I have seen a variety of banks allowing access to their remote banking environment with just your fingerprint (via iphones and similar devices). Are these valid examples of a wider group of cases where pure biometric authentication is acceptable, or is this just a failure of the banks in question?
-
1Possible duplicate of [Why do we even use passwords / passphrases next to biometrics?](http://security.stackexchange.com/questions/6349/why-do-we-even-use-passwords-passphrases-next-to-biometrics) – Thomas Weller Sep 07 '16 at 15:00
-
Biometrics are a password you can never change using information about your Identity. If anything it should only be used as a username of sorts because it effectively states who you are and never as a password or anything that would be considered secret. – Trey Blalock Sep 07 '16 at 15:14
-
@Thomas Why would you say that's the same question? That one is the literal absolute opposite of this one. It asks why we do something we (should) do (have passwords next to biometric authentication), I ask why we do the opposite (major parties using just biometric authentication in certain situations) and when it can be justified. – David Mulder Sep 07 '16 at 15:19
-
1Yeah, just negate all answers. – Thomas Weller Sep 07 '16 at 15:19
2 Answers
I am of the school of thought that Biometrics are NEVER acceptable to use as the only authentication method, you leave your Biometric data everywhere, it is almost a security paradox. I can lift fingerprints off of your keyboard, car, or elevator panel, I can make a voice recording of you, I can take your picture, get your face off a security camera, and I am Bad Guy Bob - I will jump you at your car and cut off/scoop out whatever I need.
Some other examples/articles of people who think BMs are negligent to use:
- http://www.makeuseof.com/tag/6-reasons-biometrics-not-way-future/
- http://www.usatoday.com/story/cybertruth/2013/09/12/why-biometrics-dont-work/2802095/
- http://www.csoonline.com/article/2891475/identity-access/biometric-security-is-on-the-rise.html
You also have to realize that there is an error-of-margin built into these Biometric security solutions, all it takes is for your to roll your finger on the scanner wrong or squint with a retinal scanner for it to scream at you and say ACCESS DENIED - making them easier to defeat, and unlike changing a password, or salting a hash, you cannot change your fingerprints easily nor change your retinas - once you are compromised, and use biometrics extensively, there is no way to quickly change.
- 65,052
- 24
- 180
- 218
- 240
- 1
- 5
-
1This hardly answers the question why major parties disagree with your evolution. Not to say I disagree with it, but major banks aren't the kind of players I would put aside just because I adhere to a certain school of thought. – David Mulder Sep 07 '16 at 15:25
-
@DavidMulder i hardly think banks are a pinnacle of security. (example: https://www.troyhunt.com/whos-who-of-bad-password-practices/) – d0nut Sep 07 '16 at 15:41
-
@DavidMulder Major banks are the kind of players that use 4 digit pins for cards, or that restrict online passwords to 6-8 characters. Without a quote, I wouldn't even think that they would disagree with the gist of this answer, but may possibly say that it's still good enough, especially because it is likely not the only authentication, or a breakin isn't considered that serious. – tim Sep 07 '16 at 15:45
-
Gesture typing for the win @evaluation turning in evolution. Regardless of that 5 year old article, I know a lot of banks who go out of their way to use random readers and the like to access your banking interface and the 4 digit pin problem is long recognized but a problem of everyone having to come together (1 of my banks allows longer pins, but it wouldn't work everywhere). Regardless, I know at least two banks who accept iOS fingerprint authentication as their only login. – David Mulder Sep 07 '16 at 16:13
-
@DavidMulder https://support.apple.com/en-us/HT204587 (Security SafeGuard). The odds of a false positive is 1 out of 50,000. The odds of randomly guessing a 4 digit code is 1 out of 10,000. Outside of the technicalities regarding how much easier it is to get fingerprint data as opposed to extracting your 4 digit pin code, fingerprint security is only marginally better (obviously with security, search space should be compared logarithmically) – d0nut Sep 07 '16 at 19:59
Using only biometrics for authentication is a bad idea, as have been said many times before. So the answer to the question "when to use only biometrics" is never or at least not if you are protecting anything of value. You can use it if you only want identification, and not authentication - i.e. if you had been fine with replacing the finger swipe with a text box and the instruction "enter your name here".
If people use biometrics only in other situations, e.g. banking, it is because they are either incompetent, lazy or just don't care. However, biometrics can be a part of a multi factor authentication scheme, where your fingerprint represents "something you are".
Actually, the example you give with banking on an iPhone is probably an example of this, where the phone - "something you have" - is the other factor. I am asuming here that you can only use your fingerprint on a phone that you have connected to your account.
However, it is not a very good 2FA, because the likelihood that the first factor being breached if the second factor is breached is quite high. Think of your spouse using your finger on your phone while you sleep.
However, if there is a PIN - "something you know" - on the phone suddenly you might have three factors. But the bank can't know if you have a good PIN on your phone or not. If I was a bank, I would want a passowrd for the banking app as well.
-
1Gotta give it to you, that's a very interesting take. It hadn't occurred to me that indeed by authorizing your phone it becomes 'something you have' and a part of the authentication. Which makes me reevaluate a variety of authentication schemes I know (for example my primary bank stores a cookie which allows logging in with a 6 digit PIN instead of random reader + card after first log in). Thanks for the insightful answer :) . – David Mulder Sep 07 '16 at 16:20