Passwords

Passwords: More Secure Than Biometric Authentication?

Biometric Authentication

Biometrics has long granted or denied access to secure things like premises and vehicles. Now it is being seriously considered for the same role as regards connected services. A recent draft publication by the US Department of Commerce National Institute of Standards and Technology (NIST) proposes guidelines for reliable digital identity management including biometric authentication for granting access to diverse services through a dedicated device.

The draft is provoking a far-reaching debate. This centres on two factor authentication and authorisation. NIST argues there are circumstances when authentication via biometric device alone is sufficient. Others argue for supplementary or alternative authentication. The NIST proposal follows a simple logic: devices and accompanying password or PIN are “something you have.” Their ownership and your password memorisation itself serves as valid secondary authentication.

The draft proposes the following procedures for one time password devices (OTP devices): “The OTP is displayed on the device and manually input to the verifier. For example, an OTP device may display 6 characters at a time, thereby proving possession and control of the device. The multi-factor OTP device is something you have, and it SHALL be activated by either something you know or something you are.

All very good, but that “something you have” might turn out to be biometric data which is not secret at all. And passwords can be stolen or compromised in plentiful ways. Thus, one can flummox face recognition simply by taking or downloading someone else’s mugshot. And anyone can take one’s fingerprints from an object one has handled. Iris patterns can be captured by high resolution cameras. Et cetera…

The proposed solution is attack detection (PAD) technology. Liveness detection, for example, detects whether someone requesting access through a biometric device is actually a real person. But it still leaves plenty to be desired. Other factors that affect biometric authentication include a myriad of unpredictable events like a user injuring their enrolled fingers, experiencing changing facial features or body weight, iris recognition failing after eye surgery, and all the rest of it.

Hence, NIST concludes, an alternative authentication method is required and users must be able to use a second factor in the form of a memorised secret. This returns us to the good old password or secret question. This in turn ushers in wider questions on whether two-factor authentication is indeed secure and reliable, and whether biometrics in particular can be trusted.

The broader scenario usually involves sending confirmation messages to mobile devices. Physical or other coercion scenarios aside, one would need only occasional access to a mobile to complete compromised authentications involving PIN codes or passwords. Experts believe biometric authentication is good for physical security but impairs security provided by passwords. Sometimes, a false sense of security is worse than no security at all.

Many security experts argue that fallback password provide an extra layer of security. This pertains especially to cases when biometric authentication fails for false reasons. Others argue that where these two authentication methods work in parallel, not simultaneously, they in fact result in less secure authentication.

Hitoshi Kokumai is a long time advocate of either biometrics or passwords as sole authentication factors. He advises biometric product users to turn off biometrics functionality when their devices also allow passwords. His argument is that the convenience of biometrics with passwords as a fallback only obtains when users can accept lower security.

Biometrics used with a fallback password, the most common and popular way of deploying biometrics, might be helpful where convenience matters. But it is wrong to claim that it helps for security. Biometrics should be turned off where security matters. Password/PIN-only authentication is more secure.

Some people advocate a password-less life, perhaps without thinking about its consequence; life in a democratic society must secure the right for individuals not to get their identity authenticated without their knowledgeable confirmation. This volitional process can be achieved only by “volitional” identity authentication involving memorized secrets (passwords).

Due respect should be paid to the value of the biometric solutions as an effective “body identification” tool for forensic and the likes of border control. But it is not wise to use it for “identity authentication” in cyberspace,” Kokumai told CloudTweaks.

There is no doubt that biometric authentication offers convenient access to, say, a ‘phone. Access to critical services and locations is another matter. Biometric data is all too easy to obtain. Passwords are also hackable. What we probably have to admit is that we do not yet possess a technology which is fully compromise proof. This puts biometric authentication very much under question when it comes to business or organisation level security. A cautious approach remains the best attitude to a technology that demonstrably has a long way to go before offering truly secure identification.

By Kiril V Kirilov

THOUGHT LEADERS

Daren

Data Privacy Day (Cue The Parade)!

Data Privacy Day On Sunday, January 28, the United States, Canada, India and 47 European countries will celebrate Data Privacy Day, an international day established ...
Mark Casey Apcela

After the SD-WAN: leveraging data and AI to optimize network operations

AI to Optimize Network Operations Increasing numbers of companies have implemented SD-WAN technology, thanks to benefits like higher performance, lower cost, and greater business agility ...
Louis Columbus

The Best IoT Companies To Work For In 2019 Based On Glassdoor

The Best IoT Companies To Work Employees would most recommend the following companies to their friends looking for a job in IoT:  IGEL, SAP, ARM, Fortinet, Google, Microsoft, Bosch, Samsara, Schneider Electric, Siemens, Dell Technologies, Red Hat, Cisco ...
Jim Fowler

Data as a Service: 5 Strategies to Transition How You Access Data

Data as a Service Information wants to be free — at least that’s the saying. And like any good saying, you can read it in ...
Dark Web

An End to Credit Cards? How the Dark Web Is Pushing Fintech Towards Blockchain

Dark Web Pushing Fintech Towards Blockchain As Jennifer Klosterman points out, “There are many strong reasons for reputable businesses to keep their noses clean and ...

SPONSOR PARTNERS