When passwords fall down

In the previous article I touched on some of the problems with password security but there is more to this subject. A few years back I was working with children as a primary school teacher in a city school. The classrooms had no computers except one laptop for the teacher to use with a projector. This isn’t much of a step forward from my old schooling in the 1980′s, when  at least my classroom had a BBC micro for the children to use! But outside in the corridor, however, there was a bank of computers set-up for classes to share access to throughout the week. But computer access, or lack thereof, isn’t the topic I want to highlight today. I have entitled this article, “When passwords fall down” – and so on to how this relates to experiences in schools.

Retina scanners: a viable way forward?

In schools, access to computers is, in many cases, enabled by user profiles. These profiles can store user preferences, settings and assign shared storage. The advantage: a user is not tied to a particular machine but can access their documents at multiple locations. Users have access to a range of machines, each linked to a central server or servers. In corporate and higher education environments this is a common arrangement as it allows a pooling of resources and flexible working practices. When schools look to install IT facilities for their pupils they naturally look to this model for ideas.

At first glance this approach appears sensible, especially as in the case of my old school where children are sharing access to a bank of computers. The alternative of one-laptop-per-child seems a very remote possibility (although this Indian tablet initiative is encouraging) and a pupil/PC ratio of 10:1 is not uncommon. Sharing IT resources makes a lot of sense, be they desktop or laptops or tablets. So the popular setup is to have computers dotted around the site, congregated in IT suites or stored in a movable trolley. These in turn connect to wired or wifi-based networks to gain access to the internet and internal server systems. Setting up such a network is relatively straightforward for a knowledgable engineer and maintenance is low so many schools employ contractors to work on a part-time basis to periodically update systems.

So how are these systems used in practice? When logging on to a computer at the start of the teaching session each pupil will enter their user details on the login screen and subsequently be able to access a personalised subset of applications and data storage from the main server (some systems run applications on the server itself – others run the apps from the local client computer and  just store user settings and files centrally). And this is where the problems start. Children are required to enter a username and a password. This could be simply the child’s name and a favourite colour – that shouldn’t cause any problems should it? Well, even adults forget their passwords on occasion – hence the need for a password-reset link on the majority of internet sites. This reset feature normally uses an email-based recovery process. On internal sites it is more common to have a password reminder or a refer-to-system-admin option. In the school environment the common problem is exasperated by the likelihood of children forgetting – or being unable to spell – their own username!

The result is that teachers often have to enter usernames and/or passwords for children, so they will commonly print out lists of children’s login details for such a purpose. This is not an ideal situation as then valuable lesson time is wasted. If, in a typical class of 30 pupils, a teacher spends 1 minute per pupil helping them log in then 30 mins of the lesson have been wasted. Of course, some teachers will provide children with login details printed on cards (which will be lost over the course of a term) or commission more able children to help those struggling to enter their details. Another option is to disable personal profiles and enable general access to the computers. This has a few disadvantages, access to certain applications can no longer be controlled on a user-by-user basis and children have to either store files locally (limiting them to one machine) or   be trained to use certain server directories (as if learning a password wasn’t bad enough!) But even this cannot rule out the need for passwords as more and more applications go online and in the cloud we will be requiring pupils to enter login details to more and more websites.

No, there is a clear problem with the current reliance for password-based access to IT services in education. Other methods for securing access have centred around hardware-based solutions: in one school I visited, the children accessed a library computer with a finger-print scanner. Some manufacturers are experimenting with facial recognition for this task. Facial recognition will struggle with identical twins, however, and all hardware methods currently require additional equipment and software - something schools are unlikely to fork out for. The recent acquisition by Apple of security tech company AuthenTec raises the possibility of such hardware becoming integrated into future iPhones and iPads (or even TV remotes for parent control?). Where Apple goes, others always follow, so the future might see biometrics replacing the password for a variety of applications.

Other more left-field solutions include a number of password alternatives based on users tapping out a rhythm on a single button. I know from experience that memorable phrases can be used to teach children simple rhythms. Perhaps this would work as an alternative to conventional text-based passwords. Or will the voice-prompt be a way forward? The worry with old voice recognition systems was they could be fooled by recordings – not so anymore as this video claims:

So is this a way forward for children? Security doesn’t need to be as tight in a school network environment and it requires very little hardware – certainly nothing expensive. The software could be an issue as the current systems available are mainly used in banks although this stand alone voice-protected USB device has all the tech built-in. So who is making it right now? Well, a brief online search doesn’t immediately reveal any products specifically aimed at the education market. Anyone want to address that?