Smartphones have you pegged, and for better or worse they'll soon ID you

March 3, 2017 by Tim Johnson, McClatchy Washington Bureau

The things that make human beings unique - fingerprints, irises, facial features - have become the preferred way to sign onto banking accounts online or other sensitive websites, the newest solution to the problem of hackable and forgettable passwords.

But your can be stolen, your photo replicated. Now cyber experts are looking at the next security step: cellphones and computers that actually recognize you from a variety of factors.

Your smartphone now gathers more information about you than you probably realize.

"It's amazing how many sensors there are on a modern-day smartphone. You have motion sensors, like an accelerometer, a gyroscope and magnetometer," said John Whaley, of UnifyID, a startup that offers what it calls revolutionary authentication.

Then you have other sensors, such as GPS, Bluetooth and Wi-Fi. All told, an average smartphone has 10 or so sensors measuring precise details about location and user habits.

"We can tell what floor of a building you're on. We can tell if you are inside or outside of a building," Whaley said. "Just with a few seconds of your walking data, from your phone sitting in your pocket, we can actually identify you based on that."

All told, smartphones can measure the angle at which you cradle your devices, the pressure you put on the screen, how much of your finger touches the pad, the speed at which you type, how you swipe, your physical rhythms, the times you normally stir in the morning: some 100 or more indicators that in combination can give near total accuracy in identifying you.

"Once you combine a large number of these factors together, we can actually get to 99.999 percent accuracy about it being you versus not you," Whaley said. "At that threshold, you can actually use this for authentication and you don't have to use passwords anymore."

If passwords become a thing of the past, it is likely due to what computer scientists describe as machine learning - which allows computers to find hidden insights without being explicitly programmed where to look - as well as improvements in sensors that measure our lives and actions with precision. What Whaley calls "implicit authentication" may change the way humans interact not only with phones and websites, but maybe the world at large. ATMs may recognize us as we approach. Clerks or cash registers at stores may greet us by name as their computers recognize our smartphones.

Whaley, who has a master's degree in computer science from MIT and a doctorate in the field from Stanford, is catching attention. His company competed with scores of others as the most innovative startup in the field of cybersecurity at the RSA conference in San Francisco last week, which drew 43,000 attendees, and won in a unanimous decision of the judges.

Technology to ensure authentication of users would have repercussions in banking and finance, e-commerce, cybersecurity, transportation security and in fraud detection, sectors with a value that nearly reaches $2 trillion.

"The need for extended authentication technology is going to be great," said Robert Capps, vice president of business development at NuData Security, a Vancouver firm that uses behavioral analytics to help clients identify good users from bad ones.

The downside to using biometrics, such as fingerprints, in computer security is not widely understood.

"There definitely is a gap in the perceived value of biometrics and the true value," said Daniel Ingevaldson, at Easy Solutions, a Doral, Fla., company that helps banks fight electronic fraud.

Ingevaldson noted that a billion smartphones are now equipped with fingerprint sensors, and consumers clamor for banks to accept biometric proof.

But fingerprints are not secure. In the hack of the federal Office of Personnel Management in 2015, the fingerprints of 5.6 million people were stolen. And prints can be lifted off surfaces such as glass doors. High-resolution photos can also fool .

"Once your biometric credentials are stolen, they are stolen forever. There's no way to easily change your face. There's no easy way you can change your voice. And definitely not an easy way to change your fingerprints," said Ricardo Villadiego, Easy Solutions' chief executive.

Traditionally, the areas of authentication for users are something you know (such as a password), something you have (say, a cellphone or an electronic key) or something you are (a biometric indicator).

As the need for passwords has proliferated, users have grown fatigued. Many users choose ever simpler passwords. They repeat the same password on multiple sites, or make minor modifications.

The advantage of what UnifyID calls implicit authentication is that a user doesn't take conscious action to verify his or her identity. The smartphone, using a data bank of patterns of a given user, is continuously testing against those patterns.

"Security, instead of being up front, like, 'what's your password?' is going to be passive, in the background and happening all the time," Whaley said.

"Your devices will recognize you. Your car will recognize you. Your house will recognize you, and so security will become much more seamless," Whaley said. "It wasn't possible just a few years ago. It's because of a proliferation of , the fact that they are all connected, and machine-learning technology."

Just how such data are stored, and who has access to it, may play out differently in different parts of the world.

"The perception in the U.S. is that consumer data (are) fine in the hands of private industry but not fine in the hands of government," Capps said. In Europe, the opposite is true.

Authentication can occur either on a smartphone itself or in the cloud, and there are tradeoffs. If data is stored on a phone, then the phone itself recognizes a fingerprint and only sends a simple message on to institutions like banks, which cannot conduct further analysis. But if companies collect a large repository of sensitive user data, it becomes a honey pot for hackers.

"Much of the data is actually sensitive," Whaley said, "things about even where you are at a certain time of day. These are examples of data you may not even want your spouse to know."

Kurt Somerville, chief operating officer at UnifyID, said companies compiling the vast data that can be extracted from smartphones must be "totally transparent" with users about what they are collecting and what it will be used for, with users opting in or out for each data point.

"If they are not comfortable with us using their GPS, where they physically move, they can turn that off and all the other factors will essentially re-weigh themselves," he said.

Whaley said the passive biometric data would be kept on the smartphones themselves, not by the company.

