In-depth

Why earwax & kittens are no recipe for successful IT security

Security researchers claims the unique properties of people's earwax could make it a password killer. Davey Winder's not convinced

Password and username box

Scientists at the Monell Chemical Senses Centre in the US have discovered the aroma of earwax varies from person to person.

More accurately, the chemical compounds that make it smell vary and create a unique waxy identifier.

In fairness, the boffins behind this discovery have not suggested earwax as a replacement for computer passwords, but some security experts are already talking up its potential as an authentication mechanism.

I am not surprised, given my exposure to equally daft-sounding biometric authentication projects in recent years.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

A team in Tokyo has been working on a chair that measures your buttock with 360 pressure sensors, for example.

Then there's cognitive fingerprint technology such as SilentSense, an authentication framework currently being developed by researchers at the Illinois Institute of Technology, which uses 'touch-related' behaviour.

This uses data mined from behaviours, such as screen tapping and gesture creation, and works out a pattern of micro-movements that can uniquely identify a device owner.

The cute kittens were one of the Human Interactive Proofs (HIPS) that were all the rage a couple of years back in research labs. They were used by Microsoft researchers to try and distinguish between bots and humans when accessing forums.

Display a grid of photos with a mix of cats and dogs, and ask the cats to be identified; easy for people, apparently very hard for computers.

The trouble is whenever I am told something is going to be a password killer, I immediately wince; the password is not dead, nor is it terminally ill, and here's why. If biometrics were the answer to user authentication then we would all be using fingerprint scanners routinely by now, and we are not.

Advertisement - Article continues below

The technology has existed for what seems like forever, and is as mature as it can be. Yet still it's a niche methodology. Even the implementation as a device lock and purchase validator on the iPhone 5s is actually less triumphant than you may think; this still needs a password to work with.

The problem with getting caught up in the biometric hype, of which the smell of your earwax has to be the most bizarre yet, is that it misses the point.

We already have secure authentication systems that work, are reasonably secure, easy to use and will not break the bank when it comes to enterprise distribution costs.

Yes, I'm talking about two-factor (or multi-factor) authentication where you know the password alone is not enough, and there's a requirement for something you have in the shape of a token (be that hardware or created in software) to back it up. One will not work without the other.

Advertisement
Advertisement - Article continues below

The trouble with using body parts is in the argument that a body part cannot change, and is unique. Fine until that fingerprint is cloned (when you cannot change your print like you can your password or token mechanism) or your bottom gets bigger.

Sure, by all means use biometrics as part of your multi-factor authentication solution, but please stop trying to sell me on them as the sci-fi saviour of IT security.

Featured Resources

Report: The State of Software Security

This annual report explores important trends in software security

Download now

A fast guide to finding your cloud solution

One size doesn't fit all in the cloud, so how do you find the best option for your business?

Download now

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Small & Medium Business Trends Report

Insights from 2,000+ business owners and leaders worldwide

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/hardware/354723/coronavirus-starts-to-take-its-toll-on-the-tech-industry
Hardware

Coronavirus starts to take its toll on the tech industry

6 Feb 2020
Visit/operating-systems/microsoft-windows/354739/windows-7-bug-blocks-users-from-shutting-down-their-pcs
Microsoft Windows

Windows 7 bug blocks users from shutting down their PCs

10 Feb 2020
Visit/in-depth/354726/sonos-speakers-are-environmentally-unsound
In-depth

Sonos speakers are environmentally unsound

9 Feb 2020