Slashdot Mirror


Slashdot Asks: Should Businesses Switch To Biometric Passwords? (hbr.org)

This question was inspired by a recent article in Harvard Business Review: It's become abundantly clear that passwords are an untenable way to secure our data online. And asking your customers to keep track of complicated log-in information is a terrible user experience... The threat to security when relying on passwords is one reason businesses are increasingly migrating to biometric systems. Identity verification through biometrics can ensure greater security for personal information, while also providing customers with a more seamless experience in the digital environment of smartphones, tablets, sensors, and other devices... the idea is to verify someone's identity with a high degree of assurance by tying it to multiple mechanisms at once, known as biometric modalities [which] when used in concert, can provide a significantly safer environment for the customer, and are much easier to use... [I]f an app simultaneously requires a thumbprint, a retina scan, and a vocal recognition signature, it would be close to impossible for a bad actor to replicate that in the seconds needed to open the app.
This got me curious -- are Slashdot's readers already seeing biometric verification systems in their own lives? Share your experiences in the comments, as well as your informed opinion. Do you think businesses should be switching to biometric passwords?

4 of 204 comments

  1. TL;DR : not revokable, risk shifting by Anonymous Coward · · Score: 5, Interesting

    First time poster, long time reader.

    Biometric elements regarding authentication fail regarding two major issues.

    First issue, they can't be revoked. There won't ever be a "change your retina" or "forgot my bird to flip" form. Forget being forgotten, forget witness protection etc.

    Second major issue: risk shifting.
    If my credentials have value, then it stands to reason I can be assaulted to get them. To protect itself, my employer asks me for at least two factors, and I am OK with what I know and what I have. Both can be acquired without major hurt to my person (yes, under duress I will gladly give them and no one could blame me).
    Biometric elements, provided that a copy of what I am cannot fool the system, WILL have to be harvested from me.

    Therefore, biometrics are still a heck of a bad idea.

  2. Re:I'm not sure I like the idea... by jellomizer · · Score: 4, Interesting

    However, most security problems are not from targeted attacks but from broad sweeping ones. Back in the 1980s an insecure server was a server that didn't need a password to log in. And for the most part they were safe because they didn't have information that people wanted, or were such a small group they were not targeted for anything, as to connect to the server they needed to know the telephone number and at $0.10 per call it was expensive to war dial. Once computers started to be connected to the internet at a significant level they really needed authentication, because it got easier and cheaper to just try a bunch of IP addresses. Biometrics may not be good for access to a secure location or a highly targeted attack. But for the bulk of systems, which are more or less just fallout from a wide attack, they can be much safer.

    The real problem with biometrics is the relative difficulty to program. We still have newly developed apps that store the passwords in clear text. Expecting developers to widely use biometric algorithms, which are much harder to code than a
    SELECT uid FROM users WHERE loginname=@login and password=@password
    Most institutions will not pay for skilled developers, so they have kids out of college or an offshore developer with just rudimentary skills who may have energy and ambition but lack the experience to think of problems in terms of full lifecycle needs. Forcing most programs to use the same biometric API and treating the data in the most haphazard way possible.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  3. Anybody ever hear of the crossover rate? by brentlaminack · · Score: 3, Interesting

    Any discussion of biometrics without discussing the crossover rate (or Equal Error Rate) is woefully incomplete. See this explanation: https://security.stackexchange.com/questions/57589/determining-the-accuracy-of-a-biometric-system
    The crossover rate is that point in the sensitivity settings of the system that yields minimum errors, where the False Acceptance Rate = the False Rejection Rate. In layman's terms, you're letting in unauthorized bad guys at the same rate you're keeping authorized good guys out. Any biometric system that doesn't list its crossover rate is pure snake oil. Run away.
    Another data point few consider. A Large Theme Park used biometrics a few years back for their annual ticket holders. It soon became known as the "identical twins two-for-one sale". Can your biometrics discern identical twins? Few can.
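    As an added illustration of the crossover point described in this comment (example code written here, not from the comment or the linked Stack Exchange answer): given match scores from genuine users and from impostors, sweep the decision threshold, compute FAR and FRR at each setting, and report the threshold where they cross. The score lists are constructed sample data; a second helper shows what a stricter operating point costs in rejected genuine users.

```python
# Constructed sample match scores in [0, 1]; higher means a stronger match.
# A real system would produce thousands of these from an enrolment trial.
GENUINE = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.76, 0.74,
           0.71, 0.69, 0.66, 0.62, 0.58, 0.55, 0.50]
IMPOSTOR = [0.12, 0.18, 0.22, 0.27, 0.31, 0.35, 0.40, 0.44,
            0.48, 0.52, 0.56, 0.60, 0.64, 0.70, 0.75]


def far_frr(threshold, genuine, impostor):
    """FAR: fraction of impostor attempts accepted (score >= threshold).
    FRR: fraction of genuine attempts rejected (score < threshold)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine, impostor):
    """Return (threshold, eer): the candidate threshold where |FAR - FRR|
    is smallest, and the Equal Error Rate (their mean) at that point."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, t, eer = best
    return t, eer


def threshold_for_far(max_far, genuine, impostor):
    """Lowest threshold whose FAR does not exceed max_far, with the FAR and
    FRR it yields. Shows the trade-off: tightening FAR raises FRR."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    t, eer = crossover(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t:.2f}, EER {eer:.1%}")
    strict = threshold_for_far(0.0, GENUINE, IMPOSTOR)
    print(f"zero-FAR threshold {strict[0]:.2f} rejects {strict[2]:.1%} of genuine users")
```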

  4. Re: I'm not sure I like the idea... by swillden · · Score: 5, Interesting

    More generally, if the information gets stolen, you can never change it.

    This is true, but irrelevant. Replaceability is unnecessary for biometric security. Your biometrics wouldn't be any more (or less) secure if you could replace them.

    That's why people should adopt the philosophies of "biometrics = who you are (username)"

    This is also wrong. Biometrics are terrible identifiers. They have no uniqueness guarantees and cannot be matched exactly, which makes them prone to Birthday Paradox problems.

    Here's my screed on fingerprint / biometric security, which I'm going to post on every /. article where these incorrect ideas come up. Maybe it will help.

    Claim: Fingerprint authentication is serious James Bond shizzle and it's totally secure.

    No. No, it's not. See below.

    Claim: Fingerprint authentication is insecure because you only have ten fingers, and when you've used them all you have no more new "passwords".

    This is wrong, because it assumes that fingerprints (or other biometrics) are just a slightly different sort of password. They're not. Biometric authenticators are nothing at all like passwords; the security model is completely different. To understand how and why, we first need to understand the password authentication security model.

    Why are passwords secure (when they are)? Passwords are secure when the attacker doesn't know them or can't guess them. That seems simple and obvious, but some subtleties arise when you think about how an attacker might acquire them. There are two primary ways: stealing copies somehow, and repeated guessing, also known as a "brute force search". These interact—in some cases the attacker can steal some information and guess the rest—and there are many methods of optimizing both, but it all boils down to getting a copy, or guessing.

    Suppose the attacker has obtained a copy of your password, and you don't know it. Your security is compromised, but now the attacker has a choice. He can change your password, lock you out of your own account/device and use it for his own purposes, or he can leave your password and make covert use of your account/device/whatever. In many cases, the attacker opts for the latter approach because the former is too noticeable and the account/device often quickly gets shut down. Or suppose the attacker has obtained a copy of your password but hasn't gotten around to using it yet. In either case, changing your password shuts off the attacker's access, closing the window of vulnerability.

    But there's another reason to change your password from time to time, and that's to protect it against compromise by guessing. Depending on how the system is built, what information the attacker has to start with and the attacker's resources, the attacker will be able to make guesses at some rate. If you change your password before the attacker can guess your password, the attacker has to start over. Another way to look at it is that as the attacker guesses, he gains knowledge about your password, because he knows a bunch of things it is not. When you change your password, that knowledge is invalidated.

    In a nutshell: Password security derives from password secrecy, and you remove whatever knowledge the attacker has when you change it (assuming you don't just change a character or two). Another way of looking at it is that password secrecy erodes over time, and rotation restores it.

    But... your fingerprints are not secret. You leave them on almost everything you touch. From a security perspective the only reasonable way to think about biometrics is that they are public information. We have to assume the attacker already has your fingerprints. In the case of a smartphone or a credit card, odds are good that there are nice fingerprints on the device itself.

    The purpo

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.