Passwords get hacked — a lot. In an effort to move beyond passwords, big companies are embracing biometric technology: the use of fingerprints, iris scans or voice recognition for user identification.
To heighten security, smartphones are being outfitted with biometric features. But, ditching passwords for biometrics may not make the hackers go away.
At a big security conference called RSA, thousands of people gather in San Francisco's Moscone Center, selling products to make life online more secure.
Conor White, an executive at a biometrics company called Daon, begins to demonstrate how he logs into his bank account.
"I've just launched our mobile app and you can see here, I'm straight into the app," he says. "Watch how it authenticates me."
He doesn't type in a password. He holds his iPhone up to his face, like he's going to take a selfie.
He blinks — on purpose. What follows is a camera click sound.
"I blink because photographs don't blink," White says. "It's a basic test to make sure it's not someone holding up a photograph of me on the Internet."
And if selfie security doesn't work — say you're in a dark room — you can use your fingerprint instead, or your voice. White reads this sentence to get into the app: "My identity is secure because my voice is my passport."
His company recently landed a big contract with USAA to do biometric identification for the financial services firm's account holders. White says bankers are calling him regularly now because the old system has failed.
Biometrics are a great alternative, he says, because they're super-personal.
"I wear my face every day," White says. It's the only face I have. As they say, a face only my mother could love."
And if it feels too personal, don't do it, he says.
"At the end of the day, it's down to choice," White says. "If people feel uncomfortable, they don't have to do it. They can continue to go with the password-based model. They may not get the level of service that they want, but it's their choice."
A Race To Patent
It's a choice for now. But given the pace at which companies are putting biometrics into their hardware, it could become the new normal soon.
Patent attorney Yuri Eliezer, with the firm SmartUp, says a decade ago, there were just 46 patent applications for biometrics. Last year, he counted at least 567.
"It's a definitely a growing number and we anticipate that's going to continue to grow," he says.
Apple, Samsung, Google, Microsoft and Intel are all filing. Eliezer says biometrics is part of the blueprint for the newest lines of smartphones and fitness trackers.
"This is something we're always holding in our hand or having in our pockets, always so close to our bodies," he says. "And now, the fact that we could integrate these sensing devices into our mobile devices, it makes it all the more useful to aggregate and collect data on us."
It could provide something useful, too.
According to patent filings: Apple wants to use biometrics to lock and unlock messages [keep that text for your irises only]; Microsoft is interested in entertainment value, and is working on a device that monitors your heart rate or blood oxygen levels — maybe to adjust the music while you play Xbox.
"If your heart rate's increasing, the music might speed up or slow down based on the environment the gaming providers are trying to create," Eliezer says.
The biometric boom raises some well-known privacy concerns. It also raises some less-known security concerns.
David Cowan with Bessemer Venture Partners is an investor. He's put over $100 million into digital security companies, but he refuses to invest in biometrics.
"Either a password or a biometric can be stolen," he says. "But only the password can be changed. Once your fingerprint is stolen, it's stolen forever, and you're stuck."
Hackers have already made dummy fingerprints — using pictures of people's hands available online — to swipe into the iPhone 6 scanner.
Cowan says in a world where just about anything can be hacked, the cost of biometrics is just too high.