Using biometrics to replace passwords is supposed to enhance security, but it can also push the boundaries of privacy. Dozens of new personal tech products at the International Consumer Electronics Show (CES) 2014 use biometrics to scan fingerprints, palm prints and irises, utilize facial recognition, eye tracking, voice recognition and even monitor behavior. While there’s nothing inherently evil about biometrics, who controls all the collected personal data? If passwords are replaced with biometric products that use FIDO authentication, that authentication is supposed to be “designed with a core focus on privacy”; all “biometric and/or personally identifiable information (PII) stays local on the user's device and is not shared to the cloud or over the network.”
The FIDO (Fast Identity Online) Alliance, which includes tech companies like Microsoft, Google, BlackBerry, PayPal and many others, intends to show off its members' FIDO-certified authentication products at CES. For a device to be certified as FIDO Ready, it must conform to UAF (Universal Authentication Framework) standards.
“Up until now, everyone thought the smartphone was the key to the cloud, but everyone was wrong. The smartphone is a lock and a very smart lock with lots of sensors,” FIDO member Sebastien Taveau told the Washington Post. “Your human body will be your own key, and you will get an extremely customized experience on your device and feel more comfortable doing more on your device than ever before.”
While we are terrible when it comes to passwords, many companies are equally terrible when it comes to protecting those passwords. Even if you trust a company not to store your biometric data and to keep it local on your smartphone instead, what happens if you lose your smartphone or if it is stolen? Is the mobile device secure, or are your personal biometric identifiers at risk of being stolen? Regardless, we are marching ever closer to the end of passwords and embracing biometrics.
Here are a few of the password-alternative FIDO-certified biometric products on display at CES 2014.
Yubico will show off the YubiKey NEO dongle, which “offers military grade security out-of-the box, with no additional drivers or client software needed.” To authenticate, the user plugs it into a PC USB port, types a PIN or password and “touches YubiKey NEO to confirm that he/she is physically present and is attempting to log in.” For mobile devices, “the user just taps the YubiKey NEO to an NFC enabled smart phone or tablet.”