How does a machine verify the identity of a human being? Irises, heartbeats, fingertips and voices, for starters.

Apple's two new iPhones include a model with a fingerprint sensor that can be used instead of a passcode to open the phone and buy products. It is part of a trove of authentication tools being developed for consumers.

Among the most novel of biometric authentication tools is a new wristband developed by cryptographers at the University of Toronto. It contains a voltmeter to read a heartbeat.

"You put it on. It knows it's you. It communicates that identity securely to everything around you," said Karl Martin, one of its creators.

Security is a primary selling point of the wristband, Nymi. While a heart can be broken, Mr. Martin promises that a heartbeat cannot.

These new technologies arrive against the backdrop of mounting concerns over security and privacy, as the old ways of verifying identity online have been exposed as risky. Many user names and passwords have been stolen from a variety of popular sites, and last month, it was discovered that even passwords as long as 55 characters could be broken.

Clef, a start-up firm in San Francisco, has developed a mobile app that lets you send an encrypted key from a mobile app to a desktop computer. Then, the Web site you are trying to enter can effectively recognize you based on your phone, instead of a typed-in password.

LaunchKey, a Las Vegas start-up that is in a testing phase, also looks to the mobile phone for authentication. You register with LaunchKey and connect your account to a particular cellphone. Then, when you log into a Web site or mobile app that accepts the start-up's service, it sends a notification to that phone. Using an app, you move an icon on the screen to authorize authentication.

The start-up OneID, based in Redwood City, California, offers a single sign-on that can be used on various Web sites and devices. In a video, an engineer at OneID, Jim Fenton, demonstrated how he used OneID to open his garage door at home.

The weakness of many new Internet-connected devices, Mr. Fenton said, is protecting secure access.

"If you connect all these things to the Internet, you need to have good ways - good from a security standpoint and a convenience standpoint - good ways to control access to things," he said. "Having user names and passwords is not a good solution

for every device."

Biometric authentication tools, like fingerprint readers, have already been put in devices like laptops, but they have not always worked correctly. It remains to be seen how well Apple's new fingerprint sensor will work, and whether users will adopt it.

At the same time, biometric sensors raise questions of security. When Apple's sensor was announced, skepticism and privacy concerns erupted online even though Apple said users' fingerprints would be stored only on the phone - not sent to online servers or made available to app developers.

Technologists say just one trick is unlikely to unlock the problem of authentication. One set of tools may verify identity on Web sites; another may unlock cars; still another could grant access to bank accounts.

A coalition of hardware and software companies, calling itself the Fido Alliance, is working on a set of specifications for password alternatives that the industry can rally around. Its guidelines are expected to be released at the end of the year. Companies affiliated with Fido are already testing products, like fingerprint readers and software that recognizes faces and voices. One day, users might be able to log into a favorite e-commerce site by speaking into a computer and buy something with a gaze at a mobile PayPal app.

Facebook has perhaps had the most success in becoming a one-stop identity verification service. Millions of Web sites allow users to log in with their Facebook credentials, which is also a way for Facebook to get to know you better - and serve you more tailored ads. The dangers are obvious. A thief with your Facebook credentials can pretend to be you across the Web.

Mozilla has been trying to popularize its Persona alternative to that single sign-on system. Mozilla makes sure your e-mail provider verifies that the account belongs to you. Then, for every site that accepts a Persona login, you can log in with the original verified e-mail.

A more fantastical solution is being developed in a lab at the University of California, Berkeley. Computer scientists there say a simple and cheap headset will be able to read your brain waves to verify your thoughts - and save you the work of typing in a password.

The New York Times

(China Daily 09/22/2013 page11)