Passwords: More Secure Than Biometric Authentication?

Biometric Authentication

Biometrics has long granted or denied access to secure things like premises and vehicles. Now it is being seriously considered for the same role as regards connected services. A recent draft publication by the US Department of Commerce National Institute of Standards and Technology (NIST) proposes guidelines for reliable digital identity management including biometric authentication for granting access to diverse services through a dedicated device.

The draft is provoking a far-reaching debate. This centres on two factor authentication and authorisation. NIST argues there are circumstances when authentication via biometric device alone is sufficient. Others argue for supplementary or alternative authentication. The NIST proposal follows a simple logic: devices and accompanying password or PIN are “something you have.” Their ownership and your password memorisation itself serves as valid secondary authentication.

The draft proposes the following procedures for one time password devices (OTP devices): “The OTP is displayed on the device and manually input to the verifier. For example, an OTP device may display 6 characters at a time, thereby proving possession and control of the device. The multi-factor OTP device is something you have, and it SHALL be activated by either something you know or something you are.

All very good, but that “something you have” might turn out to be biometric data which is not secret at all. And passwords can be stolen or compromised in plentiful ways. Thus, one can flummox face recognition simply by taking or downloading someone else’s mugshot. And anyone can take one’s fingerprints from an object one has handled. Iris patterns can be captured by high resolution cameras. Et cetera…

The proposed solution is attack detection (PAD) technology. Liveness detection, for example, detects whether someone requesting access through a biometric device is actually a real person. But it still leaves plenty to be desired. Other factors that affect biometric authentication include a myriad of unpredictable events like a user injuring their enrolled fingers, experiencing changing facial features or body weight, iris recognition failing after eye surgery, and all the rest of it.

Hence, NIST concludes, an alternative authentication method is required and users must be able to use a second factor in the form of a memorised secret. This returns us to the good old password or secret question. This in turn ushers in wider questions on whether two-factor authentication is indeed secure and reliable, and whether biometrics in particular can be trusted.

The broader scenario usually involves sending confirmation messages to mobile devices. Physical or other coercion scenarios aside, one would need only occasional access to a mobile to complete compromised authentications involving PIN codes or passwords. Experts believe biometric authentication is good for physical security but impairs security provided by passwords. Sometimes, a false sense of security is worse than no security at all.

Many security experts argue that fallback password provide an extra layer of security. This pertains especially to cases when biometric authentication fails for false reasons. Others argue that where these two authentication methods work in parallel, not simultaneously, they in fact result in less secure authentication.

Hitoshi Kokumai is a long time advocate of either biometrics or passwords as sole authentication factors. He advises biometric product users to turn off biometrics functionality when their devices also allow passwords. His argument is that the convenience of biometrics with passwords as a fallback only obtains when users can accept lower security.

Biometrics used with a fallback password, the most common and popular way of deploying biometrics, might be helpful where convenience matters. But it is wrong to claim that it helps for security. Biometrics should be turned off where security matters. Password/PIN-only authentication is more secure.

Some people advocate a password-less life, perhaps without thinking about its consequence; life in a democratic society must secure the right for individuals not to get their identity authenticated without their knowledgeable confirmation. This volitional process can be achieved only by “volitional” identity authentication involving memorized secrets (passwords).

Due respect should be paid to the value of the biometric solutions as an effective “body identification” tool for forensic and the likes of border control. But it is not wise to use it for “identity authentication” in cyberspace,” Kokumai told CloudTweaks.

There is no doubt that biometric authentication offers convenient access to, say, a ‘phone. Access to critical services and locations is another matter. Biometric data is all too easy to obtain. Passwords are also hackable. What we probably have to admit is that we do not yet possess a technology which is fully compromise proof. This puts biometric authentication very much under question when it comes to business or organisation level security. A cautious approach remains the best attitude to a technology that demonstrably has a long way to go before offering truly secure identification.

By Kiril V Kirilov

Daniela Streng

Preventing IT Outages and Downtime

Preventing IT Outages As businesses continue to embrace digital transformation, availability has become a company’s most valuable commodity. Availability refers to the state of when ...
Sebastian Grady

Digital Transformation – Updated Metrics for the Cloud Era

Cloud Era Metrics Undertaking digital transformation means also transforming how IT success is defined, including metrics that address business in the cloud.  With up to ...
Steve Prentice

Episode 2: Coronavirus Phishing Emails and Work-from-Home Meetings

Coronavirus Phishing Emails What to watch out for as scammers exploit pandemic panic, and tips on how to attend meetings while working from home. Working ...

The Quest to Bring Computers to People – Personal Computing

The quest to bring computers to people,' rather than people to computers" resulted in the invention of Personal Computer The world changed its direction a ...
David Gevorkian

Website Accessibility: Compliancy, Laws and Best Practices

Key to Making Your Website Accessible The internet has changed the education sector in so many ways. With e-learning, more people around the globe are ...
Tunio Zafer

The Evolution of Data File Sharing

Data File Sharing Whether due to a lack of time, need or simply because email started at such an advanced stage, digital data-transfer systems have ...
Sam Samarasekera

Why AWS’s building block structure can benefit SMBs

AWS’s Structure Can Benefit SMBs With every year that passes, the popularity of cloud technology increases as more businesses choose to make the move. This ...
Trust Report

Profit-Driving Strategies for 2020, Backed by Data

Profit-Driving Strategies Since 2019 is coming to a close, the time has come for businesses to evaluate what they can do to propel profits in ...
Brian Day

Tips for Developing Apps In a Cloud Environment

DevOps and the Cloud Unless you’ve just started a brand-new organization, your IT environment is currently running a diverse collection of last-generation and older applications ...
Bill Talbot

How IT Operations Can Survive and Thrive in a Multi-cloud World

IT Operations Can Thrive in a Multi-cloud World IT operations teams are contending with the reality that growing volumes of workloads are running across multiple ...