The perfect password? You’ve put your finger on it

It’s a common occurrence. I grab my iPad, place my thumb on the home key and wait for the main screen to pop up.

And nothing happens.

I often forget my 3-year-old iPad came out before Apple embraced the fingerprint sensor. But it’s a testament to how conditioned I am to unlocking my iPhone 6 with my finger that I expect the same convenience from my tablet. It’s only after a moment that I — slightly embarrassed and annoyed — tap in my passcode.

I doubt I’m alone. Thanks to newer smartphones and tablets from Apple and Samsung, fingerprint sensors have gone mainstream. And in May, Google said it will also support sensors in its Android mobile operating system. It’s easy to see why. These sensors are more convenient than a numeric passcode. They’re also a lot more secure.

A fingerprint is difficult (but not impossible) to steal. And because verification happens right on the tablet or smartphone, your fingerprint information doesn’t travel online, where it could get nicked. Passwords, on the other hand, are the weakest link in almost any security system. Their vulnerability lies, in part, in password overload — a symptom of our logging in to dozens of websites, each requiring a user ID and password.

Experts say each password should be unique. Raise your hand if you use the same password for almost every website you visit. That’s a big problem, because some of those sites have strong security safeguards, others not so much. Hackers who steal passwords from one site can, with a little time and patience, get into the online equivalent of Fort Knox.

But they can’t easily steal your body’s unique biometrics. (Emphasis on “easily,” since skilled hackers can replicate fingerprints from a photo.)

That’s why fingerprint sensors serve as the crux of all new mobile-payment systems.

“Your fingerprint is one of the best passwords in the world,” Dan Riccio, Apple’s head of hardware engineering, says in a 2013 promotional video for the iPhone 5S. “It’s always with you, and no two are exactly alike. So it made perfect sense to create a simple, seamless way to use it as a password.”

Mobile-app makers have been quick to capitalize on Apple’s Touch ID. These include developers of financial apps, like Mint and American Express; shopping apps, such as Rent the Runway and Amazon; and file-sharing apps like Dropbox. By 2019, people will be downloading fingerprint-enabled apps more than 770 million times a year, according to Juniper Research.

The Apple effect

Back in 2004, IBM was the first company to include a built-in fingerprint reader with a PC. Seven years later Motorola was the first to add a sensor to a smartphone. But its sensors weren’t always accurate and required users to swipe their finger — an extra, unnatural gesture that sometimes worked, sometimes didn’t.

Apple’s innovation in 2013 was making fingerprint reading dead simple to use. It did this by placing the sensor beneath the iPhone’s home key and taking advantage of a gesture everyone already uses: resting your finger on the button. That, along with more reliable fingerprint-recognition technology, helped kick biometrics into the mainstream.

“The integration into mobile devices is really a big step forward for overall adoption and trust of the technology,” says Daniel Hays, a consultant for PricewaterhouseCoopers. “Fingerprint scanning is the choice du jour because it’s easy to understand and interact with.”

Samsung added a similar touch sensor in its Galaxy S6 smartphone. Others are expected to roll out fingerprint readers this year and into 2016, says Rick Bergman, CEO of Synaptics, which makes the sensor used in the Galaxy S6. He declined to say who those vendors will be.

Death to passwords

Most tech companies will tell you passwords are lousy at protecting your data. The most commonly used password is “123456,” according to password-management application provider SplashData. The next most popular? “Password.”

Even complicated passwords can be stolen, because they’re stored online. That’s created a booming market on the so-called Dark Web, where hackers buy and sell passwords. And remember, a password pinched from one site will often open dozens more.

That’s why heavy hitters such as Google, Microsoft, Samsung and Visa are banding together to figure out ways to get around the password — with fingerprint recognition a key alternative.

Fingerprint readers, however, aren’t the end-all, be-all of security. They’re not completely accurate. They could potentially accept forged fingerprints. They are only as safe as the security used by your bank, retailer or card company. And, as with everything else, they will eventually be hacked.

But for all the security talk, being able to rest my finger on my iPhone and watch it come to life is good enough — for now.


This story appears in the summer edition of CNET Magazine.
