Eradicating Usernames and Passwords for Good – The Evolution of Biometrics
By Hector Hoyos, CEO of Hoyos Labs
How many times every day do we log onto our favorite websites – everything from online banking
accounts and social media profiles to news outlets and retail stores – and are prompted to enter
usernames and passwords with a variety of characters, symbols and word length requirements to
access them? Of course, forgetting these passwords only prompts you to answer yet another set
of lengthy questions to make sure that you are who you say you are: What’s the name of your
first pet? What was the last name of your second grade teacher? Where did you go on your first
date? In some cases, not knowing the answers to these questions could even lock you out of
your accounts. When do we finally say that enough is enough with usernames and passwords?
Consumers and corporations alike seem to agree that replacing usernames and passwords with
an easier, more convenient way to access our personal accounts is far overdue at this point in
history, especially with corporate hack and personal identity theft stories becoming more and
more prevalent in the media. From both a B-to-B and B-to-C perspective, the use of biometrics is
already leading the charge in this effort and making waves while doing so. Biometrics are, in fact,
passwords of the future: instead of having to remember countless usernames and passwords for
different websites, all someone will ultimately need to log onto these sites is himself or herself through
biometrics – facial, periocular (a subset of facial biometrics), iris and / or fingerprint.
Over the last three decades, the biometrics and IT fields have developed significantly when it
comes to identity assertion. Back in 2010, Bank of America’s Headquarters in Charlotte, North
Carolina, deployed an iris-based access control system that was based on the HBOX and
EyeLock, two original proprietary technology products from Global Rainmakers, Inc., now known
as EyeLock Corp. Thousands of Bank of America employees entered their workplaces all around
Charlotte with nothing more than a glance of their irises, and no access cards or tokens were
needed. It took almost three years to reach this revolutionary breakthrough, as employees could
conveniently use iris-based biometrics to go in and out of the workplace in five seconds without
having to worry about carrying or losing their access cards. It was a watershed moment.
But three years later, a Forbes article came out about Google in which the company proposed a
two-factor authentication system (2FA) that required using a username and PIN, plus a token that
connects to the USB port of a computer. Dropping biometrics completely from the equation and
replacing them with a username / password system again, as well as a token that people had to
carry with them, seemed counterintuitive to what Bank of America had accomplished just a few years
prior. As a result, many predicted that at some point, people would have to get rid of usernames,
passwords and PINs completely and replace them with biometrics on smartphones since we
carry our phones with us nearly everywhere that we go.
Flash forward to today and studies from Ericsson, PayPal, IBM, Microsoft and the Ponemon
Institute all reflect this sentiment. According to Ericsson’s study The 10 Hot Consumer Trends of
2013, 52 percent of smartphone users want to use fingerprints instead of passwords, 61 percent
want to use fingerprints to unlock phones and 48 percent are interested in using eye-recognition.
Another study by PayPal shows that consumers “are OK” with biometrics and that 53 percent of
those surveyed are “comfortable” replacing passwords with fingerprints, and 45 percent would opt
for an iris scan. Microsoft Research funded yet another study titled The Quest to Replace
Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, and one
of its main conclusions is that the replacement for passwords should conform to the following
criteria: it should be easy to carry, efficient to use and have easy recovery from loss. It even goes
as far as to say that these criteria are achieved mostly by biometric schemes and that tokens are
not enough to achieve this. So how do we get biometrics-based technology into the hands of
consumers and corporations to safeguard their property?
Companies are able to figure out what makes their products successful through the adoption and
continued support of their offerings by consumers, who are focused on convenience and ease-of-use
in their everyday lives. When it comes to biometrics, in some cases, it hasn’t become as
widespread as it should be at this point, because technology hasn’t become advanced enough to
eliminate spoofing efforts completely. For example, the iPhone 5S’s TouchID fingerprint
technology was hacked less than 48 hours after its release. As mentioned, some biometrics
technology still requires people to carry around extra gadgets or tokens, and there are now
password keepers that rely on even more complex master passwords and central databases to
store and protect private material.
But when it comes to the use of iris and periocular biometrics in particular, people can perform
many different tasks on their smartphones, including the ability to make financial transactions
quickly, seamlessly and securely. The core information in the face comes from the periocular, or
suborbital, eye area. Unlike voice recognition or fingerprints, periocular biometrics can be subject
to what’s called “liveness” detection through a series of proprietary computer vision techniques.
This determines whether the biometrics belong to a living person, not a high resolution
photograph or video. Voice, on the other hand, can be affected by background noise and is easily
spoofed (like fingerprints). It’s important to note, however, that biometrics are only as good as
their back-end systems, and as standalone hardware, they won’t get us very far, which is why it is
critical to have a complete, end-to-end solution with this new and constantly evolving technology.
Even in the short period of time since Bank of America deployed its iris-based access control
system, the world of identity assertion and biometrics has come a long way. Today, there are a
myriad of products on the market that seek to make people’s lives easier by eliminating
usernames and passwords once and for all. Some still require tokens, master passwords and
central databases while others allow people to do nothing more than take a selfie with their
smartphones to quickly authenticate their identities and access their accounts. It’s clear that
usernames and passwords are becoming a thing of the past, but for technological progress to
continue on track, it’s imperative for those who are working in the biometrics and IT fields to
remember that convenience and security are key components to ensuring that biometrics are a
lasting solution.
Identity assertion technologies that don’t utilize biometrics have continued to be built on the
premise that “identity” is defined by a set of numbers, letters and characters – be it a Social
Security Number, username, password or Apple ID. With biometrics technology, we are changing
the way that people and companies view identity. Identity should exist in the technological field as
the single, unique set of unchangeable biometrics that each person is born with. Rather than
burden people with a growing string of codes, PINs and passwords that they need to keep track
of (which can easily be hacked or stolen), people can use their own biometrics to identify and
verify themselves in the purest way possible – with the unique, physical attributes that they were
born with.
Hector Hoyos has been in the biometrics and IT fields since the mid-1980s as the founder and
president of various biometric companies. He co-founded and presided over Biometrics
Imagineering Inc., creating state-of-the-art technologies, such as fingerprint identification systems
and interactive financial transaction systems. He also helped incubate the Praetorian technology,
a real-time video surveillance technology, which, in February 2008, was awarded a training/video
surveillance contract by the U.S. Marine Corps.
Additionally, Hoyos served as the CEO of EyeLock Inc., an iris-based identity authentication
company, and Global Rainmakers, Inc. (GRI). He also invented the highly acclaimed HBOX,
Eyeswipe and Eyelock iris biometrics-based access control family of products. His inventions
have been implemented in multiple verticals including border control, education, healthcare
facilities, airports and financial institutions, among others, both in the U.S. and abroad.
Currently, he manages a digital infrastructure security company, Hoyos Labs, located at the
Cambridge Innovation Center on MIT’s campus. Hoyos Labs is the company behind 1U, a B-to-B
and B-to-C app that leverages a person’s smartphone to acquire his or her biometrics – facial,
periocular, fingerprint, iris – to securely and conveniently protect online accounts without utilizing
extra gadgets or tokens, master passwords or central databases. 1U uses a unique, proprietary
“liveness” detection system that distinguishes a real person from an image or video in recognition
that there is only one you (1U).