Slashdot Asks: Should Businesses Switch To Biometric Passwords? (hbr.org)
This question was inspired by a recent article in Harvard Business Review:
It's become abundantly clear that passwords are an untenable way to secure our data online. And asking your customers to keep track of complicated log-in information is a terrible user experience... The threat to security when relying on passwords is one reason businesses are increasingly migrating to biometric systems. Identity verification through biometrics can ensure greater security for personal information, while also providing customers with a more seamless experience in the digital environment of smartphones, tablets, sensors, and other devices... the idea is to verify someone's identity with a high degree of assurance by tying it to multiple mechanisms at once, known as biometric modalities [which] when used in concert, can provide a significantly safer environment for the customer, and are much easier to use... [I]f an app simultaneously requires a thumbprint, a retina scan, and a vocal recognition signature, it would be close to impossible for a bad actor to replicate that in the seconds needed to open the app.
This got me curious -- are Slashdot's readers already seeing biometric verification systems in their own lives? Share your experiences in the comments, as well as your informed opinion. Do you think businesses should be switching to biometric passwords?
No.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Biometry is not suitable for authentication. Essentially using biometry is like using a password you cannot change, but constantly tell anybody around you.
It's trivial to keep your passwords secure, it's much harder to keep your fingerprint or iris pattern secure. Both can even be read out remotely.
Biometric is ONLY a username, not a password. It does not matter how many combos you think you can put together to eliminate bad actors; all those techniques do is verify who you are, and if they can each be fooled singly, chances are that they can all be fooled taken together. And once your system is compromised, what do you do?
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
As usual, this will bring a collection of new problems for some. Will work fine for some people but others will struggle. Fingerprints will not be much use for me; my prints were clear when I was younger, but they have faded. To the extent that at a border control earlier this year where fingerprint capture was mandatory, the immigration clerk had difficulty with my left hand and found it impossible with my right. He wrote a brief report which said that he could just see the patterns but could not capture them. I might have been lucky not to be refused admission, but it seems this situation was not new to them.
More generally, if the information gets stolen, you can never change it. Locks, passwords, and challenge-response seeds can all be replaced. No other authentication method has this glaring weakness. The burden of manual authentication is here to stay, I think, until we get password manager brain implants.
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
First time poster, long time reader.
Biometric elements regarding authentication fail regarding two major issues.
First issue, they can't be revoked. There won't ever be a "change your retina" or "forgot my bird to flip" form. Forget being forgotten, forget witness protection etc.
Second major issue : risk shifting.
If my credentials have value, then it stands to reason I can be assaulted to get them. To protect itself, my employer asks me at least two factors and I am OK with what I know and what I have. Both can be acquired without major hurt to my person (yes, under duress I will gladly give them and no one could blame me).
Biometric elements, provided that a copy of what I am cannot fool the system WILL have to be harvested from me.
Therefore, biometrics is still a heck of a bad idea.
Let's take a look at the characteristics of a username:
And let's take a look at the characteristics of a password:
Now, let's take a look at what a fingerprint or other biometric property is:
Conclusion: biometric properties are more like usernames, not like passwords. So, use them for identification, not authentication. Any biometric system supplier telling you otherwise is just telling marketing nonsense.
[1]: http://www.tomsguide.com/us/ph...
It doesn't have to be like this. All we need to do is make sure we keep talking.
Matching bio data isn't an exact 1:1 match. The mechanism is a proximity comparison. So the original data can't be protected by a one way encryption. Therefore it is way easier to steal that information for reuse. After all, any biometric reader attached to a personal device can be simulated by an attacker and the stolen bio data fed in directly - so it is even easier than any of the current 2FA (the use case for readers in protected locations, think doors, is only slightly better). In summary, having an unchangeable second factor lowers security, especially when the second factor can't be protected properly #badidea
However, most security problems are not from targeted attacks but from broad, sweeping ones. Back in the 1980s an insecure server was a server that didn't need a password to log in. And for the most part they were safe because they didn't have information that people wanted, or were such a small group that they were not targeted for anything, as to connect to the server they needed to know the telephone number, and at $0.10 per call it was expensive to war dial. Once computers started to be connected to the internet at a significant level, they really needed authentication because it got easier and cheaper to just try a bunch of IP addresses. Biometrics may not be good for access to a secure location or against a highly targeted attack. But the bulk of the systems, which are more or less just fallout from a wide attack, can be much safer.
The real problem with biometrics is the relative difficulty to program. We still have newly developed apps that store the passwords in clear text. Expecting developers to widely use biometric algorithms, which are much harder to code than a
SELECT uid FROM users WHERE loginname=@login and password=@password
Most institutions will not pay for skilled developers, so they have kids out of college or an offshore developer with just rudimentary skills who may have energy and ambition but lack the experience to think of problems in terms of full lifecycle needs. Forcing most programs to use the same biometric API and treating the data in the most haphazard way possible.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Don't make me reset my password when I've merely forgotten it
If a site doesn't make you reset, never go back. It means they have your password in plaintext, and that they'll send it to you in plaintext.
That's why people should adopt the philosophies of "biometrics = who you are (username)", leaving "passwords = something you know", and allowing for "tokenization = something you have". If usernames and passwords are decoupled to the point where biometric authentication serves as a realtime handshake of the resulting hash by the destination server, even to the point where they are stored in different tables with the functional equivalent of public key vs private key components, then the compromise of a single system would effectively result in a rainbow table only that needs to be iterated for all users on the system.
Thirty four characters live here.
Any discussion of biometrics without discussing the crossover rate (or Equal Error Rate) is woefully incomplete. see this explanation: https://security.stackexchange.com/questions/57589/determining-the-accuracy-of-a-biometric-system
The crossover rate is that point in the sensitivity settings of the system that yields minimum errors, where the False Acceptance Rate = the False Rejection Rate. In layman's terms, you're letting in unauthorized bad guys at the same rate you're keeping authorized good guys out. Any biometric system that doesn't list their crossover rate is pure snakeoil. Run away.
Another data point few consider. A Large Theme Park used biometrics a few years back for their annual ticket holders. It soon became known as the "identical twins two-for-one sale". Can your biometrics discern identical twins? Few can.
More generally, if the information gets stolen, you can never change it.
This is true, but irrelevant. Replaceability is unnecessary for biometric security. Your biometrics wouldn't be any more (or less) secure if you could replace them.
That's why people should adopt the philosophies of "biometrics = who you are (username)"
This is also wrong. Biometrics are terrible identifiers. They have no uniqueness guarantees and cannot be matched exactly, which makes them prone to Birthday Paradox problems.
Here's my screed on fingerprint / biometric security, which I'm going to post on every /. article where these incorrect ideas come up. Maybe it will help.
Claim: Fingerprint authentication is serious James Bond shizzle and it's totally secure.
No. No, it's not. See below.
Claim: Fingerprint authentication is insecure because you only have ten fingers, and when you've used them all you have no more new "passwords".
This is wrong, because it assumes that fingerprints (or other biometrics) are just a slightly different sort of password. They're not. Biometric authenticators are nothing at all like passwords; the security model is completely different. To understand how and why, we first need to understand the password authentication security model.
Why are passwords secure (when they are)? Passwords are secure when the attacker doesn't know them or can't guess them. That seems simple and obvious, but some subtleties arise when you think about how an attacker might acquire them. There are two primary ways: stealing copies somehow, and repeated guessing, also known as a "brute force search". These interact—in some cases the attacker can steal some information and guess the rest—and there are many methods of optimizing both, but it all boils down to getting a copy, or guessing.
Suppose the attacker has obtained a copy of your password, and you don't know it. Your security is compromised, but now the attacker has a choice. He can change your password, lock you out of your own account/device and use it for his own purposes, or he can leave your password and make covert use of your account/device/whatever. In many cases, the attacker opts for the latter approach because the former is too noticeable and the account/device often quickly gets shut down. Or suppose the attacker has obtained a copy of your password but hasn't gotten around to using it yet. In either case, changing your password shuts off the attacker's access, closing the window of vulnerability.
But there's another reason to change your password from time to time, and that's to protect it against compromise by guessing. Depending on how the system is built, what information the attacker has to start with and the attacker's resources, the attacker will be able to make guesses at some rate. If you change your password before the attacker can guess your password, the attacker has to start over. Another way to look at it is that as the attacker guesses, he gains knowledge about your password, because he knows a bunch of things it is not. When you change your password, that knowledge is invalidated.
In a nutshell: Password security derives from password secrecy, and you remove whatever knowledge the attacker has when you change it (assuming you don't just change a character or two). Another way of looking at it is that password secrecy erodes over time, and rotation restores it.
But... your fingerprints are not secret. You leave them on almost everything you touch. From a security perspective the only reasonable way to think about biometrics is that they are public information. We have to assume the attacker already has your fingerprints. In the case of smartphone or a credit card, odds are good that there are nice fingerprints on the device itself.
The purpo
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Biometrics aren't passwords, they are user IDs.
Treating them as passwords is a popular idea but will inevitably lead to disaster. Who would choose a password they could never change and then give that same password to countless other parties? Even if we did that, what would be the equivalent to good practices like storing password hashes instead of the originals in case of compromise?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Every so often it requires me to use my regular login credentials.
It works very well indeed.
And yes, if someone cut off my finger or thumb, and it was one of the ones registered in the phone, or if someone caught my fingerprints somewhere, and went on a MythBusters type effort, where they lifted the print, and went through gyrations to duplicate it. Yup, they could break into my phone.
y tho?
That's a metric fuckton of trouble to go to, and if the standard login pops up on them, they wasted a lot of effort to spoof my fingerprint. Then steal my phone, and somehow keep me from erasing the phone as soon as I noticed it gone. And my credit card puts a hold on any large purchase, and calls a different number for verification before it allows it, and if not verified as legit, cancels the card.
It isn't perfect. But it's pretty good. Perfection is too often the enemy of pretty good.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Businesses should not switch to biometric passwords. They could use biometry for convenience paired with password for security, but biometry isn't enough for one main reason: if someone figures a way of replicating even a single biometric identification, the whole system is defeated.
It's a difference between replacing a single user password versus possibly having to recall and replace all hardware, and the entire system behind it.
You can easily replace passwords. Biometrics cannot be replaced.
It uniquely identifies people and is uniquely tied to each one, which also creates a problem regarding privacy.
It's always a bad idea to use something that is uniquely identifiable as a password, because you end up running in scenarios where anonymity becomes impossible.
And in the end, the problem with security systems is that they are prone to failure due to a bunch of different factors.
Smartphone fingerprint readers were easily defeated just recently because they were implemented to work faster.
http://www.computerworld.com/a...
Technology catches on. We'll always be one step from a scanner with high enough resolution and a printer of some sort with high enough definition and usage of the right materials.
You know what people said about fingerprint readers in the past? That it would be close to impossible to replicate because of how complex our fingerprints are. That argument being made by Harvard Business Review at the end of the quote is just the same. We can't assume how hard it's gonna be to replicate even if you are tying a bunch of biometrics together because it hasn't been out yet, nor is there any incentive for people to break it just yet. If someone haphazardly implements it through a wide range of businesses, then all bets are off.
Also, companies behind such systems will always fail to recognize the problem because recalling and replacing devices will always be impossibly expensive, and in several instances we're basically relying on security through obscurity.
https://www.forbes.com/sites/e...
https://hackaday.com/2015/11/1...
Now, with things as they stand, imagine this scenario: as we all know, several companies nowadays are basically building entire dossiers about each and every customer with all sorts of information about them to sell for advertisers and whatnot. Imagine if biometrics got into that, and then inevitably one of those companies gets hacked or leaks their entire databases. Instead of people scrambling to reset and change their passwords, we'd get people who could do nothing about it, biometrics in the wild, just waiting for someone to come up with a way to use/replicate them. This happens to enough businesses and enough databases, biometric data becomes something as easy to find out as an address or name.
Fair enough, but those examples only apply to poorly-considered naming schemes (and the accompanying human assumptions) or improperly implemented mail systems. Per RFC 5321, "the local-part of a mailbox MUST BE treated as case sensitive." These could lead to multiple identifiers that all map to a single email address (in the case of a case insensitive local-part), but not a single identifier mapping to multiple email addresses (the birthday paradox manifestation).
The fuzzy matching was more about the fact that every time you "read" a biometric property, you have a good chance of getting a slightly different reading. A biometric property is not a static property that can be read with 100% fidelity. The standard approach to handling this is to pick a number of the (assumed or measured to be) most invariant features use those as the reading, tossing out the rest. This process is not very robust, though, and you determine acceptable matches by whether the matched features to total features ratio exceeds a threshold (fuzzy matching). Barring shitty programming or improper assumptions, email addresses can be read with 100% fidelity and either match or don't match an entry in your database. Any fuzziness is deliberately imposed on an inherently non-fuzzy system.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
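The threshold-based fuzzy matching described in the comment above, and the earlier point in the thread that proximity-matched data cannot be protected with a one-way hash, can be seen side by side. This is an added example, not part of the original posts; the feature tuples are constructed, the function names are hypothetical, and real matchers use more elaborate alignment and scoring.

```python
import hashlib

# Constructed feature sets: each tuple stands for one quantised feature
# (x, y, angle bucket) selected at enrolment.
ENROLLED = {(12, 40, 3), (18, 22, 1), (25, 61, 7), (33, 15, 2),
            (41, 48, 5), (47, 30, 0), (52, 9, 6), (60, 55, 4)}
# Second read of the same finger: two features missed, one spurious one added.
SAME_FINGER = (ENROLLED - {(33, 15, 2), (60, 55, 4)}) | {(5, 5, 1)}
# Read of a different finger that happens to share a single feature.
OTHER_FINGER = {(12, 40, 3), (14, 70, 2), (29, 33, 6), (38, 8, 1),
                (44, 59, 0), (50, 21, 7), (57, 42, 3), (63, 12, 5)}


def digest(features):
    """SHA-256 over a canonical (sorted) encoding, as a password hash would be."""
    return hashlib.sha256(repr(sorted(features)).encode()).hexdigest()


def hashed_accept(stored_digest, reading):
    """Exact-match check: only a bit-identical reading reproduces the digest."""
    return digest(reading) == stored_digest


def match_ratio(template, reading):
    """Matched features divided by total features in the enrolled template."""
    return len(template & reading) / len(template)


def fuzzy_accept(template, reading, threshold=0.7):
    """Accept when the ratio clears the threshold; needs the raw template."""
    return match_ratio(template, reading) >= threshold


if __name__ == "__main__":
    stored = digest(ENROLLED)
    for name, reading in (("same finger", SAME_FINGER), ("other finger", OTHER_FINGER)):
        print(f"{name}: ratio={match_ratio(ENROLLED, reading):.3f} "
              f"fuzzy={fuzzy_accept(ENROLLED, reading)} "
              f"hashed={hashed_accept(stored, reading)}")
```

The hashed check rejects the legitimate second read, so the verifier has to hold the template in a comparable form, and a stricter threshold such as 0.8 would also reject that same read.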
all can ultimately be transformed into Something You (or a computer) Knows. Therefore, almost every multi-factor authentication system depends on several things that an attacker can discover, and mimic.
The security industry has found that biometrics have a major down side, in that they can't be changed. Once they are discovered by attackers, they are permanently discovered.
For example, the major compromise of the US Office of Personnel Management by the Chinese in 2015 disclosed 5.6 million recorded fingerprints. This included everybody who had a security clearance, and all covert agents in Intelligence and law enforcement. Since biometrics can't be changed, it will take decades before this compromise stops causing harm to the US government. US Covert agents can be identified. Any attempt to use fingerprint biometrics for these people can now be more easily attacked: https://en.wikipedia.org/wiki/...
Every government has aggressively begun to collect biometric information from every possible source. Shortly afterwards, almost every government database of collected biometrics has been successfully compromised. Biometric information is collated by insurance, law and intelligence agencies. It is sold and resold on the various criminal marketplaces.
Part of this flourishing criminal marketplace in biometric information includes permanent, unchangeable health and medical information: https://hipaahealthlaw.foxroth...
Also, US courts have ruled that biometric info has almost no legal protections against collection, resale or forced disclosure.
Therefore, some security professionals now believe that well funded attackers can overcome the biometric parts of an authentication system with less expense than overcoming a password.
"you can never change it"
Your employer can change it with trivial effort. Just fire you and hire someone else.