By Martyn Landi, PA Technology Correspondent, and Will Maule
02:20, 5 MAY 2022
The public and businesses need to “drop passwords altogether” and move to other technology to protect personal information from hackers, a cybersecurity expert has said.
Marking World Password Day on Thursday, Grahame Williams, identity and access management director at defence firm Thales, said passwords were “becoming increasingly insecure” and “easily hacked”. He called on the industry to move to other forms of log-in, such as multi-factor authentication (MFA) – where users must provide an additional layer of identification to log in – or biometrics, such as face or fingerprint scans, to improve the general safety of personal data.
Mr Williams said a key issue was the widespread use of simple and easy-to-guess passwords. Data shows that common and obvious phrases such as “password” and “qwerty” – in reference to the common computer keyboard layout – are often among the most used passwords globally.
Now I can understand if they say there is a need to increase security and some services may require thumb or eye scan and a memorable password but not ONE solution alone.
Experts advise people who are creating a password to use a collection of three unique, random words and not to reuse them across multiple accounts. But Mr Williams said where possible, platforms should introduce other ways for people to log in and users should strive to use them.
“Whereas passwords are really easy to guess, actually being able to use something which is unique to you – like your face or fingerprint – is obviously the logical step for us to take,” he said. “We would recommend that everyone – whether consumer or private – to start utilising these technologies.
“Our standpoint on this is there’s no reason why you should have to still use passwords and we should all be looking to really push forward.”
“Whereas passwords are really easy to guess, actually being able to use something which is unique to you – like your face or fingerprint – is obviously the logical step for us to take,”
Am I the only one here who doesn't keep my phone next to my computer?
Mr. Grahame Williams has a major flaw in his argument. That he's a spokesman for Thales frightens me.
User name, fingerprint, face scan are all useful to identify you.
Fine.
But a password is in your brain, and hopefully only there. It's at a much higher and personal security level. That some people use idiotic passwords is their problem.
It's unfortunately coming. Google has already announced they wanted to get rid of passwords too. Most online services will likely follow.
Can I refuse to have my child fingerprinted at school?
Emma Norton
Thinkingcrumpet wants to know if refusing to allow their son to be fingerprinted by a new school will endanger his place
Fri 16 Jul 2010 11.38 BST
My child will be starting a school in September where the preferred registration method is fingerprint recognition. Is it lawfully possible to refuse to comply and keep his place at the school?
More and more parents are asking us for advice about this issue. No one knows how many schools are now using biometric technology like this because it seems that the government is not keeping a record. Some estimates suggest that as many as 30% of all schools in the UK have fingerprinting technology. This means that millions of children are having their fingerprints taken and retained. This massive expansion of the collection of highly personal data has been allowed to take place without parliamentary scrutiny or public debate.
The short answer to thinkingcrumpet's question is: we cannot see how it would be fair or lawful for a school to use a parent's refusal to consent to fingerprinting her child as a reason for rescinding an offer of a place at a school. The reaction would be wholly disproportionate (engaging the child's right to privacy and education).
The new coalition government has already stated that it intends to ban the taking of prints from children without parental consent so it would be very poor practice if schools did not take this proposed legislation into account (although they are, of course, not legally bound by it). Furthermore, the Information Commissioner's Office (the office that oversees compliance with the Data Protection Act 1998 (DPA)) has published guidance on this issue and advises that even though there is no lawful requirement on a school to obtain parental consent for fingerprinting children, the school "must" involve the parents to ensure that information is obtained fairly, unless the school can be certain that the child understands the implications of giving up his/her prints.
The ICO states that "it would be a heavy-handed approach for schools not to respect the wishes of those pupils and parents who object". It specifically states that other systems can work just as well and that those who wish to opt out should be offered another means of accessing the same services.
The main reasons given by schools for introducing biometric technologies are to assist in registration, library and canteen systems. Upon entry, the pupil is required to place his or her finger on a scanner whereupon the software will identify them as someone entitled to access the service. It is argued that access to the service is made faster and more efficient, but also that the system can keep tabs on the pupil (so that it is easier, for example, to spot if a student is skipping school). Using a cashless system like this is also credited with reducing bullying and stigmatisation, especially for those on free school meals. It has been suggested that parents can keep better track of what their kids are eating, with some sort of block being put on the canteen system if the child tries to buy unsuitable food.
Although fingerprinting technology is still the main biometric system employed by schools, other trials to date have included retinal scanning and palm-vein scanning.
So what is wrong with this? Certainly when I asked my 14-year-old and some of his friends about it, they didn't immediately see anything wrong with fingerprints and scanners in schools – in fact, they quite liked the futuristic style of the technology as opposed to their battered old library cards, or boring registration procedures. Liberty does not share their enthusiasm. Indeed one of our principal concerns is that it plays on these ideas and gets children accustomed to giving up their highly personal biometric data as a matter of routine.
