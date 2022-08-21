Fingerprint and facial recognition features could help avoid password hacking. Photo / 123RF

Fingerprint scanning and facial recognition are set to solve one of the biggest weaknesses in digital security. By Peter Griffin.

As an online scam, it was as ingenious as it was lucrative.

California man Argishti Khudaverdyan, the owner of a T-Mobile store in Los Angeles, was last month found guilty of fraud and hacking charges after raking in about US$25 million in ill-gotten gains by accessing T-Mobile's IT systems to unlock customers' mobile phones.

You see, in the US, if you buy a phone from a carrier such as T-Mobile, Sprint or AT&T, use of the phone is typically "locked" to one network. New Zealand carriers, thankfully, don't do this. For a fee, Khudaverdyan offered an unlock service via his website, unlocks247.com.

The key to the scam was gaining high-level access to T-Mobile's user database. To do so, Khudaverdyan ran email "phishing" attacks against T-Mobile employees, stealing their login credentials. Between 2014 and 2019, the money rolled in as Khudaverdyan worked inside T-Mobile's systems, unlocking thousands of phones, before his activity was uncovered. He will be sentenced for his crimes in October. But every day, lucrative scams are under way, and they all rely on exploiting the biggest weakness in digital security: our flaky use of passwords.

Passwords can be cracked through automated "brute force" attacks if they are too weak, or stolen in hacking attacks. Millions of people have been simply duped into disclosing their passwords in response to genuine-looking email requests. The answer is to do away with the password entirely.

Microsoft, Google and Apple are among a group of tech companies collaborating through the Fido (Fast Identity Online) Alliance to do just that. When Apple's latest operating systems for the iPhone, iPad and Mac (iOS 16, iPadOS 16 and macOS Ventura) debut in a few weeks' time, they will include passkeys, which let users sign in to websites and apps with the Face ID or Touch ID features of their devices, with the passkeys synced across their Apple devices.

Apple device users have a version of this already, in the passwords that iCloud Keychain stores and fills in. But passkeys go a step further. For each site, the device creates a pair of keys: the site keeps only the public key, while the private key stays on the device, encrypted, and can only be used after you scan your fingerprint or your face to prove it is really you. That should blunt phishing, because you'll never be typing a password, at least in the Apple environment, and because the key is tied to the site it was created for, so a lookalike site is handed nothing it can reuse.

Apple is also working with app makers to include its passkey system so that, eventually, it will be available on a wide range of commonly used apps. If you are trying to use your Apple ID to log into a non-Apple device, such as a Windows computer or TV set-top box, you'll be able to scan a QR code using your iPhone to verify that it's you.

Microsoft made password-less sign-in generally available for its commercial users last March, with a system relying on the phone-based Microsoft Authenticator app to approve logins on a user's various devices. Like Apple, Google will use public-key cryptography for its version, letting users unlock their phones to approve online logins.

But as the trendsetter in user design, Apple has the power to cement password-less login as the default setting for hundreds of millions of people. It also cements the iPhone at the heart of the Apple ecosystem, as the go-to device to use biometrics to authenticate your online activity.

Although there has been a backlash against the use of facial recognition to identify shoppers in retail outlets, or by law enforcement agencies trying to pick suspects out of a crowd, the technology certainly has its place. As a means of authenticating your identity via your phone's camera or fingerprint sensor, it is incredibly effective and secure. With Apple and others keeping your biometric data encrypted on the device itself, it isn't being sent to a web server that is vulnerable to hacking.

It means, within a couple of years, we should finally be free from the hassle of selecting and remembering complicated passwords.