
Would a password with multi-factor authentication be more secure than biometrics? I am asking due to the fact that if biometric data gets compromised, there is no way to change it, and in data breaches in the past, millions of sets of fingerprints were compromised. In 2014, HD pictures were used to gain access to a German government facility. Given that technology will increase, and so will the abilities to spoof biometric features, how are these better than a password + biometrics or another form of multi-factor authentication? Biometric data is constantly readily available for an attacker to try to spoof, even without interacting with you. Also, an attacker could presumably force someone to open a device using their biometric data, against their will. With all these considered, it appears to me that the push to get rid of passwords is not the best for security.

john doe
  • It depends ***entirely*** on your threat model and where your vulnerabilities are. – schroeder Jul 24 '19 at 15:48
  • Who is wanting to replace all passwords with static biometrics (fingerprints, face, eye, etc.)? I am unaware of anyone wanting to do this. – schroeder Jul 24 '19 at 15:49
  • @schroeder Just one example, on top of every new phone advertising biometrics as a complete replacement of passwords https://www.microsoft.com/en-us/security/technology/identity-access-management/passwordless – john doe Jul 24 '19 at 15:50
  • I think you misunderstood what MS is offering. They are not replacing all passwords with biometrics. – schroeder Jul 24 '19 at 15:51
  • I just read the paper. Biometrics is just one factor. – schroeder Jul 24 '19 at 15:54
  • My question is why remove the password from multi-factor? It prevents a wide array of attacks. A hardware key and biometrics in addition to a password is much more secure than the key and biometrics alone. I don't see the reasoning to lessen the security, other than convenience. – john doe Jul 24 '19 at 16:01
  • I think the paper does a good job explaining that – schroeder Jul 24 '19 at 16:11
  • Anecdotally, I have done a lot of work assessing biometric solutions for clients, and every one of them that attempts to completely replace passwords with biometrics at any scale tends to have significant flaws: poor false positive and negative rates, inability to identify replay attacks or fake media, security issues with enrolment, inability to enforce policy on account types that can enrol, issues with who has control over bypass and reset functions... the list goes on. Single-factor biometric auth is simply too flawed to be safe at scale. – Polynomial Jul 24 '19 at 22:09

0 Answers