in close quarters, then the receiving computer could have difficulty separating the right password from the rest, Risher said.
Convenience would certainly be a major plus with tattoos and pills, since the authentication would be automatic and would not require remembering a password. Nevertheless, both biometrics would be far more invasive for the user than using a fingerprint reader, said Eve Maler, an analyst with Forrester Research.
The creepiness of having an electronic tattoo or swallowing a pill to log into websites is likely to turn off most people, Maler said. In addition, it would be difficult to reset the authentication, if the technology was compromised.
Nevertheless, Google deserves credit for pushing the envelope. "Google, unlike a lot of other big companies who are in the authentication game, is organically doing a lot of experimentation, which I think is good," she said.
Last month, Google released a draft of a five-year plan for exploring technologies that could replace passwords. Many of Google's ideas, meant to foster discussion with security pros, tie authentication to mobile phones, cloud-based services and Web browsers.