In-depth

Why earwax & kittens are no recipe for successful IT security

Security researchers claims the unique properties of people's earwax could make it a password killer. Davey Winder's not convinced

Password and username box

Scientists at the Monell Chemical Senses Centre in the US have discovered the aroma of earwax varies from person to person.

More accurately, the chemical compounds that make it smell vary and create a unique waxy identifier.

In fairness, the boffins behind this discovery have not suggested earwax as a replacement for computer passwords, but some security experts are already talking up its potential as an authentication mechanism.

Advertisement - Article continues below

I am not surprised, given my exposure to equally daft-sounding biometric authentication projects in recent years.

A team in Tokyo has been working on a chair that measures your buttock with 360 pressure sensors, for example.

Then there's cognitive fingerprint technology such as SilentSense, an authentication framework currently being developed by researchers at the Illinois Institute of Technology, which uses 'touch-related' behaviour.

This uses data mined from behaviours, such as screen tapping and gesture creation, and works out a pattern of micro-movements that can uniquely identify a device owner.

The cute kittens were one of the Human Interactive Proofs (HIPS) that were all the rage a couple of years back in research labs. They were used by Microsoft researchers to try and distinguish between bots and humans when accessing forums.

Display a grid of photos with a mix of cats and dogs, and ask the cats to be identified; easy for people, apparently very hard for computers.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The trouble is whenever I am told something is going to be a password killer, I immediately wince; the password is not dead, nor is it terminally ill, and here's why. If biometrics were the answer to user authentication then we would all be using fingerprint scanners routinely by now, and we are not.

The technology has existed for what seems like forever, and is as mature as it can be. Yet still it's a niche methodology. Even the implementation as a device lock and purchase validator on the iPhone 5s is actually less triumphant than you may think; this still needs a password to work with.

The problem with getting caught up in the biometric hype, of which the smell of your earwax has to be the most bizarre yet, is that it misses the point.

We already have secure authentication systems that work, are reasonably secure, easy to use and will not break the bank when it comes to enterprise distribution costs.

Advertisement - Article continues below

Yes, I'm talking about two-factor (or multi-factor) authentication where you know the password alone is not enough, and there's a requirement for something you have in the shape of a token (be that hardware or created in software) to back it up. One will not work without the other.

The trouble with using body parts is in the argument that a body part cannot change, and is unique. Fine until that fingerprint is cloned (when you cannot change your print like you can your password or token mechanism) or your bottom gets bigger.

Sure, by all means use biometrics as part of your multi-factor authentication solution, but please stop trying to sell me on them as the sci-fi saviour of IT security.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/business/policy-legislation/356215/senators-propose-a-bill-aimed-at-ending-warrant-proof-encryption
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/cloud/356260/the-road-to-recovery
Sponsored

The road to recovery

30 Jun 2020