What If Your Password Was A… Hand Motion?

The future of authentication has nothing to do with letters and numbers.

If you were the JPMorgan employee whose stolen password was used to collect data from 76 million people, you might have wished you could wave a magic wand and make the problem go away. Similarly, if you were Jennifer Lawrence the morning she woke up and found that her naked pictures had been stolen from the cloud and leaked all over the Internet, you might have fantasized about a magic wand.


That’s sort of the idea behind AirSig, a Taiwanese startup that received $2 million in funding last month for its algorithm that protects passwords via its “magic wand” technology.

It works like this: You store all your passwords inside a “wallet” app, similar to 1Password. But rather than opening the app with yet another password, you open AirSig by signing your name in the air with your cellphone. It looks as if you’re waving your magic wand. The phone’s internal sensors recognize your unique motion and open the app so you can access your secret passwords.

AirSig is still in its infancy (it’s been downloaded a little over 9,000 times) but it recognizes a basic truth: Everybody at this point agrees that the password needs to die, or at the very least, get some help. Even if you pick really hard-to-crack passwords with symbols and a gazillion characters (most people still go for “password” and “1234” however), it’s still crazy-easy for hackers to steal your log-ins. Partly, that’s because most people’s accounts are all linked via their email, so once hackers have gotten into one account via a basic password retrieval scam, they’ve got the keys to the proverbial kingdom.

AirSig doesn’t kill the password–it just protects your passwords–but it does present a novel authentication method that could theoretically replace or at the very least supplement the password one day. It’s also one of a growing number of technologies that are taking advantage of mobile phones and wearable devices to verify your identity.


Biometric authentication, using a person’s physical characteristics to identify them, is finally gaining traction. The fingerprint sensors in the iPhone 6 and Galaxy S5 let you unlock your phone with your thumbprint. And this summer, Samsung hinted that it plans to equip upcoming mobile devices with a retina scanner.

The FBI just announced the launch of its six-years-in-the-making Next Generation Identification (NGI) program, a vast system that will capture the fingerprints, iris scans, DNA profiles, voice ID, and other facial recognition characteristics of millions across the U.S. It will be built and maintained by Lockheed Martin and start rolling out this year, not just for public agencies such as police departments to use, but for unspecified private entities as well.

Facial and voice recognition products have existed in the marketplace for a good while, but have been stymied in part due to poor sensors and low cell-phone camera resolution. But mobile technology is improving.

“This field is very important because passwords definitely don’t work,” says Johannes Ullrich, director of SANS Internet Storm Center, a cyber-threat/Internet security monitor and alert system. “Biometrics is the closest thing you have to real-world authentication where people recognize people by their looks.”

What if, instead of a password, you had a passthought? UC Berkeley professor John Chuang has spent the past three years working on a way to use people’s brainwaves as a means of authentication. Chuang hooked research subjects up to cheap consumer-grade EEG machines and asked them to think about a secret but specific thing: imagine themselves playing golf, for instance, or singing “The Sound of Music.” Their brainwave activity was like a fingerprint, nearly impossible to duplicate, even if somebody knew their secret “passthought.”

“No two people’s brain structure is the same, even if they’re identical twins,” explains Chuang, who intends to build out an authentication system based on his findings and make it available to whoever wants to use it.


Despite the poetic allure of using your golf visualizations to log onto Gmail, the reality of going about your day hooked up to electrodes is perhaps a bit far-fetched. More realistic is the Canadian startup Bionym, which creates a wristband called the Nymi that analyzes your heartbeat using a voltmeter and uses that to identify you.

The challenge for the Nymi, AirSig, or any other new authentication system, is widespread adoption. Until big companies like PayPal and Google decide to recognize you by your magic wand sig or heartbeat, we’re stuck with the same old password system. But at least we know it’s coming.

“Google Glass that has a camera that does biometrics on you is the ultimate dream,” says Ullrich. And at that point we become the password. Problem solved.