Biometrics has long granted or denied access to secure things like premises and vehicles. Now it is being seriously considered for the same role as regards connected services. A recent draft publication by the US Department of Commerce National Institute of Standards and Technology (NIST) proposes guidelines for reliable digital identity management including biometric authentication for granting access to diverse services through a dedicated device.
The draft is provoking a far-reaching debate. This centres on two factor authentication and authorisation. NIST argues there are circumstances when authentication via biometric device alone is sufficient. Others argue for supplementary or alternative authentication. The NIST proposal follows a simple logic: devices and accompanying password or PIN are “something you have.” Their ownership and your password memorisation itself serves as valid secondary authentication.
The draft proposes the following procedures for one time password devices (OTP devices): “The OTP is displayed on the device and manually input to the verifier. For example, an OTP device may display 6 characters at a time, thereby proving possession and control of the device. The multi-factor OTP device is something you have, and it SHALL be activated by either something you know or something you are.”
All very good, but that “something you have” might turn out to be biometric data which is not secret at all. And passwords can be stolen or compromised in plentiful ways. Thus, one can flummox face recognition simply by taking or downloading someone else’s mugshot. And anyone can take one’s fingerprints from an object one has handled. Iris patterns can be captured by high resolution cameras. Et cetera…
The proposed solution is attack detection (PAD) technology. Liveness detection, for example, detects whether someone requesting access through a biometric device is actually a real person. But it still leaves plenty to be desired. Other factors that affect biometric authentication include a myriad of unpredictable events like a user injuring their enrolled fingers, experiencing changing facial features or body weight, iris recognition failing after eye surgery, and all the rest of it.
Hence, NIST concludes, an alternative authentication method is required and users must be able to use a second factor in the form of a memorised secret. This returns us to the good old password or secret question. This in turn ushers in wider questions on whether two-factor authentication is indeed secure and reliable, and whether biometrics in particular can be trusted.
The broader scenario usually involves sending confirmation messages to mobile devices. Physical or other coercion scenarios aside, one would need only occasional access to a mobile to complete compromised authentications involving PIN codes or passwords. Experts believe biometric authentication is good for physical security but impairs security provided by passwords. Sometimes, a false sense of security is worse than no security at all.
Many security experts argue that fallback password provide an extra layer of security. This pertains especially to cases when biometric authentication fails for false reasons. Others argue that where these two authentication methods work in parallel, not simultaneously, they in fact result in less secure authentication.
Hitoshi Kokumai is a long time advocate of either biometrics or passwords as sole authentication factors. He advises biometric product users to turn off biometrics functionality when their devices also allow passwords. His argument is that the convenience of biometrics with passwords as a fallback only obtains when users can accept lower security.
“Biometrics used with a fallback password, the most common and popular way of deploying biometrics, might be helpful where convenience matters. But it is wrong to claim that it helps for security. Biometrics should be turned off where security matters. Password/PIN-only authentication is more secure.
Some people advocate a password-less life, perhaps without thinking about its consequence; life in a democratic society must secure the right for individuals not to get their identity authenticated without their knowledgeable confirmation. This volitional process can be achieved only by “volitional” identity authentication involving memorized secrets (passwords).
Due respect should be paid to the value of the biometric solutions as an effective “body identification” tool for forensic and the likes of border control. But it is not wise to use it for “identity authentication” in cyberspace,” Kokumai told CloudTweaks.
There is no doubt that biometric authentication offers convenient access to, say, a ‘phone. Access to critical services and locations is another matter. Biometric data is all too easy to obtain. Passwords are also hackable. What we probably have to admit is that we do not yet possess a technology which is fully compromise proof. This puts biometric authentication very much under question when it comes to business or organisation level security. A cautious approach remains the best attitude to a technology that demonstrably has a long way to go before offering truly secure identification.
By Kiril V Kirilov