Password authentication is a mess. Here’s a system to replace it

Hackers are having a field day, and weak authentication is a major cause. The vast majority of cyberattacks — some 80%, statistics show — have their roots in compromised passwords that hackers get hold of. All it takes is one stolen password for hackers to wreak havoc; and according to experts, that single password breach can cost enterprise firms over $7 million. Many schemes have been tried to build up password security, including increased education and 2FA. But despite that, password compromise statistics remain stubbornly high, cybersecurity education programs, although widespread, don’t seem to work, and 2FA has its own security issues.

At this point, it’s pretty clear we need alternatives to passwords, and an alternative that has grown in popularity in recent years is biometrics. Fingerprint readers are standard equipment on many smart devices, doors, and laptops today. But fingerprints can be spoofed, and facial recognition is not only flawed but may even be racist.

A better idea — more secure, more viable, and more practical — may be 3D hand geometry, combined with hand gesture recognition and advanced data analysis based on machine learning. Hands are much harder to spoof than fingerprints, and several studies contend that individual 3D hand shapes are quite unique. Studies suggest that gesture profiles may be unique to individuals as well. Thus, advanced data analysis and machine learning systems that examine the geometric and gesture data will build a secure profile unique to each individual, making spoofing a near-impossibility.

While the technology to authenticate users via hand geometry and gestures has been around for several years, it was missing the key element of advanced data analysis and machine learning. Authentication systems based on hand gestures currently in use match gestures of specific users to static images in a database (some are very large), but hackers could compromise it, changing the data associated with specific gestures to ensure anyone using them “passes,” for example. The same fate could await a static library of 3D hand images.

Advanced systems that actively analyze the 3D hand images and gestures as they come in — and compare them to other images and data to ensure uniqueness — could eliminate the dangers of database compromise, because the images and data are constantly being updated and improved via the system’s machine learning features. In addition, those systems can eliminate the privacy concerns surrounding biometrics.

The idea is based on research in geometric deep learning (GDL) — a new field that generalizes deep learning to learn from non-Euclidean data such as graphs and manifolds. (Manifold is a mathematical term used in differential geometry to indicate a space that is locally Euclidean. One of the simplest examples of a manifold is the Earth, a spherical surface that due to its planar appearance was believed to be flat for generations.) By evaluating the points on an object and their relations, the system can recognize and learn the unique geometric structure of that object, making it very useful when evaluating objects that can appear under different poses, such as 3D shapes, or those that cannot be processed by conventional deep learning.

GDL has been researched by several teams and has been the subject of several academic papers (I was a co-author of one of the earliest ones). And the technology is already being applied in 3D vision for autonomous driving and scene understanding, drug design (Moderna was open about it, although it didn’t mention GDL explicitly), recommendation systems, fake news detection in social media, among others. With research ongoing, GDL-based hand and gesture authentications are still being perfected (my company, NNAISENSE, has a working prototype), and commercialization is still some years away. Still, the technology is moving forward rapidly – and none too soon, given the sorry state of standard authentication systems.

Hand geometry takes into account the shape of the entire hand, along with features like ridges, finger size, the distance between knuckles, and much more. This provides a very unique profile for a user that would be very difficult to duplicate and certainly much harder to spoof than fingerprints.

Combining unique 3D hand images with the minute differences in gestures between people would render the system nearly impossible to hack. The details involved in this kind of authentication system would be too formidable for a hacker to try to duplicate. And the data analysis would ensure that even if hackers managed to spoof a hand and its gestures, they would be stopped in their tracks as the machine learning system would compare current data with existing data, on the individual and others.

The system is also less invasive than alternatives like facial recognition. 3D images of hands can be easily encrypted as they are sent over the internet. An authentication server using advanced security key technology can decrypt the code, matching up the hand being displayed in front of the 3D camera with a member of the authentication database. There is no need to even identify the person beyond their hand shape. Because there is no personal identification information involved, just the shape of a hand, you eliminate the privacy and discrimination issues involved in face recognition.

All the elements for this kind of hand-gesture authentication are now in place; advanced data technology and machine learning are robust and precise enough to sufficiently distinguish between the data presented. 3D cameras can be used to replace fingerprint keypads or other authentication systems at building entrances. In addition, they can be used with laptops to enable data-based hand geometry/gesture sign-ins to websites, replacing logins and passwords.

While the technology is there, putting it into action is a different matter altogether. Changing entrenched systems is usually very difficult, and passwords have been entrenched as authentication since the beginning of the computer era. Perhaps unsurprisingly, the first hack due to password compromise occurred soon after. Change usually starts at the top, so large enterprises — companies with the resources to invest in change — and governments should be trying alternative authentication methods. And the CISOs of these organizations should familiarize themselves with advanced data technology hand geometry/gesture-based authentication when considering those alternatives.

Safer computing is a matter of will, desire, and budget. Large organizations and governments have the will and desire to make their systems safer and the budget to make the necessary changes. Once they move forward, change will trickle down to the rest of society, making the world more secure.

Jonathan Masci is the Director of Deep Learning at NNAISENSE, a Swiss startup that builds AI for industrial process inspection, modeling, and control. His focus is on the application of machine learning to computer vision, pattern recognition, graphs and time-series analysis, with over 10,000 citations in the field. The algorithms he developed for steel manufacturer ArcelorMittal were the first applications of deep learning in heavy industry. He also serves as reviewer and is a program committee member for the top machine learning and computer vision conferences and journals (NeurIPS, PAMI, JMLR, IJCV, and IJCAI).