People like using passwords way more than biometrics

A new survey shows that we’ll give up our passwords only when they’re pried from our cold, dead hands.

That’s more or less the conclusion of a new study conducted by Yougov on behalf of email portal mail.com.

In a recent survey of 1,119 US people, the preferred method, by far, to log on to online services was the password, chosen by over half – 58% – of respondents.

Biometrics weren’t even close.

Fingerprints were the most popular of the body-as-authentication methods, at 10%. Scanning people’s eyes, their voices or their faces were the preferred methods for a skimpy 2% each.

When it comes to biometrics, only 9% of those surveyed thought that collecting data in this way is risk-free. In fact, 26% said that they found biometric authentication methods flat-out risky.

That’s a healthy dose of skepticism, and it’s certainly not unfounded.

When it comes to authentication via facial recognition, it’s too easy to spoof static authentication by holding up a 2D picture to a camera, as Google found out after filing a patent to let users unlock their phones by, say, sticking out your tongue or wiggling your eyebrows…

…or, in the case of fingerprints, by making a dummy fingerprint out of wood glue or a 2D inkjet printout.

Google went ahead and filed a patent for “Liveness Checks,” but researchers using the most basic of photo editing tools managed to fool it with just a few minutes of editing and animating photos to make them look like subjects were fluttering their eyelashes.

Similarly, a few months ago, researchers came up with a way to mimic the swipey touch gestures we use to get into our phones. They did it by whipping up a Lego robot and equipping it with a finger sculpted from Play-Doh.

At any rate, to get back to that we-love-our-passwords survey, these are some of the specific reasons why some people don’t like biometrics:

42% worry about not being able to access online accounts through these biometric authentication methods in case of a malfunction.
42% don’t want companies to collect, save and use their personal data for logging on to online services. (Note: you’re pretty much out of luck if the Feds want to use it after you’re dead!)
33% worry that third parties could access their biometric data if they lost a device. (Or, say, if a judge forces you to unlock the iPhone of your boyfriend/alleged Armenian gang member. Bear in mind that courts nowadays consider passwords to be covered by Fifth Amendment rights against forced self-incrimination because passwords are something you know. However, biometrics aren’t protected by the Fifth Amendment, since they’re considered to be something you are.)
32% worry that hackers could overcome biometric authentication methods to log on to their online accounts. (They’re right! We’ve seen fingerprints, facial recognition and iris recognition all fooled by hackers.)
30% don’t think the technology is fully developed to support these biometric authentication methods. (Which is quite likely why we keep seeing ever more new biometrics tested as authentication methods, including, for example, brainprints.)

Digital Trends quoted mail.com CEO Jan Oetjen on the survey results:

The survey shows that biometric login methods are far from becoming a mass market. Nevertheless, for more security throughout the internet it is very important that alternative authentication methods like biometry are being further researched.

In order to meet the concerns of users, providers have to fulfill high data protection requirements concerning the storage and use of biometrical data.

But is it a foregone conclusion that biometrics are the way to go, to get us out of our reliance on passwords that are, all too often, horribly flimsy?

As it is, we’re seeing other, non-biometrics work being done to replace passwords. One example is Google’s so-called Sign-In Experiments, in which it was trialing a method of password-less sign-in that involves interaction with your phone.

One reader told us back in January that he’s been using a similar Microsoft sign-in app on his phone for some time: whenever he signs in on an “untrusted” device, his phone displays the attempt immediately and asks if he wants to approve or deny the request.

Other readers are interested in SQRL (Secure Quick Reliable Login): a draft open standard for secure website login and authentication.

Does online authentication need to get better than passwords? Oh, yea.

Are biometrics the only way to do that?

Not by the looks of it.

And judging by the attitudes expressed by a representative selection of US people, that’s a good thing, given that so many of us really, really don’t like these authentication methods.