Biometric Authentication

Passwords: More Secure Than Biometric Authentication?

Biometric Authentication

Biometrics has long granted or denied access to secure things like premises and vehicles. Now it is being seriously considered for the same role as regards connected services. A recent draft publication by the US Department of Commerce National Institute of Standards and Technology (NIST) proposes guidelines for reliable digital identity management including biometric authentication for granting access to diverse services through a dedicated device.

The draft is provoking a far-reaching debate. This centres on two factor authentication and authorisation. NIST argues there are circumstances when authentication via biometric device alone is sufficient. Others argue for supplementary or alternative authentication. The NIST proposal follows a simple logic: devices and accompanying password or PIN are “something you have.” Their ownership and your password memorisation itself serves as valid secondary authentication.

The draft proposes the following procedures for one time password devices (OTP devices): “The OTP is displayed on the device and manually input to the verifier. For example, an OTP device may display 6 characters at a time, thereby proving possession and control of the device. The multi-factor OTP device is something you have, and it SHALL be activated by either something you know or something you are.

All very good, but that “something you have” might turn out to be biometric data which is not secret at all. And passwords can be stolen or compromised in plentiful ways. Thus, one can flummox face recognition simply by taking or downloading someone else’s mugshot. And anyone can take one’s fingerprints from an object one has handled. Iris patterns can be captured by high resolution cameras. Et cetera…

The proposed solution is attack detection (PAD) technology. Liveness detection, for example, detects whether someone requesting access through a biometric device is actually a real person. But it still leaves plenty to be desired. Other factors that affect biometric authentication include a myriad of unpredictable events like a user injuring their enrolled fingers, experiencing changing facial features or body weight, iris recognition failing after eye surgery, and all the rest of it.

Hence, NIST concludes, an alternative authentication method is required and users must be able to use a second factor in the form of a memorised secret. This returns us to the good old password or secret question. This in turn ushers in wider questions on whether two-factor authentication is indeed secure and reliable, and whether biometrics in particular can be trusted.

The broader scenario usually involves sending confirmation messages to mobile devices. Physical or other coercion scenarios aside, one would need only occasional access to a mobile to complete compromised authentications involving PIN codes or passwords. Experts believe biometric authentication is good for physical security but impairs security provided by passwords. Sometimes, a false sense of security is worse than no security at all.

Many security experts argue that fallback password provide an extra layer of security. This pertains especially to cases when biometric authentication fails for false reasons. Others argue that where these two authentication methods work in parallel, not simultaneously, they in fact result in less secure authentication.

Hitoshi Kokumai is a long time advocate of either biometrics or passwords as sole authentication factors. He advises biometric product users to turn off biometrics functionality when their devices also allow passwords. His argument is that the convenience of biometrics with passwords as a fallback only obtains when users can accept lower security.

Biometrics used with a fallback password, the most common and popular way of deploying biometrics, might be helpful where convenience matters. But it is wrong to claim that it helps for security. Biometrics should be turned off where security matters. Password/PIN-only authentication is more secure.

Some people advocate a password-less life, perhaps without thinking about its consequence; life in a democratic society must secure the right for individuals not to get their identity authenticated without their knowledgeable confirmation. This volitional process can be achieved only by “volitional” identity authentication involving memorized secrets (passwords).

Due respect should be paid to the value of the biometric solutions as an effective “body identification” tool for forensic and the likes of border control. But it is not wise to use it for “identity authentication” in cyberspace,” Kokumai told CloudTweaks.

There is no doubt that biometric authentication offers convenient access to, say, a ‘phone. Access to critical services and locations is another matter. Biometric data is all too easy to obtain. Passwords are also hackable. What we probably have to admit is that we do not yet possess a technology which is fully compromise proof. This puts biometric authentication very much under question when it comes to business or organisation level security. A cautious approach remains the best attitude to a technology that demonstrably has a long way to go before offering truly secure identification.

By Kiril V Kirilov

The Digital Economy: Embracing The Latest Technological Advancements

The Digital Economy: Embracing The Latest Technological Advancements

The Digital Economy As you would expect, for any business to achieve successful growth and meet its objectives, it must ...
A Closer Look at the Hidden Costs of Collaboration Solutions

A Closer Look at the Hidden Costs of Collaboration Solutions

The Hidden Costs of Collaboration Solutions Collaboration technology is key to efficient communication and productivity for a dispersed and global ...
OpenStack private cloud revenues to outpace its public cloud revenues in 2018

OpenStack private cloud revenues to outpace its public cloud revenues in 2018

OpenStack Private Cloud Revenues Growth of OpenStack private cloud will overtake public cloud revenue for hosting providers sooner than previously ...
New Report Reveals Just How Bad The Cybersecurity Skills Gap Is

New Report Reveals Just How Bad The Cybersecurity Skills Gap Is

The Cybersecurity Skills Gap It’s not difficult to find worrying predictions from experts who say the cybersecurity sector desperately needs ...
Through the Looking Glass: 2017 Tech and Security Industry Predictions

Through the Looking Glass: 2017 Tech and Security Industry Predictions

2017 Tech and Security Industry Predictions As we close out 2016, which didn’t start off very well for tech IPOs, ...
Tesla is Worth More Than Ford or GM. Is this the Automakers iPhone Moment?

Tesla is Worth More Than Ford or GM. Is this the Automakers iPhone Moment?

The Automakers iPhone Moment Remember Blackberry? How about Nokia or Motorola? Vaguely you say. Will we one day state the ...
Exclusive: North American, UK, Asian regulators press EU on data privacy exemption

Exclusive: North American, UK, Asian regulators press EU on data privacy exemption

WASHINGTON/BRUSSELS (Reuters) - Financial watchdogs from North America, Britain and Asia are urgently seeking a formal exemption from the European Union’s tough new data privacy law to avoid hampering cross-border investigations, regulatory officials told Reuters ...
Radware Anti-DDoS Defenses Actively Shield Veon Customers During World Cup 2018

Radware Anti-DDoS Defenses Actively Shield Veon Customers During World Cup 2018

Russian telecoms company Veon already stopping hundreds of DDoS attacks every day, with further spikes expected MAHWAH, N.J., June 25, 2018 (GLOBE NEWSWIRE) -- Radware® (NASDAQ:RDWR), a leading provider of cyber security and application delivery ...
Adobe set to join rush of foreign giants opening AI labs in Canada

Adobe set to join rush of foreign giants opening AI labs in Canada

Adobe Systems Inc. is the latest foreign technology giant planning to open an artificial intelligence lab in Canada. The Silicon Valley software giant, best known for document-creation products Photoshop and Acrobat, says it is looking ...