On Friday, the White House convened a “cyber summit” at Stanford’s campus in Palo Alto so that business and government leaders could get together and talk, essentially, about how scary hackers are.
There were two keynote speakers: Apple CEO Tim Cook, who got 10 minutes of talking time, and President Obama, who got 30 minutes. Obama focused on the threats to our digital security — “This is not a liberal or conservative issue. Everybody is online and everybody is vulnerable” — and legislation he’s proposed, including a revision to the existing law against computer intrusion and a national data breach notification law. He ended the talk by signing an executive order to promote companies sharing information about digital attackers. Cook, meanwhile, spent most of his time promoting Apple Pay and talking about threats to privacy in the name of security.
Cook obliquely addressed an ongoing tension between Apple and the U.S. government: Apple’s decision to add encryption to its iPhones so that the data on them can only be unlocked by their owners, and not with a government order. The enhanced security measure has come under criticism by the U.K. prime minister and by the director of the FBI, who said Apple and Google (which plans to offer the same feature for Androids) are putting their customers “beyond the law.”
“We believe deeply that everyone has a right to privacy and security,” said Cook. “So much of our information now is digital: photos, medical information, financial transactions, our most private conversations. It comes with great benefits; it makes our lives better, easier and healthier. But at Apple, we have always known this also comes with a great responsibility. Hackers are doing everything they can to steal your data, so we’re using every tool at our disposal to build the most secure devices that we can.”
Cook used the opportunity at the podium to take a dig at his tech competitors—pointing out that Apple, unlike other companies, doesn’t sell or monetize its customers’ data. His fellow CEOs were not there to hear the burn, though. Despite being invited, Facebook CEO Mark Zuckerberg, Yahoo CEO Marissa Mayer and Google CEO Larry Page, were not in attendance at the hastily-arranged summit, though their security executives did show up.
Cook signaled that Apple has no intention to back down on allowing its customers to encrypt their devices, despite the criticism the policy has gotten from government types and calls for “golden keys” to grant law enforcement access to otherwise secure messages.
“People have trusted us with their most personal and private information and we must give them the best technology we can to secure it,” said Cook. “Sacrificing our right to privacy can have dire consequences. We live in a world where people are not treated equally. There are people who don’t feel free to practice their religion, express their opinion or love who they choose. Technology can mean the difference between life and death.”
In other words: people have secrets that they want to keep from hackers, but also, in some places with repressive governments, from authorities themselves.
“If we don’t do everything we can to protect privacy, we risk more than money,” said Cook. “We risk our way of life.”
Passwords Are Terrible — And These Companies Want To Kill Them
That’s the password-free future that many tech companies envision. It just may take them a while to get there.
Passwords have long been the gold standard in online and device security, and we’ve been using them for as long as we’ve had to log in to computers and accounts.
The trouble is, passwords are horrible. Many people don’t use them properly. While security experts recommend using a strong, unique password for every service, most users don’t do that,leaving them vulnerable to hacking. And many of us regularly forget our passwords and have to reset them frequently.
But take heart: The race to kill the dreaded password is on. Tech giants are battling to replace it with biometric technology — using your face, eyes, fingerprint or heartbeat to identify you — which could mean more security and convenience for consumers.
This week, Qualcomm, which makes the chips for many Android smartphones, announced Snapdragon Sense ID, a new type of sensor that uses sound waves to detect 3-D details of your fingerprint. The company says the sensor can read fingers covered in sweat or lotion and can work on glass, steel, plastic and aluminum devices, giving more flexibility to device manufacturers.
Snapdragon Sense ID, unveiled this week at Mobile World Congress, an annual gathering in Barcelona for tech and telecom leaders, is just one of several new developments in biometric security that technology companies have announced of late.
Also at Mobile World Congress, Samsung said that it had improved the fingerprint sensor on its new high-end smartphones.
At the Consumer Electronics Show in January, chipmaker Intel unveiled True Key, which uses facial recognition, fingerprint scanning and other authentication methods to unlock a password manager that gives access to apps and online accounts.
And Touch ID, Apple’s fingerprint-sensing technology for newer iPhones and iPads — widely seen as the most successful application of biometric security to consumer devices — is available on a growing number of third-party apps.
“There’s somewhat of a perfect storm happening in the marketplace now,” said Anthony Antolino, the chief marketing and business development officer at eyeLock, a New York-based company that has built iris authentication platform technology.
Antolino said that frequent high-profile security breaches, the availability of less expensive and smaller biometric technologies and the staggering rise in the number of mobile devices are all driving the urge to end the password age.
The success of Apple’s Touch ID in particular has inspired the rest of the industry to follow, according to Chester Wisniewski, a senior security advisor at the security company Sophos.
In September 2013, Apple released Touch ID on the iPhone 5S as an alternative to unlocking the phone with a passcode. The company said at its developer conference last June that before Touch ID was available, fewer than half of iPhone owners used a passcode. But as of that conference, 83 percent of iPhone 5s users were using Touch ID to unlock their phones.
“Apple proved a business model offering consumers biometrics,” Wisniewski said. “Apple went out there and proved people will use it if it’s easy enough to use.”
A year later, Apple opened up Touch ID to non-Apple apps, so people can now use their fingerprints to log in to some services, like Amazon and personal finance manager Mint. And people with the latest Apple devices can also use Touch ID to pay for things with their phones.
Still, it will be quite a while before the password is out of our lives completely.
One issue is the reliability of biometric security. Even though Touch ID is widely seen as successful, it doesn’t work well for everyone. It also may not work if your hands are cold or after you’ve showered or done the dishes.
When Intel debuted True Key during a keynote address at the CES, the program failed to recognize the presenter during the demonstration.
Passwords have no such issues. Despite their drawbacks, they work — if you type in your password correctly, you’ll get in.
Another issue is trust: Consumers must believe that these companies are taking good care of data on their fingerprints, faces and eyes.
Wisniewski lauded Apple for the way it protects the privacy of users’ fingerprints, but said consumers shouldn’t expect the same levels of security from every company that holds their biometric data — especially when protecting password data has already proven to be so difficult.
“Why should we trust that the companies asking us for our biometric data are going to be any better with it than my password?” Wisniewski said.
For the time being, security experts recommend using password managers — digital lockers that not only generate strong, unique passwords, but also store them — that can be unlocked with one strong password. They also recommend using multi-factor authentication, which requires you to use a code generated on another device, like a smartphone, when it’s available.
“Right now we’re eliminating the hassle of remember multiple passwords,” said Mark Hocking, vice president and general manager of Safe Identity at Intel. “Down the road, we want to eliminate the password completely. But that’s going to take a long time.”