Why earwax & kittens are no recipe for successful IT security

Security researchers claims the unique properties of people's earwax could make it a password killer. Davey Winder's not convinced

Scientists at the Monell Chemical Senses Centre in the US have discovered the aroma of earwax varies from person to person.

More accurately, the chemical compounds that make it smell vary and create a unique waxy identifier.

In fairness, the boffins behind this discovery have not suggested earwax as a replacement for computer passwords, but some security experts are already talking up its potential as an authentication mechanism.

I am not surprised, given my exposure to equally daft-sounding biometric authentication projects in recent years.

A team in Tokyo has been working on a chair that measures your buttock with 360 pressure sensors, for example.

Then there's cognitive fingerprint technology such as SilentSense, an authentication framework currently being developed by researchers at the Illinois Institute of Technology, which uses 'touch-related' behaviour.

This uses data mined from behaviours, such as screen tapping and gesture creation, and works out a pattern of micro-movements that can uniquely identify a device owner.

The cute kittens were one of the Human Interactive Proofs (HIPS) that were all the rage a couple of years back in research labs. They were used by Microsoft researchers to try and distinguish between bots and humans when accessing forums.

Display a grid of photos with a mix of cats and dogs, and ask the cats to be identified; easy for people, apparently very hard for computers.

The trouble is whenever I am told something is going to be a password killer, I immediately wince; the password is not dead, nor is it terminally ill, and here's why. If biometrics were the answer to user authentication then we would all be using fingerprint scanners routinely by now, and we are not.

The technology has existed for what seems like forever, and is as mature as it can be. Yet still it's a niche methodology. Even the implementation as a device lock and purchase validator on the iPhone 5s is actually less triumphant than you may think; this still needs a password to work with.

The problem with getting caught up in the biometric hype, of which the smell of your earwax has to be the most bizarre yet, is that it misses the point.

We already have secure authentication systems that work, are reasonably secure, easy to use and will not break the bank when it comes to enterprise distribution costs.

Yes, I'm talking about two-factor (or multi-factor) authentication where you know the password alone is not enough, and there's a requirement for something you have in the shape of a token (be that hardware or created in software) to back it up. One will not work without the other.

The trouble with using body parts is in the argument that a body part cannot change, and is unique. Fine until that fingerprint is cloned (when you cannot change your print like you can your password or token mechanism) or your bottom gets bigger.

Sure, by all means use biometrics as part of your multi-factor authentication solution, but please stop trying to sell me on them as the sci-fi saviour of IT security.