In-depth

Why earwax & kittens are no recipe for successful IT security

Security researchers claims the unique properties of people's earwax could make it a password killer. Davey Winder's not convinced

Password and username box

Scientists at the Monell Chemical Senses Centre in the US have discovered the aroma of earwax varies from person to person.

More accurately, the chemical compounds that make it smell vary and create a unique waxy identifier.

In fairness, the boffins behind this discovery have not suggested earwax as a replacement for computer passwords, but some security experts are already talking up its potential as an authentication mechanism.

I am not surprised, given my exposure to equally daft-sounding biometric authentication projects in recent years.

A team in Tokyo has been working on a chair that measures your buttock with 360 pressure sensors, for example.

Then there's cognitive fingerprint technology such as SilentSense, an authentication framework currently being developed by researchers at the Illinois Institute of Technology, which uses 'touch-related' behaviour.

This uses data mined from behaviours, such as screen tapping and gesture creation, and works out a pattern of micro-movements that can uniquely identify a device owner.

The cute kittens were one of the Human Interactive Proofs (HIPS) that were all the rage a couple of years back in research labs. They were used by Microsoft researchers to try and distinguish between bots and humans when accessing forums.

Display a grid of photos with a mix of cats and dogs, and ask the cats to be identified; easy for people, apparently very hard for computers.

The trouble is whenever I am told something is going to be a password killer, I immediately wince; the password is not dead, nor is it terminally ill, and here's why. If biometrics were the answer to user authentication then we would all be using fingerprint scanners routinely by now, and we are not.

The technology has existed for what seems like forever, and is as mature as it can be. Yet still it's a niche methodology. Even the implementation as a device lock and purchase validator on the iPhone 5s is actually less triumphant than you may think; this still needs a password to work with.

The problem with getting caught up in the biometric hype, of which the smell of your earwax has to be the most bizarre yet, is that it misses the point.

We already have secure authentication systems that work, are reasonably secure, easy to use and will not break the bank when it comes to enterprise distribution costs.

Yes, I'm talking about two-factor (or multi-factor) authentication where you know the password alone is not enough, and there's a requirement for something you have in the shape of a token (be that hardware or created in software) to back it up. One will not work without the other.

The trouble with using body parts is in the argument that a body part cannot change, and is unique. Fine until that fingerprint is cloned (when you cannot change your print like you can your password or token mechanism) or your bottom gets bigger.

Sure, by all means use biometrics as part of your multi-factor authentication solution, but please stop trying to sell me on them as the sci-fi saviour of IT security.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021
Report: Security staff excluded from app development
cyber security

Report: Security staff excluded from app development

20 Jan 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

20 Jan 2021
SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021

Most Popular

Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021