Slashdot Asks: Should Businesses Switch To Biometric Passwords? (hbr.org)
This question was inspired by a recent article in Harvard Business Review:
It's become abundantly clear that passwords are an untenable way to secure our data online. And asking your customers to keep track of complicated log-in information is a terrible user experience... The threat to security when relying on passwords is one reason businesses are increasingly migrating to biometric systems. Identity verification through biometrics can ensure greater security for personal information, while also providing customers with a more seamless experience in the digital environment of smartphones, tablets, sensors, and other devices... the idea is to verify someone's identity with a high degree of assurance by tying it to multiple mechanisms at once, known as biometric modalities [which] when used in concert, can provide a significantly safer environment for the customer, and are much easier to use... [I]f an app simultaneously requires a thumbprint, a retina scan, and a vocal recognition signature, it would be close to impossible for a bad actor to replicate that in the seconds needed to open the app.
This got me curious -- are Slashdot's readers already seeing biometric verification systems in their own lives? Share your experiences in the comments, as well as your informed opinion. Do you think businesses should be switching to biometric passwords?
I can see a whole lot of privacy and "Big Brother" problems with biometric authentication...
If you want news from today, you have to come back tomorrow.
No.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
And you know that.
Slashdot, fix the reply notifications... You won't get away with it...
Biometrics are subject to replay attacks and, once compromised, can never be changed.
Biometry is not suitable for authentication. Essentially using biometry is like using a password you cannot change, but constantly tell anybody around you.
It's trivial to keep your passwords secure, it's much harder to keep your fingerprint or iris pattern secure. Both can even be read out remotely.
Too much room for false positives/negatives. I mean look at your phone: You can put a fingerprint on it but it'll require a backup PIN in case that doesn't work. You don't gain any security if there has to be a backup password, it is just a convenience thing.
The right answer is a smart card (or other device with that chip in it like Yubikey). Here you go to token+PIN. It's two factor, thus much harder for an adversary to get around, and it allows for a much shorter, easier to remember password. Reason is that the password/PIN is stored on the card itself, and you get only a small, fixed number of attempts to try it (3 normally) before it locks and can only be unlocked with an administrative code. That means it isn't the kind of thing subject to brute force and thus doesn't need to be long and complex.
There's also no issue with replay attacks since it is PKI, you actually auth by doing a challenge response with a private key stored only on the secure element of the card. At no time does your password/PIN transit the network and even if someone captures all the traffic it is useless since all they get is that particular challenge/response communication, it will be different next time.
Downside is cost and complexity, of course, but really it is worth it and works damn well. You basically eliminate the problem of accounts getting stolen, and once users get used to it it is easier. Especially since the ID card can be the same card they use to open the doors and so on. HID makes combo cards that work with their existing ISOProx readers and function as NIST PIV smart cards too, or you can get readers that work directly with the smart card certificate.
Biometrics is neat, and I think bio+token could be great in the future, but for now it just seems too problematic. It is useful on a phone, as a convenience thing, but you are actually decreasing your security for it.
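The token+PIN flow described in the post above, written out as an added example (not code from the post or from any card vendor): a model "secure element" that holds a private key and a PIN, releases a signature over a server-supplied nonce only after the correct PIN, and locks itself after three wrong PINs; a relying party that stores only the public key, issues a fresh challenge per login, and rejects a replayed response. Ed25519 stands in for the PIV card's RSA/ECC key, the retry limit of 3 and the PIN "1234" are assumed sample values, and the key and PIN live in plain struct fields only so the example runs without hardware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	ErrLocked   = errors.New("token locked: PIN retry counter exhausted")
	ErrWrongPIN = errors.New("wrong PIN")
)

// Token stands in for the card's secure element. The private key and the PIN
// are plain fields here for illustration; on real hardware neither is readable.
type Token struct {
	priv       ed25519.PrivateKey
	pin        []byte
	failures   int
	maxRetries int
	locked     bool
}

// NewToken generates the card key pair. The public half is the only thing the
// relying party ever needs to store.
func NewToken(pin string, maxRetries int) (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv, pin: []byte(pin), maxRetries: maxRetries}, pub, nil
}

// Sign releases a signature over the challenge only after a correct PIN.
// Wrong PINs are counted and the token locks itself at maxRetries, which is
// why a short PIN is enough: there is no offline brute force against it.
func (t *Token) Sign(pin string, challenge []byte) ([]byte, error) {
	if t.locked {
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), t.pin) != 1 {
		t.failures++
		if t.failures >= t.maxRetries {
			t.locked = true
		}
		return nil, ErrWrongPIN
	}
	t.failures = 0
	return ed25519.Sign(t.priv, challenge), nil
}

// Verifier is the relying party. It holds the public key only; the PIN never
// reaches it and nothing it stores lets an attacker impersonate the user.
type Verifier struct{ Pub ed25519.PublicKey }

// NewChallenge returns a fresh random nonce; every login gets a new one.
func (v Verifier) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Check accepts the response only if it is a valid signature over this exact
// challenge, so a response captured from the wire is useless next time.
func (v Verifier) Check(challenge, response []byte) bool {
	return ed25519.Verify(v.Pub, challenge, response)
}

func main() {
	tok, pub, err := NewToken("1234", 3)
	if err != nil {
		panic(err)
	}
	v := Verifier{Pub: pub}

	c1, _ := v.NewChallenge()
	r1, _ := tok.Sign("1234", c1)
	fmt.Println("fresh challenge, correct PIN:      ", v.Check(c1, r1))

	c2, _ := v.NewChallenge()
	fmt.Println("captured response on new challenge:", v.Check(c2, r1))

	for i := 0; i < 3; i++ {
		_, _ = tok.Sign("0000", c2)
	}
	_, err = tok.Sign("1234", c2)
	fmt.Println("correct PIN after three failures:  ", err)
}
```

The point the post makes is visible in the struct layout: the server side (`Verifier`) contains nothing secret, so a breach of the server yields nothing to replay, and the only secret that leaves the user's hands is a signature bound to a one-time nonce.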
Biometric is ONLY a username, not a password. It does not matter how many combos you think you can put together to eliminate bad actors, all those techniques do is verify who you are, and if they can each be fooled singly, chances are that they can all be fooled taken together. And once your system is compromised, what do you do?
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
As usual, this will bring a collection of new problems for some. Will work fine for some people but others will struggle. Fingerprints will not be much use for me; my prints were clear when I was younger, but they have faded. To the extent that at a border control earlier this year where fingerprint capture was mandatory, the immigration clerk had difficulty with my left hand and found it impossible with my right. He wrote a brief report which said that he could just see the patterns but could not capture them. I might have been lucky not to be refused admission, but it seems this situation was not new to them.
Let's have businesses do 4 things:
1. Don't enforce needlessly strict / complicated security policies for websites that don't matter that much.
2. Don't make me reset my password when I've merely forgotten it - it just puts me into a never-ending loop of creating harder and harder to remember passwords that need to be constantly reset.
3. Provide easy to use 2 factor authentication that lets me use simpler passwords, or even delay the "authentication" to be when I pay for something and validate my billing address.
4. Take on more of the security burden yourselves, and detect when malicious agents are doing unusual things, rather than requiring the users to negotiate needlessly secure procedures.
Maybe after all these things are in place, we can talk about biometric methods.
For remote use, there is not a lot of difference between biometrics and passwords, except that:
-- you can't change the biometrics if they are compromised
-- there is little scope for using different credentials for different sites
Can't see any advantages to them, and I really don't want to be authenticating to my bank with the same credentials I use for Slashdot.
First time poster, long time reader.
Biometric elements regarding authentication fail regarding two major issues.
First issue, they can't be revoked. There won't ever be a "change your retina" or "forgot my bird to flip" form. Forget being forgotten, forget witness protection etc.
Second major issue : risk shifting.
If my credentials have value, then it stands to reason I can be assaulted to get them. To protect itself, my employer asks me at least two factors and I am OK with what I know and what I have. Both can be acquired without major hurt to my person (yes, under duress I will gladly give them and no one could blame me).
Biometric elements, provided that a copy of what I am cannot fool the system WILL have to be harvested from me.
Therefore, biometrics is still a heck of a bad idea
Let's take a look at the characteristics of a username:
And let's take a look at the characteristics of a password:
Now, let's take a look at what a fingerprint or other biometric property is:
Conclusion: biometric properties are more like usernames, not like passwords. So, use them for identification, not authentication. Any biometric system supplier telling you otherwise is just telling marketing nonsense.
[1]: http://www.tomsguide.com/us/ph...
It doesn't have to be like this. All we need to do is make sure we keep talking.
The problem with most biometric systems is that we literally leave our password behind on everything we touch.
Biometrics as a sort of user ID, on the other hand...
Why solve a problem already solved? Just use 2FA. Problem SOLVED.
Maybe just a card you can scan rather than an actual body print. Just a physical card mailed to you so you can just scan it in.
Easy to steal, not protected by any laws, cannot be changed should they be compromised. Worst system imaginable.
Matching bio data isn't an exact 1:1 match. The mechanism is a proximity comparison. So the original data can't be protected by a one-way encryption. Therefore it is way easier to steal that information for reuse. After all any biometric reader attached to a personal device can be simulated by an attacker and the stolen bio data fed in directly - so it is even easier than any of the current 2FA (the use case for readers in protected locations, think doors, is only slightly better). In summary having an unchangeable second factor lowers security, especially when the second factor can't be protected properly #badidea
Except being unable to change the "something you have" makes it easy to be compromised. Someone steals a password database or the 2FA key seeds, you reset them. You can't reset your bio data.
Bio data is less "something - only you - know", but, after a few breaches, "something freely traded on black markets for anyone who pays to know"
Apart from the basic fact that you cannot change it when it is compromised, and it will be, there is also that real problem in that they are extremely unreliable. You sweat and the scanner has trouble reading your fingerprint or you get an eye infection and the machine cannot recognise your iris. When we installed fingerprint scanners on all the POSs we had to remove them soon after as staff had to jam the tills open all the time because they kept failing to open when they should. Biometrics are a security risk that is not worth taking.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
... when someone steals them?
Watch this Heartland Institute video
In most cases there's no good reason to prove your identity. What you need to prove is your right to do whatever it is you're doing. I don't want to give an online store the information that would let them buy things with my credit card, or which could be stolen and misused by others. The information I give to buy something from Amazon should not be sufficient to buy something from Apple.
By all means, have a biometric username, but never have a biometric password. It's a basic rule for anyone that actually understands how to implement auth in the real world.
Easy to change a real password, impossible to change a biometric password..
- This sig deliberately left blank. Nothing to see, move along.
"It's become abundantly clear that passwords are an untenable way to secure our data online."
Can you please provide some evidence for this "abundantly clear" claim?
Even better yet, what if you're deceased and you can't just fly in to help them out?
Any discussion of biometrics without discussing the crossover rate (or Equal Error Rate) is woefully incomplete. see this explanation: https://security.stackexchange.com/questions/57589/determining-the-accuracy-of-a-biometric-system
The crossover rate is that point in the sensitivity settings of the system that yield minimum errors, where the False Acceptance Rate = the False Rejection Rate. In layman's terms, you're letting in unauthorized bad guys at the same rate you're keeping authorized good guys out. Any biometric system that doesn't list their crossover rate is pure snakeoil. Run away.
Another data point few consider. A Large Theme Park used biometrics a few years back for their annual ticket holders. It soon became known as the "identical twins two-for-one sale". Can your biometrics discern identical twins? Few can.
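The crossover computation described in the post above, as an added example that is not part of the post (the score lists are constructed, not measurements from any real matcher): sweep the decision threshold over a set of genuine-user and impostor comparison scores, report FAR and FRR at each point, locate the threshold where they meet (the Equal Error Rate), and show what the "0% false accepts" figure a vendor might advertise costs in rejected legitimate users. Scores are assumed to be similarity values in [0,1] where higher means "more like the enrolled template", and a score at or above the threshold is accepted.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// OperatingPoint is the matcher at one decision threshold.
type OperatingPoint struct {
	Threshold float64
	FAR       float64 // impostor attempts accepted / impostor attempts
	FRR       float64 // genuine attempts rejected / genuine attempts
}

// Rates computes FAR and FRR at one threshold. A score >= threshold is accepted.
// Both slices are assumed non-empty.
func Rates(genuine, impostor []float64, threshold float64) OperatingPoint {
	falseAccepts, falseRejects := 0, 0
	for _, s := range impostor {
		if s >= threshold {
			falseAccepts++
		}
	}
	for _, s := range genuine {
		if s < threshold {
			falseRejects++
		}
	}
	return OperatingPoint{
		Threshold: threshold,
		FAR:       float64(falseAccepts) / float64(len(impostor)),
		FRR:       float64(falseRejects) / float64(len(genuine)),
	}
}

// candidates returns every observed score, sorted, plus one value above the
// maximum so that "reject everything" is also a candidate threshold.
func candidates(genuine, impostor []float64) []float64 {
	c := append(append([]float64{}, genuine...), impostor...)
	sort.Float64s(c)
	return append(c, c[len(c)-1]+1)
}

// Crossover finds the threshold at which FAR and FRR are closest and returns
// that operating point together with the EER, the mean of the two rates there.
func Crossover(genuine, impostor []float64) (OperatingPoint, float64) {
	cands := candidates(genuine, impostor)
	best := Rates(genuine, impostor, cands[0])
	for _, t := range cands[1:] {
		p := Rates(genuine, impostor, t)
		if math.Abs(p.FAR-p.FRR) < math.Abs(best.FAR-best.FRR) {
			best = p
		}
	}
	return best, (best.FAR + best.FRR) / 2
}

// ZeroFalseAccept returns the lowest threshold at which no impostor passes,
// i.e. the operating point behind a "0% false accepts" claim, with its FRR.
func ZeroFalseAccept(genuine, impostor []float64) OperatingPoint {
	for _, t := range candidates(genuine, impostor) {
		if p := Rates(genuine, impostor, t); p.FAR == 0 {
			return p
		}
	}
	return Rates(genuine, impostor, math.Inf(1))
}

// SampleScores is constructed data for the demo: five genuine comparisons and
// five impostor comparisons with overlapping score ranges.
func SampleScores() (genuine, impostor []float64) {
	return []float64{0.35, 0.6, 0.7, 0.8, 0.9},
		[]float64{0.1, 0.2, 0.3, 0.4, 0.65}
}

func main() {
	genuine, impostor := SampleScores()
	for _, t := range candidates(genuine, impostor) {
		p := Rates(genuine, impostor, t)
		fmt.Printf("threshold %.2f  FAR %.2f  FRR %.2f\n", p.Threshold, p.FAR, p.FRR)
	}
	cross, eer := Crossover(genuine, impostor)
	fmt.Printf("crossover at %.2f, EER %.2f\n", cross.Threshold, eer)
	zfa := ZeroFalseAccept(genuine, impostor)
	fmt.Printf("zero false accepts at %.2f costs FRR %.2f\n", zfa.Threshold, zfa.FRR)
}
```

On the constructed scores the rates meet at threshold 0.60 with EER 0.20, and pushing the threshold to 0.70 to get FAR 0 rejects 40% of genuine attempts. That trade-off is exactly what a datasheet hides when it quotes one rate without the other.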
Except that real users don't follow those rules anyway. If they did, they'd have to break
* rule number 5 -- keep your passwords in your head, not written down where they can be stolen.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Having to give the company you work for biometric data would be an incredible invasion of privacy... and if you work in a position that makes you a target for something like "tiger kidnapping" it would be possible to use your biometrics just by having you along. No need to get a passcode out of you, just stuff your eye in front of the scanner, or your finger onto a fingerprint reader, or your hand on a hand sensor. It would probably make such attacks more frequent, because there would be no need to coerce people in these positions by kidnapping their families etc.., just bring the one person along. It also means that, at least in the U.S., the police could forcibly open any data device protected with biometrics without a warrant etc.., due to recent court rulings in regard to that.
Most biometric scanners have poor resolution and are easily defeated with very modest resources. MythBusters did a very good episode about the ease of replicating fingerprints, and found recent scanners that could be defeated by copying a fingerprint on a laser printer and simply moistening the printout. There was also an infamous paper, available at https://cryptome.org/gummy.htm, describing more sophisticated approaches with the image transferred to gelatin. That has never been refuted since its original publication. American police, and many security groups worldwide, collect large libraries of fingerprints that can be copied wholesale for just such intrusion.
Fingerprint scanners, which are the most common biometric device, remain quite vulnerable to targeted breakin. Fingerprints may be a handy access option, but they can't be considered robust security.
Your biometric password can't be changed. Just because we don't know how to hack them now doesn't mean it won't be trivial in the future. Fingerprint readers are wafer thin right now, who's to say a wafer thin electrode array can't drive one of these with someone else's fingerprint. As for getting that fingerprint, well, you will have it from any one of the biometric devices that the person gave it to.
It's just a passing phase in password land where biometric passwords are convenient but not ubiquitous enough and not standard enough that anyone wants to invest the time to hack them. But hack them they will once it becomes useful to do so. Then you are stuck with a permanent reminder of a temporary feeling.
Some drink at the fountain of knowledge. Others just gargle.
Having a combination of a CHIP card and an RSA Security Device or key seems to work just fine. When I lived in Europe, for remote access to work, I used an RSA Security key which consisted of a 6 digit code which changes every 90 seconds and an assigned static 4-digit code. The MAC address of the machine was registered and that seemed adequate. Personal/banking transactions were handled with a CHIP card, 4-digit PIN, and an RSA security device that looked like a calculator. By using the combination I could not only sign in to online banking with a unique password every time, but I could validate each financial transaction using a calculated checksum provided by the RSA device that looked like a calculator with a slot for the CHIP card.

We should have this system in the United States, but we should also get over our paranoia of a national ID card. The national ID card in the country where I lived was a CHIP card as well and you could purchase a USB reader to insert your identity card to access federal social websites.

Biometrics has the potential of making the current American police/surveillance state even more pernicious. Notice the ubiquity of police cameras seen at the Occupy Wall Street protests and other demonstrations. Just like collecting fingerprints sans probable cause, the government is face-printing the population in order to preemptively round people up if necessary at a later time. We've already seen preemptive raids and the seizing of computers of people suspected of possibly disrupting the Republican Convention in 2012. There are other, better methods for securing transactions, however, in America the corporations rule and the government claims powerlessness to force them to provide adequate security to their customers.
Biometric authentication is like a password that can never be reset, can be stolen off your body, and in some cases, that you accidentally leave copies of all over the place (fingerprints). They're fine as a second factor but the hard, cold, fad-deflating truth is that nothing beats the security of the good ol' password. A strong password can be hard to crack and is the hardest form of credentials to steal (requires torture or an fMRI machine). People are often careless with passwords but biometrics are no solution to that, for the reasons I mentioned before.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Biometrics aren't passwords, they are user IDs.
Treating them as passwords is a popular idea but will inevitably lead to disaster. Who would choose a password they could never change and then give that same password to countless other parties? Even if we did that, what would be the equivalent to good practices like storing password hashes instead of the originals in case of compromise?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
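Two posts above ask the same question from different ends: the one noting that biometric matching is a proximity comparison and so "can't be protected by a one-way encryption", and the one asking what the equivalent of storing password hashes would be. The added example below (not code from either poster, and using constructed bit strings rather than real biometric data) puts the two comparison rules side by side: a password check that stores only a SHA-256 digest and therefore fails on a single changed bit, and an iris-code style matcher that accepts anything within a Hamming-distance budget and therefore has to keep the enrolled template in matchable form. The 256-bit "codes" are derived from labels, the 8-bit noise pattern and the 10% acceptance budget are assumed values chosen to make the contrast visible.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"math/bits"
)

// HashMatch is the password rule: store only H(secret), hash the attempt and
// compare. Any change in the attempt, even one bit, gives a different digest.
func HashMatch(storedDigest [32]byte, attempt []byte) bool {
	d := sha256.Sum256(attempt)
	return subtle.ConstantTimeCompare(storedDigest[:], d[:]) == 1
}

// HammingFraction is the fraction of differing bits between two equal-length
// bit strings, the kind of distance an iris- or fingerprint-code matcher uses.
func HammingFraction(a, b []byte) float64 {
	if len(a) != len(b) || len(a) == 0 {
		return 1.0
	}
	diff := 0
	for i := range a {
		diff += bits.OnesCount8(a[i] ^ b[i])
	}
	return float64(diff) / float64(8*len(a))
}

// FuzzyMatch is the biometric rule: accept if the live sample is close enough
// to the enrolled template. The template must therefore stay in matchable
// form on the server; hashing it would break matching of every noisy capture.
func FuzzyMatch(template, sample []byte, maxFraction float64) bool {
	return HammingFraction(template, sample) <= maxFraction
}

// flipBits returns a copy of code with the given bit positions inverted,
// simulating sensor noise between two captures of the same finger or iris.
func flipBits(code []byte, positions ...int) []byte {
	out := append([]byte(nil), code...)
	for _, p := range positions {
		out[p/8] ^= 1 << (p % 8)
	}
	return out
}

// SampleCodes is constructed data: a 256-bit "template" derived from a label
// (not a real biometric), a noisy re-capture of it, and an unrelated code.
func SampleCodes() (template, noisy, stranger []byte) {
	t := sha256.Sum256([]byte("enrolled-user-iris-code"))
	s := sha256.Sum256([]byte("some-other-person"))
	template = t[:]
	noisy = flipBits(template, 3, 17, 42, 77, 101, 150, 199, 233) // 8 of 256 bits
	stranger = s[:]
	return
}

func main() {
	template, noisy, stranger := SampleCodes()
	digest := sha256.Sum256(template)

	fmt.Printf("noise between captures: %.4f of bits\n", HammingFraction(template, noisy))
	fmt.Println("fuzzy match, noisy capture:   ", FuzzyMatch(template, noisy, 0.10))
	fmt.Println("fuzzy match, stranger:        ", FuzzyMatch(template, stranger, 0.10))
	fmt.Println("hash match, exact template:   ", HashMatch(digest, template))
	fmt.Println("hash match, noisy capture:    ", HashMatch(digest, noisy))
	// A stolen template replays perfectly: distance zero, no sensor needed.
	fmt.Println("fuzzy match, stolen template: ", FuzzyMatch(template, template, 0.10))
}
```

The last line of `main` is the practical consequence of the first post: whatever the server keeps so that `FuzzyMatch` can work is, once leaked, a perfect credential for anyone who can feed bytes to the matcher.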
Yeah... just waiting for the next headline from "Slashdot Asks"
Slashdot Asks: Should I Saw Off An Employee's Legs To Keep Him From Leaving The Company
Anons need not reply. Questions end with a question mark.
Relatively easy to fake, and can't be repudiated once compromised. Brilliant.
Every so often it requires me to use my regular login credentials.
It works very well indeed.
And yes, if someone cut off my finger or thumb, and it was one of the ones registered in the phone, or if someone caught my fingerprints some where, and went on a MythBusters type effort, where they lifted the print, and went through gyrations to duplicate it. Yup, they could break into my phone.
y tho?
That's a metric fuckton of trouble to go to, and if the standard login pops up on them, they wasted a lot of effort to spoof my fingerprint. Then steal my phone, and somehow keep me from erasing the phone as soon as I noticed it gone. And my credit card puts a hold on any large purchase, and calls a different number for verification before it allows it, and if not verified as legit, cancels the card.
It isn't perfect. But it's pretty good. Perfection is too often the enemy of pretty good.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
I don't even give my company access to medical history, what makes you think I would give them biometric data ?
With unique personally identifiable information now traversing the corporate networks, are they going to be forced to implement HIPAA standards to protect it ?
I doubt most companies will want to go that route due to cost, upkeep and penalties should that data get compromised.
Mod parent up, please
This message is encrypted with Quad ROT-13 to protect the author's copyright under the DMCA.
I tried to use a FIDO U2F security key in my side business. Most of my vendors don't support using two-factor authentication with a security key. My web host provider plans to implement it Really Soon. Google will prompt me for my key if I make a major change to my YouTube account. Biometric passwords aren't going to work if vendors don't get onboard to upgrade their login systems.
Businesses should not switch to biometric passwords. They could use biometry for convenience paired with password for security, but biometry isn't enough for one main reason: if someone figures a way of replicating even a single biometric identification, the whole system is defeated.
It's a difference between replacing a single user password versus possibly having to recall and replace all hardware, and the entire system behind it.
You can easily replace passwords. Biometrics cannot be replaced.
It uniquely identifies people and is uniquely tied to each one, which also creates a problem regarding privacy.
It's always a bad idea to use something that is uniquely identifiable as a password, because you end up running in scenarios where anonymity becomes impossible.
And in the end, the problem with security systems is that they are prone to failure due to a bunch of different factors.
Smartphone fingerprint readers were easily defeated just recently because they were implemented to work faster.
http://www.computerworld.com/a...
Technology catches on. We'll always be one step from a scanner with high enough resolution and a printer of some sort with high enough definition and usage of the right materials.
You know what people said about fingerprint readers in the past? That it would be close to impossible to replicate because of how complex our fingerprints are. That argument being made by Harvard Business Review in the end of the quote is just the same. We can't assume how hard it's gonna be to replicate even if you are tying a bunch of biometrics together because it hasn't been out yet, nor is there any incentive for people to break it just yet. If someone haphazardly implements it through a wide range of businesses, then all bets are off.
Also, companies behind such systems will always fail to recognize the problem because recalling and replacing devices will always be impossibly expensive, and in several instances we're basically relying on security through obscurity.
https://www.forbes.com/sites/e...
https://hackaday.com/2015/11/1...
Now, with things as they stand, imagine this scenario: as we all know, several companies nowadays are basically building entire dossiers about each and every customer with all sorts of information about them to sell for advertisers and whatnot. Imagine if biometrics got into that, and then inevitably one of those companies gets hacked or leaks their entire databases. Instead of people scrambling to reset and change their passwords, we'd get people who could do nothing about it, biometrics in the wild, just waiting for someone to come up with a way to use/replicate them. This happens to enough businesses and enough databases, biometric data becomes something as easy to find out as an address or name.
No question, Bio passwords should be mandatory. HOWEVER, along with this, we have to come up with a way that this doesn't turn into tracking.
Reading the commentary here it is obvious that biometrics is a mess. Some think it's a user ID, others a password, and the list goes on.
If it is so confusing here just imagine how bad it would be for the millions of implementers out there who can't even grasp the concept of going beyond a cleartext version of a password in a database.
Caution: Contents under pressure
Why are you continuing to argue something that can not currently happen, and quite frankly may never happen? The first time I can let slide, but defending a hypothetical.. Really? Irrationality at its finest.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
all can ultimately be transformed into Something You (or a computer) Knows. Therefore, almost every multi-factor authentication system depends on several things that an attacker can discover, and mimic.
The security industry has found that biometrics have a major down side, in that they can't be changed. Once they are discovered by attackers, they are permanently discovered.
For example, the major compromise of the US Office of Personnel Management by the Chinese in 2015 disclosed 5.6 million recorded fingerprints. This included everybody who had a security clearance, and all covert agents in Intelligence and law enforcement. Since biometrics can't be changed, it will take decades before this compromise stops causing harm to the US government. US Covert agents can be identified. Any attempt to use fingerprint biometrics for these people can now be more easily attacked: https://en.wikipedia.org/wiki/...
Every government has aggressively begun to collect biometric information from every possible source. Shortly afterwards, almost every government database of collected biometrics has been successfully compromised. Biometric information is collated by insurance, law and intelligence agencies. It is sold and resold on the various criminal marketplaces.
Part of this flourishing criminal marketplace in biometric information includes permanent, unchangeable health and medical information: https://hipaahealthlaw.foxroth...
Also, US courts have ruled that biometric info has almost no legal protections against collection, resale or forced disclosure.
Therefore, some security professionals now believe that well funded attackers can overcome the biometric parts of an authentication system with less expense than overcoming a password.
"The result is that biometrics make the employee/customer/citizen(!) expendable."
They already are. What's the problem?
Biometrics are good for identification, i.e. you take someone's fingerprint and compare it to a database. Someone can't show up with a severed or fake one and fool you with it.
It does not work for authentication, however. Imagine a password that you can never change and you leave pieces of it everywhere you go... well that's exactly what your fingerprint is. Maybe retina scans are better, but I have serious doubts, the biggest being that if it ever does become compromised, again, you can't change it. Voice recognition is not secure either, you could easily be recorded and/or have your voice synthesized.
Also this:
[I]f an app simultaneously requires a thumbprint, a retina scan, and a vocal recognition signature, it would be close to impossible for a bad actor to replicate that in the seconds needed to open the app.
is complete bullshit.
Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
And like they need more data -_-. Besides, you then got to hope that the IT people are complete sh*t heads and most are.
Do you think businesses should be switching to biometric passwords?
No