Tech Alternatives To Passwords Could Help Thwart Hackers
DAVID GREENE, HOST:
In the tech world, headlines all week have been screaming about bleeding hearts because a bug called Heartbleed has punched a hole in one of the most popular encryption programs online. The upshot here - a clever hacker can easily get hold of our user names and passwords. For this reason, many security professionals are recommending that we all change our passwords on Facebook, Gmail, Yahoo, banking websites, you name it. And I'm worried this means we're going to need to have different passwords for every single site.
To help guide us through this, we're joined by our colleague Steve Henn from Silicon Valley. Good morning, Steve.
STEVE HENN, BYLINE: Good morning.
GREENE: So is the upshot here that I have to start thinking and remembering all these alphanumeric combinations and be setting up different passwords for everything?
HENN: Well, you know, the honest truth is that you probably won't. And most people listening probably aren't going to go and reset all of their passwords. And lots of us don't make different passwords for all of our sites. And there's actually a school of thought among some security professionals that that's OK because we're not handling launch codes.
GREENE: That's a good thing. It's a really good thing.
HENN: Right. And, you know, Google and your bank are good at identifying weird, possibly fraudulent behavior. So if you log in from a strange city you might get asked a few other questions. And they sort of bake that into the cost of doing business.
GREENE: But clearly I don't want to have the same password for dozens of sites and I have trouble remembering them all the time. Are there other options out there for security other than passwords?
HENN: Well, yeah. I mean, it's pretty obvious this system doesn't work well for consumers. So there are lots of people working on it. And the ideas range from sort of the mundane to the kind of bat nut crazy. I mean, you've probably seen sites that offer to be your password manager and, you know, you give them all your passwords and then you have one password for that site and they sign you in.
Some security people I've talked to are a little uneasy about that because they say you're putting all your eggs in one basket and if that place gets hacked you're out of luck.
GREENE: Someone has all your passwords.
HENN: Right. Yeah. And the crazier ideas I've seen: Google is messing around with a pill you'd actually swallow.
HENN: That would send out a little unique identifier to your phone or computer letting it know it was really you. That's, you know, kind of gross. And I have questions about whether or not someone could steal your pills. But there are some things that have to do with biometric information that are really intriguing.
GREENE: Biometrics meaning things like using my body. I mean, a fingerprint on mobile devices.
HENN: Right. Yeah. So you've probably tried the fingerprint scan on the iPhone 5S, and sometimes that stuff doesn't work and that's one of the problems with biometrics. Your face isn't always going to look the same. The sample of your fingerprint always isn't going to be the same. The other thing is if someone steals a biometric code - it's not like you can change your fingerprint. So you're sort of out of luck.
So one of the technologies I find really intriguing is voice biometrics because it's dynamic. A computer can recognize whether or not your voice is the voice it's hearing, but they could also ask you to say different things.
GREENE: Well, how does that work?
HENN: Well, I have some tape. I visited Doug Sharp. He's the head of research at Nuance, which does voice recognition. And he showed me an app that he could train in about 30 seconds to recognize his own voice.
COMPUTER: Please say your pass phrase.
DOUG SHARP: My voice is my password.
COMPUTER: Welcome back, Doug.
HENN: All right. Now let's see if I can imitate your voice.
COMPUTER: Please say your pass phrase.
HENN: My voice is my password. So I was trying to trick it by mimicking his voice.
COMPUTER: Can you say your pass phrase a little slower?
HENN: I kept trying but I could never get in.
GREENE: Which is a good thing. It means this thing was working.
HENN: Right. And then we tried training it to my voice and Sharp couldn't get in. And Sharp actually says this app can actually even recognize when it's listening to a recording.
GREENE: Oh, wow.
HENN: And the thing that makes it really intriguing to me is that you don't have to say a specific phrase. So there's a bank in Great Britain that's actually been using this technology on its customer service lines. So if you were to call that bank and say you forgot your PIN number, the customer service rep would just chat you up and a light on his or her screen would go from red to yellow to green as the computer verified that it was actually you on the other end of the line.
GREENE: What if I have laryngitis or I'm just really tired?
HENN: Right. Well, that's the problem with any of these kinds of biometrics and unfortunately, it's going to need a backup in that situation. And right now the most common backup is still going to be a password or a PIN number.
GREENE: All right. Steve Henn is NPR's technology correspondent. Thanks, Steve.
HENN: My pleasure.