Facebook: Is this the Beginning of the End, or the End of the Beginning?

Facebook: Is this the Beginning of the End, or the End of the Beginning?

Is Facebook the new smoking? Zuckerberg and Sandberg may be inept at damage control but growth has plateaued, market share is declining and they have to raise prices to maintain revenue. Is something fundamental happening? The pile on is definitely underway. Not since Uber have
How Norway’s Fatland beat back ransomware thanks to a rapid backup and recovery data protection stack

How Norway’s Fatland beat back ransomware thanks to a rapid backup and recovery data protection stack

The next BriefingsDirect strategic storage and business continuity case study discussion explores how Norway’s venerable meat processing business, Fatland, relied on rapid backup and recovery solutions to successfully defended against a nasty ransomware attack. The comprehensive backup and recovery stack allowed Fatland’s production processing systems to snap back to use after only
Biometric Authentication

Passwords: More Secure Than Biometric Authentication?

Biometric Authentication

Biometrics has long granted or denied access to secure things like premises and vehicles. Now it is being seriously considered for the same role as regards connected services. A recent draft publication by the US Department of Commerce National Institute of Standards and Technology (NIST) proposes guidelines for reliable digital identity management including biometric authentication for granting access to diverse services through a dedicated device.

The draft is provoking a far-reaching debate. This centres on two factor authentication and authorisation. NIST argues there are circumstances when authentication via biometric device alone is sufficient. Others argue for supplementary or alternative authentication. The NIST proposal follows a simple logic: devices and accompanying password or PIN are “something you have.” Their ownership and your password memorisation itself serves as valid secondary authentication.

The draft proposes the following procedures for one time password devices (OTP devices): “The OTP is displayed on the device and manually input to the verifier. For example, an OTP device may display 6 characters at a time, thereby proving possession and control of the device. The multi-factor OTP device is something you have, and it SHALL be activated by either something you know or something you are.

All very good, but that “something you have” might turn out to be biometric data which is not secret at all. And passwords can be stolen or compromised in plentiful ways. Thus, one can flummox face recognition simply by taking or downloading someone else’s mugshot. And anyone can take one’s fingerprints from an object one has handled. Iris patterns can be captured by high resolution cameras. Et cetera…

The proposed solution is attack detection (PAD) technology. Liveness detection, for example, detects whether someone requesting access through a biometric device is actually a real person. But it still leaves plenty to be desired. Other factors that affect biometric authentication include a myriad of unpredictable events like a user injuring their enrolled fingers, experiencing changing facial features or body weight, iris recognition failing after eye surgery, and all the rest of it.

Hence, NIST concludes, an alternative authentication method is required and users must be able to use a second factor in the form of a memorised secret. This returns us to the good old password or secret question. This in turn ushers in wider questions on whether two-factor authentication is indeed secure and reliable, and whether biometrics in particular can be trusted.

The broader scenario usually involves sending confirmation messages to mobile devices. Physical or other coercion scenarios aside, one would need only occasional access to a mobile to complete compromised authentications involving PIN codes or passwords. Experts believe biometric authentication is good for physical security but impairs security provided by passwords. Sometimes, a false sense of security is worse than no security at all.

Many security experts argue that fallback password provide an extra layer of security. This pertains especially to cases when biometric authentication fails for false reasons. Others argue that where these two authentication methods work in parallel, not simultaneously, they in fact result in less secure authentication.

Hitoshi Kokumai is a long time advocate of either biometrics or passwords as sole authentication factors. He advises biometric product users to turn off biometrics functionality when their devices also allow passwords. His argument is that the convenience of biometrics with passwords as a fallback only obtains when users can accept lower security.

Biometrics used with a fallback password, the most common and popular way of deploying biometrics, might be helpful where convenience matters. But it is wrong to claim that it helps for security. Biometrics should be turned off where security matters. Password/PIN-only authentication is more secure.

Some people advocate a password-less life, perhaps without thinking about its consequence; life in a democratic society must secure the right for individuals not to get their identity authenticated without their knowledgeable confirmation. This volitional process can be achieved only by “volitional” identity authentication involving memorized secrets (passwords).

Due respect should be paid to the value of the biometric solutions as an effective “body identification” tool for forensic and the likes of border control. But it is not wise to use it for “identity authentication” in cyberspace,” Kokumai told CloudTweaks.

There is no doubt that biometric authentication offers convenient access to, say, a ‘phone. Access to critical services and locations is another matter. Biometric data is all too easy to obtain. Passwords are also hackable. What we probably have to admit is that we do not yet possess a technology which is fully compromise proof. This puts biometric authentication very much under question when it comes to business or organisation level security. A cautious approach remains the best attitude to a technology that demonstrably has a long way to go before offering truly secure identification.

By Kiril V Kirilov

Kiril Kirilov

Kiril V. Kirilov is a content strategist and writer who is analyzing the intersection of business and IT for nearly two decades. Some of the topics he covers include SaaS, cloud computing, artificial intelligence, machine learning, IT startup funding, autonomous vehicles and all things technology. He is also an author of a book about the future of AI and BIg Data in marketing.

RESOURCES

12 WordPress Managed Hosting Services

12 WordPress Managed Hosting Services

WordPress Hosting Services WordPress hosting services has exploded in popularity as a blogging tool and content management system in recent years, and is now used by more than 23.3 percent (2018 Edit: 53%) of the top 10 million websites worldwide. Due ...
Glassdoor’s 10 Highest Paying Tech Jobs Of 2018

Glassdoor’s 10 Highest Paying Tech Jobs Of 2018

Glassdoor is best known for its candid, honest reviews of employers written anonymously by employees. It is now common practice and a good idea for anyone considering a position with a new employer to check them out on Glassdoor first. With ...
HTML5 Speed Test

HTML5 Speed Test

HTML5 SPEED TEST SERVICES There is no made-for-all solution when it comes to optimizing a website for speed, and while putting a cloud platform in place is a good start, every cloud startup should ensure that they have an optimization ...

SPONSORS

Moving Test and Dev to the Cloud: How the "As-A-Service" Economy Delivers Tangible Benefits

Moving Test and Dev to the Cloud: How the “As-A-Service” Economy Delivers Tangible Benefits

Moving Test and Dev to the Cloud Have you ever seen the old parlor trick in which a person pulls ...
The Shift from Monolithic to Microservices: What It Means for CTOs

The Shift from Monolithic to Microservices: What It Means for CTOs

The Shift to Microservices The shift in application development strategies is moving from monolithic design to isolated and resilient components ...

Cloud Community Supporters

(ISC)²
AWS
HPE
CA Technologies
Cisco

Cloud community support comes from sponsorship, service opportunities and collaborative network partnership initiatives.

"Top 100 Brand Influencer, Cloud”
-ONALYTICA

"Best Cloud Computing Blog"
-SYSADMIN MAGAZINE

"Top 10 Sites For Cloud Computing"
-DIGITALISTMAG SAP

"Top 10 Cloud Computing Blogs”
-MARKETING ENVY

"Top 25 Must Read Cloud Blogs"
-CLOUDENDURE