Passwords are the worst

Alphanumeric passwords are an archaic security system that should be replaced immediately. They are so inconvenient, especially in a mobile world, that a lot of people simply forgo them entirely in favour of convenience. Complex passwords are hard to remember, therefore people use simple, easily guessable ones, or reuse the same one everywhere on the Internet. Sometimes both.

Students from Xi’an Jiaotong-Liverpool University in China published a study in 2018 exploring the possibility of replacing traditional passwords with semantically-linked images on mobile devices. They show that arranging a set of images in a predefined fashion to unlock your mobile device is as secure as entering a passcode, easier to remember, and better adapted to touch screens. Great, right?

I think it’s an interesting concept, but swapping one input system for another is unlikely to solve the issue. No password system is secure if users simply opt out. From the study:

Research by Micallef et al. shows that over 64% of users chose not to secure or use an authentication system on their mobile devices. However, while it has been suggested that users may not assign significance to the information existing on their mobile devices, other arguments, such as that made by [Micallef et al.], suggest that users dislike the inconvenience of repeatedly unlocking their mobile devices.

Yikes.

The trend over the last few years has been to implement biometric authentication on phones and other computers. Touch ID and Face ID are probably the two most well-known systems. If you use a Windows machine, you might be familiar with Windows Hello.

When Apple launched Face ID in 2017, they touted how secure it was. Sure, the identification system itself is pretty much unparalleled. Unfortunately, it and almost all consumer-grade biometric recognition systems have a fatal flaw. Here’s an excerpt from the Apple support page for Face ID:

The probability that a random person in the population could look at your iPhone or iPad Pro and unlock it using Face ID is approximately 1 in 1,000,000 with a single enrolled appearance. As an additional protection, Face ID allows only five unsuccessful match attempts before a passcode is required.

And therein lies the problem. Even when users opt in to Face ID, they have to set up a backup solution in case the authentication fails. By default, that solution is a 4-digit PIN, which is not nearly as secure as biometric authentication. For one, the probability that someone guesses your passcode at random is 1 in 10,000, or 100 times more likely than a random person unlocking your phone through Face ID, according to Apple’s own numbers. What’s more, if you have two working eyes, it is ridiculously easy to see someone’s passcode as they enter it, or even to guess it from the smudges left on the screen. And even with Face ID on, iOS requires users to enter their passcode a lot. Glenn Fleishman wrote for Macworld (from 2016, but still accurate to my knowledge):

[iOS asks for a passcode when] restarting the device, five failed fingerprint [or facial] recognition attempts, receiving a remote lock command via Find My iPhone, enrolling new fingerprints in Touch ID [or appearances in Face ID], and not having been unlocked in any fashion in 48 hours.

The article mentions other, more obscure ways to trigger a passcode request. The main culprit, however, is definitely five failed attempts. This happens all the time on my Touch ID devices, and it seems to happen quite a bit with Face ID too.

Here’s the thing: a machine is only as secure as its weakest authentication system. Imagine you spend thousands of dollars on a premium-quality, practically impenetrable lock for the front door of the shed in your backyard but use a Master Lock that can be picked in two seconds on the back door. What crook is going to spend time concocting a plan to unlock the front door if they can essentially kick your back door in and make themselves at home?
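To put numbers on the weakest-link argument, here is a small model I wrote for this post (not from Apple, the study, or Macworld). It takes the quoted figures at face value: a 1-in-1,000,000 false-accept rate per Face ID attempt with a five-attempt lockout, and a uniformly random 4-digit PIN guessed without repeats. The attempt budget for the PIN and the 6-digit comparison are my own assumptions, added to show how the fallback, not the biometric, sets the effective security.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UnlockPath:
    """One way into the device and how many tries an attacker gets at it."""
    name: str
    per_try: float          # probability that a single random attempt is accepted
    attempts: int           # attempts allowed before this path locks out
    exhaustive: bool = False  # True when each guess removes a candidate (PINs)

    def success_probability(self) -> float:
        if self.exhaustive:
            # Guessing a PIN without repeats: attempts / keyspace, capped at 1.
            space = round(1.0 / self.per_try)
            return min(self.attempts, space) / space
        # Biometric matcher: independent trials at a fixed false-accept rate.
        return 1.0 - (1.0 - self.per_try) ** self.attempts


def face_id(attempts: int = 5, false_accept: float = 1e-6) -> UnlockPath:
    """Face ID as described in Apple's quoted numbers (1 in 1,000,000, 5 tries)."""
    return UnlockPath("Face ID", false_accept, attempts)


def pin(digits: int, attempts: int) -> UnlockPath:
    """Numeric PIN of the given length; the attempt budget is an assumption."""
    return UnlockPath(f"{digits}-digit PIN", 10.0 ** -digits, attempts, exhaustive=True)


def weakest_link(paths: list[UnlockPath]) -> UnlockPath:
    """The path a rational attacker picks: the one most likely to succeed."""
    return max(paths, key=lambda p: p.success_probability())


def combined_success(paths: list[UnlockPath]) -> float:
    """Attacker may try every path; the device falls if any one of them succeeds."""
    fail = 1.0
    for p in paths:
        fail *= 1.0 - p.success_probability()
    return 1.0 - fail


if __name__ == "__main__":
    # Same five-attempt budget for both paths, as the post's comparison implies.
    paths = [face_id(), pin(4, 5), pin(6, 5)]
    for p in paths:
        print(f"{p.name:12s} p(success) = {p.success_probability():.2e}")
    print("weakest link:", weakest_link(paths[:2]).name)
    print(f"Face ID + 4-digit PIN: {combined_success(paths[:2]):.2e}")
```

The single-attempt ratio between the 4-digit PIN and Face ID comes out at exactly 100, the figure in the text, and the combined number is dominated by the PIN term.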

I think the days of using biometrics without requiring a backup PIN are probably still far off, for two reasons. One, it’s currently impossible to lock yourself out of your device permanently as long as you remember your passcode. Without a passcode, any number of things could leave you with no way in: you lose your Touch ID-registered fingers in an accident, you damage your fingerprints or your face in a fire, you need facial reconstructive surgery, etc. Two, there is the customer service and PR nightmare that would ensue once users started locking themselves out of their phones and computers. We’ll have to make do in the meantime, and no authentication method will revolutionize cybersecurity as long as we have Master Locks on our back doors.