The Future of Passwords Isn’t Just Biometric, It’s Behavioral

Even fingerprints and eyeballs can be hacked. Replicating interactions, however, is nearly impossible.


Motivated, no doubt, by the rash of large-scale online security breaches in recent years, companies like Apple and Google have attempted to move security into a post-password world with features like fingerprint or iris recognition. Biometric technology represents a vast improvement over strings of letters and numbers, but the future’s most secure passwords will likely also be behavioral. Our bodies, it turns out, are easier to imitate than our actions. The two things in concert, well, that’s what makes us recognizable to each other and will soon be what makes us recognizable to our phones and computers.

The post-password world was championed by no less than Regina Dugan, head of Google’s Advanced Technologies and Projects Group, in a keynote address earlier this year. The authentication revolution, she said, will achieve peak security by capitalizing not only on our physical uniqueness but also unique behaviors.

These are the actions that will become your de facto password:


Fingerprints, the quintessential personal ID, are less replicable than the average string of alphanumerics, which is why devices from the iPhone to the Lenovo ThinkPad are equipped with fingerprint scanners. Still, scanners can be beaten. Last year, German hacker Jan Krissler, alias Starbug, hacked an iPhone 6 using a thumbprint generated from photos of a person’s hands. Taking the speed, pressure, and rhythm a person uses as they swipe and type into account will add an additional layer of security and make remote hacking far more difficult.


There’s an episode of Archer where Sterling tricks his colleague Cyril into unlocking a voice-protected security system by forcing him to repeat his name — the password — over speakerphone. While Archer’s hack illustrates one of the potential pitfalls of the speech-based security system, it also emphasizes one of the points Dugan made in her keynote address: Security comes down not to “what you say,” she says, “But how you say it.”

In addition to carrying a baseline acoustic “voiceprint,” the human voice carries information about variables like cadence, accent, and emotional state, all of which make hacking more difficult as long as authentication rests on the characteristics of speech and not simply on a spoken password, which could easily be replicated mechanically. Earlier this year, researchers from the University of Alabama, reporting on the ability of automated voice systems to fool both humans and machines, suggested that the ultimate defense would require detection of “the live presence of a speaker.”


MasterCard recently began rolling out its IdentityCheck system, which allows users to verify their purchases with a selfie rather than a signature. Still, a mere photo won’t suffice: Faces can be replicated even more easily than fingerprints and voices. In addition to recognizing your face, systems like IdentityCheck also require users to blink — verifying that you’re actually there.


The motion sensors and accelerometers on smartphones are often overlooked as security devices, but even macro-scale movements — like gait or speed — are potential identifying factors. By analyzing a person’s walk, a phone could determine whether it was in its rightful owner’s pocket without requiring them to actively authenticate.

Related Tags