One of the biggest problems is that many people use weak passwords (easy for a machine to guess), and this is compounded by the fact that they use the same (weak) passwords on multiple sites. If one gets hacked, then all may fall. One way of preventing this from happening is to use more complex and different passwords for each site. However, with potentially dozens of sites (I have about 150 sites in my manager), it becomes very hard, or just impossible, to remember them all. It’s human nature; even hackers have been found to use weak passwords at times.
Myris from Eyelock has been designed to solve this problem by letting you use extremely complex passwords, without having to remember them, ever. Myris will encrypt and store the passwords, and you can use a simple way to unlock them: just look at the device and your unique iris pattern will be used to decrypt the vault.
Strong and weak passwords: what are they?
In case you’re not sure what “Strong Password” and “Weak Password” mean, I would like to clarify this before continuing.
The main metric for Strong/Weak is how easy it is for a machine (or a human) to guess. The first thing that a human would do is to guess your password by using information related to you: birthday, pet name, spouse name, etc… People often use these because it’s easy for them to remember. Unfortunately, it’s also easy to guess with a little bit of work. Maybe there are 20-30 obvious data points here.
With the help of a computer, hackers can also try using all dictionary words and all known slang, famous character names, etc… They also have lists of the most frequently used passwords (here on iPhone), of the worst passwords, which is even documented by some ridiculous studies on the topic. This means that if you use one of those, it is only a matter of time until they find the right one. Still, they must try tens of thousands of possible passwords in what is called a brute-force attack.
For you, the name of the game is to increase the number of possible combinations to make your login credentials harder to guess/crack. You can typically do that by mixing more characters in the password like capital letters, numbers and punctuation (like “sF154rhgES01#%”), or by simply making the password longer, maybe by using a pass-phrase like “yesterday Jaba the Hutt ate 10 bugs at diner”. Certainly, I think that the latter is easier to remember, but both are strong passwords.
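The guessing order described above (personal data, common-password lists, then dictionary words or raw character combinations) can be turned into a rough strength estimate. This is an added example, not part of the original review; the list contents and the 20,000-word dictionary size are constructed assumptions.

```python
import math
import string

# Constructed stand-ins for the attacker's lists described in the text.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
PERSONAL_FACTS = {"rex", "maria", "19840612"}  # made-up pet, spouse, birthday
WORDLIST_SIZE = 20_000  # assumed dictionary size for word-level guessing


def charset_size(pw):
    """Alphabet size a per-character brute force has to cover for pw."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
        (" ", 1),
    ]
    size = sum(n for chars, n in classes if any(c in chars for c in pw))
    return max(size, 1)  # avoid log2(0) for characters outside these classes


def estimate_bits(pw):
    """Return (bits, attack): log2 of guesses needed by the cheapest attack."""
    if not pw:
        return 0.0, "empty"
    low = pw.lower()
    if low in PERSONAL_FACTS:
        return math.log2(len(PERSONAL_FACTS)), "personal data"
    if low in COMMON_PASSWORDS:
        return math.log2(len(COMMON_PASSWORDS)), "common-password list"
    char_bits = len(pw) * math.log2(charset_size(pw))
    words = pw.split()
    if len(words) >= 3:
        # Assumes words picked independently at random; a grammatical
        # sentence is more predictable, so treat this as an upper bound.
        word_bits = len(words) * math.log2(WORDLIST_SIZE)
        if word_bits < char_bits:
            return word_bits, "word-by-word guessing"
    return char_bits, "per-character brute force"


if __name__ == "__main__":
    for pw in ["password", "sF154rhgES01#%",
               "yesterday Jaba the Hutt ate 10 bugs at diner"]:
        bits, attack = estimate_bits(pw)
        print(f"{bits:6.1f} bits  {attack:28s} {pw}")
```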
It is best to use one unique strong password for each site you subscribe to. However, memorizing such passwords quickly becomes impossible. That’s what password managers were invented for.
A password manager is essentially a digital vault which contains all your passwords. Good password managers are (very) strongly encrypted so that if the vault were to fall into the wrong hands, it would be extremely difficult to crack.
Myris unlock: why and how?
When it comes to biometric information used to unlock your data, fingerprints have proved to be a popular option. The iris pattern is unique like fingerprints, but the Eyelock team will point out that the human eye has many more unique markers than fingerprints do, so it is “more unique” if you want.
By looking at your eyes, Myris can create a unique key that is bigger and harder to guess/crack, in theory. It is the equivalent of an extremely complex master password. Except that you don’t have to remember it, and that nobody can possibly “guess” what it is.
Software like Lastpass or 1password has proven that this is an effective and easy way to manage passwords. Myris was created to take this process to the next level by replacing the master password that you type with your eye signature. The net result is an unforgettable master password, and a faster log-in, since you don’t have to type. Eyelock has a great overview that compares the accuracy of Iris-based recognition with fingerprints or voice recognition.
Without looking at the raw image of what Myris exactly “sees” when looking at your eyes, I’m not exactly sure how much eye detail can be gathered, but I’m pretty confident that false positive ID would be very hard, especially if you take into account that a person needs physical access to your device.
Installation
The installation is pretty simple and easy, although Chrome users may bump into a couple of caveats that I will mention shortly.
Upon connecting the Myris device to a USB port, a drive should appear with an app installer. Select your OS and start the installation. I have tested it on Windows, but Mac users should have a fairly similar experience.
I strongly recommend closing all applications – the browsers in particular, since the installer will attempt to install browser extensions (IE, Chrome and Firefox are supported on a PC) which will capture and fill out password fields.
This is where I bumped into issues with Chrome (on two different PCs): since Chrome had some resident threads running in the background, the installer would not install the extension. If you don’t know how to check for this in the Task Manager, just reboot your computer, then proceed with the installation before using a browser.
If you are using another password manager such as Lastpass (and others), I would recommend disabling the browser extension for it because you could see some issues as both the old manager and Myris try to capture password events at the same time.
By the time the install is finished, you should see an Eyelock app screen that asks you to register for a new account. After that, it will take several photos of your iris and use them as a reference.
The installation app doesn’t say it explicitly, but it’s important during the initial acquisition process that you move the device back and forth between 9 and 13 feet from your eyes. This will allow the device to capture images of your iris at different distances, allowing for later recognition from different placements.
If you decide to change your default browser after the initial scan, please close the app and restart it, or it won’t be able to launch the browser.
Add websites & Apps
From there, you will be prompted to unlock Myris with your eyes each time you enter a new password online. This works pretty much like other password managers, except that the passwords aren’t stored online, but inside the Iris device, making this protected from massive online breaches such as the one Lastpass experienced a few years ago.
To automatically log into a website, just go to the login page, and look at the Myris device. It will take about 1 sec to unlock, then it will fill out the form automatically for you.
Adding apps works very much in the same way, although since applications don’t use a standard web form to ask for logins and passwords, Eyelock has to add support for each of them individually, so expect only the most popular apps to be supported.
Overall user experience
I really like the idea of what Myris is designed to accomplish: removing friction from the password management process. If after about 1-3 seconds (usually 1 sec), I can be positively identified and my credentials can be retrieved and entered on an app/web site, this is great.
The industrial design is very well done, and the Myris device feels great in the hand, and is not intimidating at all. As long as you can see both eyes in the small mirror at a comfortable distance (like holding a smartphone), it should be able to see enough of your eyes to recognize who you are.
Must-know and possible improvements
As good as Myris is, there are a few things that you need to be mindful of, and some things that I wish were different.
1/ This is a personal device: because it uses both eyes to recognize a user, and is not configurable to handle more than one person, this is pretty much a one-user device and isn’t meant to be used by a group or a family. It’s OK, but since some tablets and phones are becoming more group-friendly, I wanted to point that out. This is probably something that Eyelock can add on later, since it’s “just” a matter of storage and data partitioning.
2/ Support is behind a walled password-protected access. I think that Eyelock should make public the most frequently asked questions such as “how can I install the Chrome add-on after the initial install?”.
3/ Device lost/stolen: Well, if that happens, you have to start from scratch, and yes, it’s very bad because you can’t possibly remember all the complex passwords that you created, thinking that someone else would remember them for you.
Myris won’t be hacked by a massive attack on a central server (some security analysts have floated the idea that an online vault can be ripe for hacking), but the downside is that there is no central server to back up your data. In fact, there is no way to back up the data. If you travel with it, you can potentially be in trouble if your bag gets stolen. I have suggested to the Eyelock team that users should be able to backup/restore a strongly encrypted file to a local drive.
4/ Installation could use more polish: The kind of issues that I had with the Chrome extension and Skype could be difficult to deal with for many. It’s true that not everyone uses 3 web browsers, but many people use Chrome. I’ve had no problems with Firefox and IE 10/11.
Small detail: the installation shows you all the files being installed. This is great for developers to keep tabs on potential issues, but users would rather want to have a plain progress bar to know when things will be done.
There is a strong case for saying that using retinal recognition is much stronger and more convenient than a master password, but beyond pure password security, I typically think of Myris as a convenience device which is built to make managing and using your (strong) passwords much easier.
To me, this is not about building some kind of uncrackable master password (although it would help). Myris’ ability to quickly and accurately recognize your eyes is top notch, and that’s an undeniable advantage.
If you look around (and omit idiotic passwords like… “password”), the overwhelming majority of stolen logins/passwords come either from (sometimes sophisticated) phishing, or are taken at the source: the web servers of your bank/store/provider. Complex password management will allow you to severely limit what the stolen data can be used for, and force the thieves to effectively breach each site separately. Complex passwords buy you time and space to react.
Myris has the potential for making strong password management much easier, especially for folks who don’t want to become “password management savvy” (nobody should have to do that, really). In a way, the future of password management for non-geeks probably looks like this. In the meantime, if you need a password manager that also works on phones, tablets and non-Mac/Windows systems, you may want to wait since Myris doesn’t support all platforms yet.
Can someone unlock Myris by using a picture of me? Iris uses near-infrared light and bounces light in a way that requires a live subject and (I suspect) some 3D-volume in the iris’ texture, so it would be extremely hard, if not impossible, to unlock using a photo.