IBM’s Security team has put together a new report on the Future of Identity. The report looks at how people are reacting to new methods of securing data, and what may happen in the future. The future is a concern considering the continued rise of mobile devices and their increased use over more traditional platforms. Note that this is about how the tools are perceived by users, rather than their effectiveness in securing data and maintaining privacy. It also comes with a pretty infographic (as it is a well-known fact that millennials can’t read long blog posts and reports!).
Use of biometrics
In summary, the report says that 67% of respondents are comfortable with using biometrics today, and 87% would consider using biometric information for authentication in the future. This rise is probably prompted by the recent increase in biometric security in mobile devices. Both Apple and Samsung are leading the way with the move to biometric security on phones, with other manufacturers following suit. Almost all high-end phones now come with fingerprint scanners. Android and iOS have hooks built in to their latest versions to use the scanners and expose them to applications.
Use of passwords
There is an interesting split highlighted between the behaviour of older respondents compared to the millennial generation. Some of the numbers are not that different but indicate trends in usage. We should consider how security is used, as opposed to its proper implementation, particularly in applications. For example, millennials don’t see passwords as “the” way of proving identity, with a higher percentage using less complex passwords and fewer “unique” passwords overall. Similarly, millennials are more likely to use password managers and biometrics to prove who they are.
If used properly, password managers can ensure a complex password, protecting data within applications. But constantly going to another application to retrieve a password means that the more frequently used apps end up with a memorable password. This could explain the drop in complexity and fewer “unique” passwords. It remains to be seen if the applications protected with easily remembered passwords are banking apps or social media accounts. Perhaps this question is answered later on in the report; let’s keep reading.
What’s the most secure?
There is a split in the way that people view the relative security of various methods of proving identity. More are focusing on methods we take with us, such as fingerprints and our eyes (retina or iris scans), with fewer concentrated on passwords and PINs as the most secure method. However, recent announcements mean only 12% believe this is the most secure method of proving your identity. Examples are stories about how Windows Hello facial recognition can be fooled with photographs, or iPhone X Face ID fooled by an “evil twin” mask, even if we nearly always take our face with us, along with our eyes and fingerprints.
There is always the argument that you can’t rescind biometrics, so folks can “be you” by borrowing the requisite body part. Similarly, your physical presence could be used to open an account by force, whereas revealing a password requires an act (or lack) of will on your part. (Imagine being forced to have a finger pressed against a sensor, compared to what you think you might withstand to reveal passwords. But that’s an entirely different argument to what is covered in the report.)
Trusted keepers of identity data
Regarding protection of the information provided, society’s current trust models continue, with banks being the most trusted with protecting our biometric data, while social media companies are least trusted. This might not matter now, but with the future use of blockchain digital identities, it makes sense to have biometric information and your identity linked by someone you and others can trust. But are banks ready to be security and identity verifiers, as well as managing our financial transactions? Currently, I think not. But then the requirement for this is not entirely developed either. It does pose an interesting question, though, if governments are not the most trusted holders of identity, given the number of times we need to prove who we are to them.
Convenience over security?
We get the answer to our previous question in the next element, which looks at the balance of convenience, security and privacy across a range of application categories. Unsurprisingly, we place the most value on apps that deal with our core financial information, and are happy to lower the convenience to increase security. Conversely, at the other end of the spectrum, social media apps are about living in the moment, and convenience outweighs security here.
What does the future hold?
In launching the report, IBM’s press release has the following quote from Limor Kessem. (IBM Future of Identity Study: Millennials Poised to Disrupt Authentication Landscape)
“In the wake of countless data breaches of highly sensitive personal data, there’s no longer any doubt that the very information we’ve used to prove our identities online in the past is now a shared secret in the hands of hackers. As consumers are acknowledging the inadequacy of passwords and placing increased priority on security, the time is ripe to adopt more advanced methods that prove identity on multiple levels and can be adapted based on behavior and risk.” – Limor Kessem, Executive Security Advisor, IBM Security
What is certain is that the reliance on passwords as the only way of securing data is reducing, and the rise of biometrics is upon us. Please register your fingerprint below to comment.