Data61's mission to wipe out the password

Data61's Dali Kaafar believes passwords have been "a huge disaster" for the world of IT security and usability.

They can be forgotten by their owners, stolen by malicious actors, and on average people will have just two different passwords across 12 separate accounts.

Kaafar and his team at the research body are trying to develop a new alternative to the password that uses the unique ways people touch their devices to authenticate them.

He told the Biometrics Institute’s Asia-Pacific conference last week how his team has been testing its patented method of what he calls “behavioural biometrics” with as many as 3000 users.

The process the researchers have come up with requires a user to register by picking two or three images from a line up of options. At login, they need only recall which images they picked, add up corresponding numbers at the bottom of the images, and handwrite the total on the screen.

The system, Kaafar said, uses the capabilities of a secret question (recalling an image), behavioural biometrics, and cognitive biometrics to create something he hopes is stronger than the sum of its parts.

The concept takes advantage of the ubiquity of touchscreen-enabled devices to identify users by the direction of their swipes; the level of pressure they place on the screen; their acceleration as they move their finger; the frequency of keystrokes; and the area of the device covered by strokes, among other things.

“The information is not based on one unique feature but a range of features combined. Even if one feature is very important, the combination is even more important,” Kaafar told the conference.

The use of the touch-based behavioural biometrics would become even more effective when used for “implicit” or continuous authentication that takes place in the background while a device is in use.

Kaafar said it requires a minimum of seven to eight gestures to properly authenticate an identity using the stroke-based method.

The Data61 team is currently testing whether its method can be duped, by asking 150 people to sign in using the method more than 100 times. Every attempt will be recorded on video, and another 20 test subjects will attempt to reproduce the login behaviours to see if they can get into the system.

Kaafar said that unlike more traditional physiological biometrics like fingerprints and retina scans, behavioural features are “very consistent over a short period of time”, but “dynamic over a long time”.

He said the problem with static biometrics like your fingerprint was “once they are lost they remain lost”.

Kaafar hopes his research will turn the tide on 20 years of work to phase out the password that has not yet been able to come up with a replacement.

“This is a really a great opportunity from an authentication point of view,” he said.