"We always want to be in the position that even if somebody hacked into our servers or we got a subpoena from a government or otherwise were compelled to give up data, we can legitimately say there's no way for us to give that data because we don't have it," Whaley said.


18 comments


gkam
1 / 5 (5) Mar 11, 2017
Big Brother owns us, and the intelligence agencies own him.

And Putin owns some of the intelligence agencies.
Uncle Ira
4.3 / 5 (6) Mar 11, 2017
Big Brother owns us, and the intelligence agencies own him..


Cher, here you go again about your big brother. What makes him so bad, he got to be at least more older than you so why I should be worried about him?
gkam
1 / 5 (5) Mar 11, 2017
One of my jobs in the service was to bug Southeast Asia with ground sensors. That was 1967-68.

You apparently do not understand the implications and potential consequences of your attitude.
Uncle Ira
4.3 / 5 (6) Mar 11, 2017
One of my jobs in the service was to bug Southeast Asia with ground sensors. That was 1967-68.
That's nice. But that is not what I asked.

You apparently do not understand the implications and potential consequences of your attitude.
My attitude? What that means Cher? You keep talking about your big bad big brother. What about him I should be worried about? He has got to be at least 80 or 75 years old by now.
Uncle Ira
4.3 / 5 (6) Mar 11, 2017
potential consequences of your attitude
You don't understand the potential consequences of your big bother's attitude if you think he going try to come around here and teach me a lesson about messing around with the "REAL" glam-Skippy. A 70 year old man still using the "my big brother" line, you should feel real foolish about that. I haven't heard that one since I was in the 5th grade.
gkam
1 / 5 (5) Mar 11, 2017
Don't you Red State folk refer to that as your Senior Year?
gkam
1 / 5 (5) Mar 11, 2017
If you had stayed until the sixth grade, you could have read "Brave New World" or "1984", and learned something.
Uncle Ira
4.3 / 5 (6) Mar 11, 2017
Don't you Red State folk refer to that as your Senior Year?


Only when we are slapping around your older bother and I don't care how big he is.
Uncle Ira
4.3 / 5 (6) Mar 11, 2017
If you had stayed until the sixth grade, you could have read "Brave New World" or "1984", and learned something.


I was in the second grade in 1984. What does that have to do with anything?
gkam
1 / 5 (5) Mar 11, 2017
Oh, nothing, . . . .

Pay no attention to the snickers.
Whydening Gyre
5 / 5 (5) Mar 11, 2017
Oh, nothing, . . . .

Pay no attention to the snickers.

Sorry, George, but "1984" is not the definitive tome for all generations in regards to abuse of power.
And, I'd almost bet Ira HAS read it...
He's smarter and better informed than you give him credit for, methinks..
gkam
1 / 5 (5) Mar 11, 2017
He HAS to be smarter than he writes, especially when doing his phony Cajun routine.

My point is this is a science site not a high school twitter forum. I want to discuss the science not play his silly games while he hides from scrutiny. It is tiresome to have to defend myself from continuous sniping from an apparent adolescent.
Uncle Ira
4.3 / 5 (6) Mar 11, 2017
It is tiresome to have to defend myself from continuous sniping from an apparent adolescent.
Says the couyon who tweeters 30 posts a day about the couyon who barely averages 3.
Captain Stumpy
4.3 / 5 (6) Mar 11, 2017
He's smarter and better informed than you give him credit for, methinks..
@Whyde
i can guarantee he is far more intelligent and well read than most give him credit for

.

.

@STOLEN VALOR LIAR-kam
My point is this is a science site not a high school twitter forum.
LOL
the scientific method
The scientific method is a body of techniques for investigating phenomena, acquiring new knowledge, or correcting and integrating previous knowledge. To be termed scientific, a method of inquiry is commonly based on empirical or measurable evidence subject to specific principles of reasoning.
one thing mentioned in there is "evidence"
that is the one thing you routinely fail to add to any argument... and especially when the evidence directly refutes your claims

so by your own definition, your posts are emotional anonymous high school twitter sloganeering bullsh*t

per your own request, then...
TheGhostofOtto1923
4 / 5 (4) Mar 11, 2017
I want to discuss the science not play his silly games
Uh no you want to make it up and play goobers here like cheap kazoos. Because youre a psychopath who enjoys plying his wares.

George has found nirvana. The only place he can be himself (besides at home) and not get fired or stomped into the pavement.

"One psychopath interviewed by Hare's team said quite frankly: "The first thing I do is I size you up. I look for an angle, an edge, figure out what you need and give it to you. Then it's pay-back time, with interest. I tighten the screws.""

"They perceive themselves as superior beings in a hostile world in which others are competitors for power and resources. They feel it is the optimum thing to do to manipulate and deceive others in order to obtain what they want."

-Physorg is the only place where george can be George Kamburoff.
TheGhostofOtto1923
4.2 / 5 (5) Mar 11, 2017
Sorry, George, but "1984" is not the definitive tome for all generations in regards to abuse of power
Yeah it was probably Animal Farm. The pigs were all psychopaths.
gkam
1 / 5 (5) Mar 11, 2017
Did you fail to notice you accused me of someone else' post?

Did you notice my correct use of the apostrophe?
Uncle Ira
4.3 / 5 (6) Mar 11, 2017
Did you fail to notice you accused me of someone else' post?
Did you fail to notice he probably was not talking to you?

Did you notice my correct use of the apostrophe?
Cher, are you so hard up for some ooohs and aaaahs that you have post up your own accolades?
