Wednesday, April 8, 2026

AI Is Breaking Passwords, and the Alternatives Are Getting Pretty Weird

Your next password could be your heartbeat—or maybe even the way you breathe. As hackers get better and better at cracking traditional passwords (by exploiting lazy consumer habits and technical advances such as artificial intelligence), researchers are searching for new methods to protect sensitive data. The tech industry has been trying to nudge users to other data protection methods for years—and some of those methods have been unusual, to put it mildly.

Take, for example, the latest alternative authentication method, which was developed last year by researchers at Rutgers University. VitalID is a new spin on biometric protection, utilizing unique vibration patterns from breathing and heartbeats that resonate through the skull to identify you. Differences in people’s bone structure and facial tissues make the harmonics as distinctive as a fingerprint, researchers said in a paper outlining the proposed authentication method, which was envisioned for extended reality headsets. “Traditional security mechanisms—such as passwords, PIN codes, and conventional biometric systems—proved increasingly incompatible with immersive interfaces,” the researchers write.

The average person is responsible for roughly 170 passwords, according to password manager company NordPass. That’s why, in part, people tend to reuse the codes—and it’s why hackers have been increasingly effective at gaining access to people’s information, in attacks on both corporate and personal systems.

Biometrics have shown some promise. Mobile users are quite familiar with Face ID and pressing their thumb to the screen to prove they’re the rightful owner of the device. Fingerprint logins started to go mainstream in 2013, and face scanning began to rise in popularity in 2017. Voice recognition seemed like it would be an effective tool, but recent technology advances have sidelined that.

“Now that AI can clone a voice from a few seconds of audio, it’s not reliable,” said Karolis Arbaciauskas, head of product at NordPass.

Rutgers’ unusual approach to security is far from the first strange way of securing user authentication. Attempts to do away with passwords have taken several different forms over the years. Here are some of the most unique:

Password pill: While Apple was launching Touch ID in 2013, Motorola pursued a different authentication method. The company prototyped a small authentication pill that was designed to be powered by stomach acid. When swallowed with a glass of water, it would produce an 18-bit ECG-like signal that made your body the authentication token. As you might guess, this was seen as a pretty creepy way to guard your data, and it never made it out of the prototype phase.

Tattoo: Motorola showcased a temporary tattoo that same year that could be used for authentication, but that method was met with the same privacy concerns as the pill.

Body odor: As an offshoot of biometric authentication, some researchers have experimented with using a person’s unique chemical scent to confirm their identity. (Some of those same groups also studied things like the shape of your ear and your gait as identifiers.) These have fallen short of mainstream acceptance as people don’t really want to use their funk as an identification, and the sensors have not proved to be as reliable as other methods.

Lip-reading: This technology actually works, focusing on the unique way people mouth specific words or phrases. It’s used more frequently as a discovery tool, though, such as discovering what someone is saying in video footage that has no audio. Most consumers have not shown a real willingness to mouth a passphrase to their PC or phone.

Heartbeat recognition: This biometric authentication method has caught the eye of NASA. Like fingerprints, no two ECG patterns are the same, so by wearing an experimental band, you can verify your identity. This actually made it to market in the form of the Nymi Band, but it remains too costly at the moment for mass-market adoption.

While research on fringe identification methods is likely to continue, the most promising data protection advance these days is the passkey. This authentication method generates a pair of keys: one public, which is stored on the cloud, and one private, which is stored on the device. That means that if the cloud server is compromised by hackers, accounts are still protected, as the hacker won’t have both sets of keys. In essence, the passkey you enter on your phone or via your face scan/fingerprint is one half of what’s necessary to get access. The other is stored elsewhere. For a hacker to crack both, they would need to have your phone and to hack the server, making breaches more difficult.

While many major sites support passkey technology, it’s still far from universal. (And hackers have a way of catching up, which is why researchers are still looking at other methods, like biometrics. Especially as new technology appears close to breaking encryption.)

“It’s no surprise that there have been and still are many attempts to free us from passwords and remembering them,” says Arbaciauskas. “But for now, there is no universally practical way to live without passwords—especially since not all websites and platforms support passkeys yet.”

BY CHRIS MORRIS @MORRISATLARGE
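
The key-pair split described in the passkey paragraph above, as an added example that is not part of the original article. It uses Node's built-in crypto module; serverDb and all function names are hypothetical, and real passkeys (WebAuthn) layer origin binding and other checks on top of this challenge-and-signature core.

```javascript
// Added example (not from the article). Hypothetical names throughout.
const nodeCrypto = require('crypto');

// Everything the service stores per account: username -> public key (PEM).
const serverDb = new Map();

// Registration: the device creates the key pair and uploads only the public half.
function register(username) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  serverDb.set(username, publicKey.export({ type: 'spki', format: 'pem' }));
  return privateKey; // stays on the device, unlocked by face scan, fingerprint or PIN
}

// Server side: a fresh random challenge for every login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32);
}

// Device side: prove possession of the private key by signing the challenge.
function signChallenge(privateKey, challenge) {
  return nodeCrypto.sign('sha256', challenge, privateKey);
}

// Server side: check the signature against the stored public key.
function verifyLogin(username, challenge, signature) {
  const pem = serverDb.get(username);
  if (!pem) return false; // unknown account
  const publicKey = nodeCrypto.createPublicKey(pem);
  return nodeCrypto.verify('sha256', challenge, publicKey, signature);
}

// Breach scenario: someone holds a full copy of serverDb. It contains public
// keys only, so the best they can do is sign with a key of their own, which
// the server rejects.
function breachedDbAllowsLogin(username) {
  const leaked = new Map(serverDb);
  if (!leaked.has(username)) return false;
  const otherKey =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' }).privateKey;
  const challenge = newChallenge();
  return verifyLogin(username, challenge, signChallenge(otherKey, challenge));
}
```

Because each login signs a new random challenge, a signature captured from one session does not verify against the next one either.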
