Microsoft Pen Authentication: do we need yet more biometric tech?

News by Davey Winder

As Microsoft files a patent for secure user authentication using a stylus, SC Media UK asks if the world needs yet more biometric security?

Microsoft is looking for a patent to cover the 'system and method for authentication with a computer stylus.' In other words, authenticating a user by what and how they draw on the screen. This could make sense considering that so many devices now have touch-enabled screens. But do we really need yet another biometric authentication technology?

Handwriting recognition is nothing new, with efforts that include pressure applied, the inclination of written text and so on, going back at least ten years. None have ever taken off. So why should this Microsoft effort be any different when it doesn't even appear to take that sort of biometric data into consideration?

Well, the Microsoft patent application is more than just a glorified lockscreen pattern detector or handwriting analysis tool. It talks about linking a specific stylus to a specific machine, which would make it a kind of 2FA device (meaning that the second factor in the multi-factor authentication (MFA) process is based on something you possess). Add the gesture recognition, to include the location on screen, and you get something you know thrown in as well.

This still leaves the question of why we need such a thing, when the world is already full of two-factor tokens, codes and biometric tech such as fingerprint or iris scanning? Other biometric authentication technology (who remembers the Biometric Butt Scanning Chair for example?) have fallen by the wayside, why will this be any different?

SC Media opened the debate with Sándor Bálint, security lead for applied data science at Balabit, who suggests that while a new biometric authentication method is probably not the most important thing when it comes to security these days, "we shouldn't confuse patent filings with product strategy either". With the legal and business environment heavily incentivising the patenting of everything that has even a remote chance of being useful in the future, he has a point.

Rashmi Knowles, CTO EMEA at RSA, admits that "authentication is a balancing act of security vs. convenience and organisations are always trying to find new, convenient ways to make identity and access more frictionless for the user". In that sense, Knowles believes that the more options available, biometric or otherwise, the better the chance of finding a solution or set of solutions which suit your exact needs.

And that's a fair point as current ones aren't always fit for purpose. "Voice recognition for instance is still in early stages of development, it has a lot of hiccups and can be frustrating," Knowles told SC. "Eye and retina scans were also quite bad at first, although it must be said that they are getting much better."

Innovation in this space isn't exactly hard to come across, and some of it shows a lot of promise. Qualcomm's Snapdragon Sense ID 3D Fingerprint Technology uses sound to map the contours of a fingerprint, for instance, thereby getting round the issue of fingerprint capture from an object.

"When this was announced," explains Ken Munro, a partner at Pen Test Partners, "we suggested this could have been further improved with the use of 2FA, and the Windows 10 stylus certainly seems to have ticked that box." Indeed, combining habitual usage patterns and gestures in addition to something like a fingerprint makes a lot of sense.

"It's certainly the case that current biometric technology is far too standalone," Munro argues. "Solutions need to adopt other forms of authentication in order to bolster security and improve upon the humble password."

Munro concludes that the prospects of using biometrics as a 1FA wonder authentication are pretty dim: "It should be used in conjunction with other factors, always."

Meanwhile, Kyle Lady, senior R&D engineer at Duo Security, says there is nothing new about handwriting authentication, observing that he was "logging into my Palm Pilot via the nuances of my signature in 2004".

That said, Lady still thinks the Microsoft idea has legs if the system is one that you'd need to use a stylus with anyway. "While the design you draw with Microsoft's stylus is something you know, it's impossible to describe how you write: which strokes are faster, the delay between strokes, and the pressure you use."

For any biometric methodology to become as truly popular (if that's the correct word) as the humble password, it will require user familiarity and comfort with the idea. Something that Lady points out is "already happening in the mobile phone space, with increasingly prevalent fingerprint sensors".

According to Thomas Bostrøm Jørgensen, CEO at Encap Security, the convenience of fingerprint and iris scanning isn't enough to convince everyone. What is needed, he insists, is choice. "What will drive mass uptake of biometric technology is a combination of choice, availability and usability beyond the device," Jørgensen says. "Using a fingerprint to unlock a device is a neat gimmick – using a fingerprint to securely authorise a bank transaction or sign a contract is market-changing."

Jackson Shaw, senior director at One Identity, warns that the caveat lies in standards. "If each vendor goes off and does their own thing," he told SC, "then it becomes cumbersome for the user".

Don't expect to be unlocking your Windows PC with your Apple Watch any time soon, Shaw points out. "The free market will choose winners and losers and those will become the standards everyone will snap to," Shaw insists, "but we're quite far from that at this point."

And finally, who better to leave the final word to on this disruptive topic than  SoftServe's Robert Corace, officially known as its 'executive vice president of digital disruption' (yes, seriously).

Disruptively, he thinks the world needs more biometrics.

"The fact is, biometric security is faster, easier to use, more convenient and more secure than traditional security measures," Corace says. "As the technology advances it will include additional layers of authentication and verification, making our current use of keys and passwords seem archaic in comparison."


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews