Sital Amin is Director of product management for Qualcomm Technologies, Inc. (QTI), where she leads development of QTI’s trusted execution environment and content protection solutions. Prior to her role in security, Sital managed multiple Qualcomm Web Technologies product initiatives, including MPEG-DASH, WebGL and HTML5 development. The views expressed are the author’s own, and do not necessarily represent the views of Qualcomm.
If I were asked to design a truly secure smartphone, it would be really easy. The phone would have one button and it would dial just one number.
Why? Because security is the art of restricting access. Therefore, the most secure solution will also be the most restrictive.
Unfortunately, my one-button phone wouldn’t be very useful, so clearly, its security measures would need to be more flexible. At the end of the day, humans use these devices for specific purposes—shopping, mapping, messaging, reading, banking—and they don’t think about security. They simply expect it. That’s the foundation we’re working from. Unlike military defense systems, where users understand that they may need to take some extra steps or give up some of their personal comfort for the sake of security, people are less willing to make concessions with consumer electronics. Case in point: If I told you that your next smartphone would be incredibly secure but would have only half the battery life, the average person would probably opt out of the extra security.
The password is a classic example of that value judgment: The effort it takes to maintain security trumps the perceived benefits. This is because passwords are great for security, but they’re not designed for our brains. The problem is that a strong password, one that could not be hacked, would have to be so complicated that you would need a computer to remember it for you. Multiply that by the number of websites and services that require a password, and our brains are simply at a natural disadvantage. So we use a weak password, reuse the same password for all websites, write a list of passwords in an Excel file (shudder!), buy an app to manage passwords, or use some other method that lets us continue our lives without disruption.
The root of the password problem is that it’s forcing humans to think like machines. From a user perspective, wouldn’t it be more useful to make machines that think more like humans? Cognitive technologies like machine learning are enabling us to teach our devices how to recognize individual users based on the behaviors and characteristics that make each human unique. For humans, this type of authentication will appear seamless, because it’s how we recognize one another in day-to-day life. Imagine how awkward seeing a friend on the street would be if, like computers, we had to authenticate each other every time we met. Instead, we recognize him based on sensory inputs—how he looks and sounds, and the way that he walks.
Soon, computers will be able to do the same thing.
For example, some devices now use biometric data like fingerprint, voice, or iris scans in place of traditional passwords. Unique inputs like these are ideal, but many devices are still unable to distinguish between a face and a photograph of that face. While no security solution is completely foolproof, we’re continuing to improve on these systems, and they’re quickly becoming more robust. Biometric authentication can potentially (and eventually very likely will) use any sort of biological data—from a heartbeat to the chemical makeup of sweat—but this is only one piece of the mobile security puzzle.
Security has different layers. The fact that your fortress has guards intelligent enough to distinguish friend from foe doesn’t mean that you should now leave the drawbridge down. What is the next line of defense? Each sensor on our device can be used to gather information: You have a camera that can take a snapshot of your face, a microphone that can listen to your voice and analyze it, even an accelerometer and gyro that can detect and learn to recognize everything from how you handle your device to the specific eccentricities of your gait. Any one of these information points alone can provide a certain degree of authentication, but when you start to combine them intelligently, they become even more powerful.
The ultimate goal is to build smart solutions that will enable a device to recognize that you’re there in the flesh and not require you to do anything else. As a technology platform, mobile has come to encompass so much more than just tools for communication and organization. Likewise, cognitive technologies will allow us to finally take full advantage of the global network that tech companies have worked so hard to build by proactively (and automatically) safeguarding our privacy.
When we enter credit card numbers and other private information, our mobile devices become personalized. Soon, they’ll become personal. As counterintuitive as it may sound, our data itself is helping to secure our devices better than any password ever could. Just as much as height or weight, this data is a part of what makes each human unique—beyond just the space they occupy.
So it wouldn’t be quite so easy, but if somebody asked me to design a smartphone that was truly secure (without sacrificing the user experience), it would be a phone intelligent enough to know its owner on a more personal level.