If children at primary school age are taught that it is normal to hand fingerprints or other personal data to their school or local authority, how alarmed are they going to be if and when, as adults, a future government tries to reintroduce the idea of ID cards, for example, or to argue that there should be universal DNA retention?
It also touches on the important issue of consent. The law (see below) requires that the person must give their consent to the fingerprints being taken. How schools are ensuring that children are giving informed consent is very hard to determine and practice seems to vary widely. The ability of a seven-year-old to give consent is going to be very different from that of a 17-year-old. Surprisingly, the law does not require that consent be obtained from the parents of a child, although good practice and guidance has recommended that it be obtained in advance. We are aware of many cases where this has not happened, though, and parents are only informed after the event.
The massive expansion in the use of this technology has been pushed almost entirely by the private sector companies that make a lot of money out of it. Some have made claims about the benefits of the technology that are entirely untested. We have heard about one school that spent thousands of pounds installing retinal scanning software, only to have to remove it because the process of scanning each pupil took far longer than expected and all the pupils could not be fed inside the lunch hour. Concerns about preventing bullying and stigmatisation could also be met through the wider introduction of swipe cards and PIN numbers.
The law
The Data Protection Act 1998 contains a number of principles governing what a "data controller" (in this case, a school) can do with the personal information it holds. A detailed discussion of the data-protection principles is beyond the scope of this article, but in summary: the information must be processed fairly and lawfully; can only be taken for a lawful purpose; must be adequate and not excessive in relation to the purpose for which it was taken; must be kept for no longer than is necessary; and must be safely and securely maintained.
Liberty believes the problems touched on above with regard to consent raise immediate questions about whether information taken in such circumstances can be said to have been processed "fairly and lawfully". We are also very concerned about the possibility of other agencies outside the school being able to access the information. The ICO has confirmed, for example, that the police could ask the school to hand over biometric information about children. It has stated that biometric data should be destroyed once a pupil leaves the school but there is no system for checking and ensuring this is done. Compliance with the DPA is likely to be poor because it is effectively unchecked.
Article 8 of the Human Rights Act protects the right to respect for a person's privacy. The taking of DNA and fingerprints has already been held by the court of human rights to engage this right. The need for protection is even higher for children.
The right to privacy is not an absolute right and under the second part of the article the state may justify an interference with the right that is "in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others".
You can see the sort of arguments that would be raised to try to show that the interference was justified. Assuming the DPA had been complied with, the school could argue that retention was necessary in a democratic society to ensure attendance of pupils at school or prevent bullying and stigmatisation (protection of the rights and freedoms of others). We think this is questionable. It is hard to see how installing a new system for taking books out of a library justifies the interference with privacy involved. And there are less invasive alternatives available to deal with concerns about attendance and bullying, which do not have such implications for personal privacy.
The expansion of biometric systems like this has been allowed without a proper public debate. If we get too hung up on issues about efficiency and modernisation, we will overlook these vital questions. This highly personal information belongs to the individual and it should not be for him or her to tell the state why they should not have it – it is for the state to justify why it should. So far, it has failed to do so.
It's unfortunately coming. Google has already announced they wanted to get rid of passwords too. Most online services will likely follow.
I don't depend on it, I'll close the account to move somewhere else.
Sure. Until they all do the same. Do you think they won't?
https://www.firstpost.com/tech/news-analysis/explained-why-apple-microsoft-google-want-to-get-rid-of-passwords-10640151.html
The big three tech companies want to introduce a system where users will have to log in to online services using a passkey on their phones.
Well I already do that when paying for things over a certain value but it makes me wonder about SIM swap. Oh yes they might fix the problems with that by requiring a biometric reading.
I don't know what I am going to do but I don't want to give anybody apart from doctor or healthcare my personal medical information thank you very much.
Not participating in the survey, as it misses the option I would choose and is designed wrong.
In the real world, most data breaches that I have read about were due to human stupidity, such as inserting a thumb drive to see what was on it. A simple PIN should suffice.
I suspect the ratio of cracking "passwords" to obtaining such information by stupidity is similar.
Dear Apple, Google and Microsoft. And wot about us renegades who have decided the best place for their mobile phone was in the bin?
I don't mind if it is changed in other ways but my concern is just based on forcing everyone to use biometric revealing information about themselves.
What would you like me to list as an option in the survey?
