Here's the fundamental problem with passwords: They are most effective in protecting a company when they are long, complicated and changed frequently. In other words, when employees are least likely to remember them.
As a result, technology companies are rushing to provide solutions that are both more secure and more convenient. Many laptops now come with built-in fingerprint readers. Smartphones and other devices, too, are opening up biometric options such as facial and voice recognition.
Apple Inc. last year acquired AuthenTec Inc., a developer of fingerprint-sensor technology, and on Tuesday it said its new iPhone will come with a fingerprint sensor. Microsoft Corp. says its Windows 8.1 operating system, due out next month, is "optimized for fingerprint-based biometrics." Biometric authentication will be usable more extensively within the system, the company says.
Google Inc., PayPal Inc., Lenovo Group Ltd. and others, meanwhile, have come together in an organization known as the FIDO (Fast Identity Online) Alliance, which is aimed at creating industry standards for biometric and other forms of so-called strong authentication.
Google is also experimenting with a new kind of hardware token, created by Palo Alto, Calif.-based Yubico Inc. Like the traditional hardware tokens that generate random numeric passwords and which companies have used for years, the Yubico devices generate temporary passwords to be used as a second form of authentication.
But instead of having to read the password off the token and retype it, employees can simply plug the token into a USB port or touch it on a mobile device using near-field communication, a technology through which electronic devices communicate by making physical contact.
Google is testing the tokens with employees this year, and plans to offer them to consumers next year as a way of logging into Gmail and other Google accounts more securely.
Mayank Upadhyay, a director of security engineering at Google, says the tokens are easy to use and have strong encryption.
"We believe that by using this token we've raised the standard of security for our employees beyond what was commercially available," he says. The token works with Google's Web browser Chrome, and "works very seamlessly for people in their day-to-day workflow here at Google," he says.
Another new option, from RSA, the security division of EMC Corp. and creator of the widely used SecurID hardware tokens, is risk-based authentication.
This technology sifts through masses of user data from various groups at a company to establish "normal" behavior, then assigns risk scores to each user. If an employee does something unusual, like log in from a new location, use a different computer, or try to access a system other than his or her usual, the risk score will increase, and the employee may be asked to provide additional authentication, for example by verifying his or her identity over the phone.
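The risk-scoring approach described above can be illustrated with a short Python example. It is added here and is not RSA's code or part of the original article; the sample login history, weights and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample history: (user, location, device, system) of past logins.
HISTORY = [
    ("alice", "Stamford", "laptop-17", "payroll"),
    ("alice", "Stamford", "laptop-17", "email"),
    ("alice", "Stamford", "phone-03", "email"),
    ("bob", "London", "desktop-42", "crm"),
]

# Assumed weights and threshold; a real deployment would tune these from data.
WEIGHTS = {"location": 40, "device": 30, "system": 20}
STEP_UP_THRESHOLD = 50


def build_baseline(history):
    """Record the locations, devices and systems each user has been seen with."""
    baseline = defaultdict(
        lambda: {"location": set(), "device": set(), "system": set()}
    )
    for user, location, device, system in history:
        seen = baseline[user]
        seen["location"].add(location)
        seen["device"].add(device)
        seen["system"].add(system)
    return baseline


def risk_score(baseline, user, location, device, system):
    """Sum the weight of every attribute that falls outside the user's baseline."""
    if user not in baseline:
        return sum(WEIGHTS.values())  # no history: everything counts as unusual
    seen = baseline[user]
    attempt = {"location": location, "device": device, "system": system}
    return sum(w for key, w in WEIGHTS.items() if attempt[key] not in seen[key])


def decide(baseline, user, location, device, system):
    """Return 'allow', or 'step_up' when additional authentication is needed."""
    score = risk_score(baseline, user, location, device, system)
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"
```

A single unusual attribute raises the score without crossing the assumed threshold; two or more together, or a user with no history, trigger the request for additional authentication.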
Many people expect the security landscape to change rapidly as more and more employees bring their own smartphones and other devices to work. While the proliferation of individual devices is often seen as a security threat, some analysts suggest that mobile devices can improve security by making it easier to use biometric authentication. Most mobile devices feature a microphone and camera, and can pinpoint an employee's location as well.

[Photo: Yubico's random-password token plugs into a USB port or can be touched to a screen. Credit: Yubico Inc.]
"We think that biometric authentication is going to be significantly more popular, and the driver and enabler of this is mobile computing," says Ant Allan, research vice president at Gartner Inc. of Stamford, Conn.
He explains that for large enterprises, installing new hardware for each employee can be very expensive, thus a system that draws on commonly owned personal devices has clear economic advantages. Moreover, employees with mobile devices are likely to find a fingerprint reader much easier to use than remembering and typing passwords.
Other developers of groundbreaking security tools include Agnitio SL of Madrid, which makes voice-recognition software used in law enforcement. The company has developed a system that allows workers to log in by speaking a simple phrase.
London-based PixelPin Ltd., meanwhile, wants to replace passwords with pictures. Choose a picture of your spouse, for example, and log in by clicking on four parts of her face in a sequence you've memorized. A photo is easier for people to remember than a text password, and harder for others to replicate, says company co-founder Geoff Anderson.
And, looking further into the future, researchers at the University of California, Berkeley, are studying the use of brain waves as authentication. Test subjects in the research wore a headset that measured their brain-wave signals as they imagined performing a particular task, and the researchers were able to distinguish between different people with 99% accuracy. In theory, an imagined task like this could become a worker's "passthought."
Most experts expect companies to use a variety of different measures. Saratoga Hospital, in Saratoga Springs, N.Y., for example, uses fingerprint readers as a more secure alternative to passwords. But while they've solved many of the hospital's security problems, the print readers don't work for everyone. A few elderly volunteer workers struggle to hold their hand still, and the readers don't work when people are wearing gloves, or when their hands are too dry, says Gary Moon, security analyst at the hospital. Some employees also have refused to hand over their prints.
As a result, Mr. Moon says, the hospital is still using passwords as a backup security system.
"There really isn't any 'one size fits all' in authentication," says Vance Bjorn, founder of DigitalPersona Inc. in Redwood City, Calif., which supplied the fingerprint readers to Saratoga Hospital. Companies need access to a combination of different technologies, Mr. Bjorn says.
"One technology solves certain problems, but it might not be the right mix of security, convenience, cost and ease of deployment for everyone."
Mr. Blackman is a writer in Crete. He can be reached at email@example.com.