Jeremy was fired for refusing fingerprinting at work. His case led to an 'extraordinary' unfair dismissal ruling
ABC RN / By Anna Kelsey-Sugg and Damien Carrick for The Law Report
Posted Mon 20 May 2019 at 10:30pm, updated Tue 21 May 2019 at 6:25am
When Queensland sawmill worker Jeremy Lee refused to give his fingerprints to his employer as part of a new work sign-in, he wasn't just thinking about his privacy. It was a matter of ownership. "It's my biometric data. It's not appropriate for them to have it," he tells RN's The Law Report. For not agreeing to the new system, Mr Lee was sacked. What followed was a legal battle that delivered the first unfair dismissal decision of its kind in Australia. Mr Lee represented himself before the full bench of the Fair Work Commission — and won. "It's extraordinary," says Josh Bornstein, national head of employment law with Maurice Blackburn lawyers. "It's off the charts for a self-represented litigant dealing with very sophisticated legal issues to have such an outstanding result. That is a very unusual achievement. "There's not too many Jeremy Lees, in my experience." He says Mr Lee's case reflects the complicated intersection of privacy and technology — an area in which the law is struggling to keep up pace.
'My biometric data is mine' — or is it?
Mr Lee says his employers at Superior Wood "tried to coerce" him to agree to the new fingerprint scanning system for about three months. But he remained resolute. Mr Lee says he has no criminal record and has never been in trouble with police. Nor does he object to a drug or alcohol test at work. But he draws a firm line at handing over his biometric data — data relating to someone's physical or physiological make-up — for fear it could be shared and potentially misused. "If someone else has control of my biometric data they can use it for their own purposes — purposes that benefit them, not me. That is a misuse," he says. His employer argued the new scanning system meant they could better track who was or wasn't on the premises, but Mr Lee says there are other means of doing that. Swipe cards, he argues, could be just as effective as an electronic identity check. His employers disagreed.
In February 2018 Mr Lee was fired for refusing the new sign-in system. Represented by pro bono lawyers, he began an unfair dismissal case. That case, heard by a single commissioner at the Fair Work Commission, was unsuccessful. The commissioner found the fingerprint scanning system was a reasonable policy; therefore, the sawmill company had a right to require employees to comply with it — and to dismiss those who didn't. Mr Lee appealed against the decision, proceeding to argue his case before a full bench of the Fair Work Commission — this time without any legal representation or support. The legal framework he was operating within was highly complicated, but his reasoning was anything but. "I was insisting that my biometric data is mine," he says. "My objection was that I own it. You cannot take it. If someone wants to get it or take it they have to get my consent. "Surely if my employer tries to get it and sacks me for refusing to give it, that is illegal. That was my argument." But it was a different argument that convinced the commission's full bench.
'A fantastic and unusual outcome'
The commission's full bench found there was no valid reason to fire Mr Lee for refusing to provide consent to the company to use his fingerprints and biometric data. On May 1, 2019, more than a year after Mr Lee was sacked, it was found he had been unfairly dismissed.
"I think it was a fantastic and unusual outcome," Mr Bornstein says.
He says all employees have an obligation to "comply with all lawful and reasonable directions" from an employer. But the Privacy Act states that when an employer wants to collect sensitive information — and biometric data like fingerprints are classified as such — they must give sufficient notification and allow for a process of informed consent. Mr Lee's workplace failed on both accounts. The commission found the sawmill's scanning policy had violated the Privacy Act. Mr Bornstein says the law "has been shifting very much in favour of employers being able to give employees direction successfully about medical information [and] other information, making greater and greater incursions into their employees' lives".
But Mr Lee's victory presents a major roadblock. "[Mr Lee's] is a rare case, which actually says 'no, what you did was not right' ... and the employee actually had a win," Mr Bornstein says. He says the win highlights the increasingly fraught intersection of privacy, technology and regulation. "There's a huge issue more broadly in our society as to whether people's privacy protections are being maintained with the rapid pace of technological change," Mr Bornstein says. "We're seeing employees more closely regulated than ever before — on a 24/7 basis. "There's no doubt regulation is lagging well behind the development of technology."
Who really owns our biometric data?
Mr Lee is proud of his win, but his case has left him disappointed too. While the law declared him unfairly dismissed, his case didn't set a legal precedent — as he'd hoped it would — about the ownership of biometric data. But Mr Bornstein says the law has never recognised biometric information as property and — precedent or not — Mr Lee's win is remarkable. "What he's achieved is quite spectacular and very, very unusual," he says. "He may not have achieved a finding that he couldn't be forced to hand over his property, but he did achieve a finding that he could not be forced to hand over, without his consent, sensitive information under the Privacy Act." Mr Bornstein says the issue of whether biometric information is property is "a philosophical debate". "Ultimately, is our personal information, is our fingerprint data, is the image of our face, property? In some ways it's a legal debate [but] I think it is an even broader argument that's more philosophical in nature," he says. "So it was, I think, a fantastic and unusual outcome to do this on your own, from first tier up to a full bench, and be successful. "It's an amazing achievement."
Biometric authentication is alluring, because it’s extremely convenient, but under the hood it’s a key generator. Better than user-invented passwords, but in many ways worse. It’s one-factor authentication, with a factor that can never be changed and, while possibly hard to copy,(1) it is still publicly available information.