54

I've read articles suggesting that passwords will eventually go the way of the dinosaur only to be replaced by biometrics, PINs, and other methods of authentication. This piece claims that Microsoft, Google, and Apple are decreasing password dependency because passwords are expensive (to change) and present a high security risk. On the other hand, Dr. Mike Pound at Computerphile claims that we will always need passwords (I think this is the correct video).

But as this wonderful Security StackExchange thread notes, biometrics are not perfect. Granted, the criticisms are roughly six years old, but still stand. Moreover, and perhaps I have a fundamental misunderstanding of how biometric data is stored, but what if this information is breached? Changing a password may be tedious and expensive, but at least it can be changed. I'm uncertain how biometric authentication addresses this problem--as I cannot change my face, iris, fingerprint, and etc.--or if it needs to address this problem at all.

Are those who argue that we can eliminate passwords prematurely popping champagne bottles or are their projections correct?

pancake-house
  • 781
  • 1
  • 5
  • 13
  • 4
    We had to use fingerprint readers during the 2000s. During the test we had a colleague whose fingerprint could not be detected by the algorithms. We figured out that this is more common than one expected. A cut in the fingerprint area, or a burn, can also affect the algorithms. So the security of the system was reduced to a smartcard + password, which can be transferred to a third person. – kelalaka Jul 05 '20 at 13:23
  • 3
    It is going to depend on how you define "password". Supplying a user-changeable string as an authentication mechanism is likely not going away. The real question is, can we eliminate the need for people to devise and remember those strings, or can we automate it or have hardware do it for us? – schroeder Jul 05 '20 at 13:23
  • 1
    Thanks @schroeder. You've exposed a great question from my post. Should I break your question out into a different topic so I don't muddy the waters? – pancake-house Jul 05 '20 at 16:03
  • It all depends on what you want to ask, really. – schroeder Jul 05 '20 at 16:05
  • 40
    Note that a PIN is really just a low-entropy and easily guessed password, so I wouldn't include that in the list of "things that might replace passwords". – Conor Mancone Jul 05 '20 at 19:00
  • 69
    "passwords are expensive to change" - LOL, wait until they learn how expensive it is to change biometric information! – whatsisname Jul 06 '20 at 01:45
  • Your question confuses me... dinosaurs were replaced by biometrics? – musefan Jul 06 '20 at 10:12
  • Moreover @whatsisname, the price of biometric technology! – pancake-house Jul 06 '20 at 18:34
  • 1
    @whatsisname I'd like to see someone change a biometric password 6 feet away! Never mind remotely, like on a different continent. – Nelson Jul 07 '20 at 02:49
  • I don’t have the references (or time:) for a full answer, but the "what if biometrics are ‘breached’" question is fundamentally a misunderstanding. Knowing what someone looks like doesn't let you (necessarily) imitate them enough to pass as them. – andrewf Jul 07 '20 at 14:24
  • 5
    Somewhere I read that biometrics are more like user names than passwords, in that they're hard to keep secret. – Mark Ransom Jul 07 '20 at 16:22
  • 1
    I predict that 2021 will be the "Year of the Password". Just like every year. – President James K. Polk Jul 08 '20 at 01:30
  • I'm surprised no one has mentioned Steve Gibson's SQRL project. https://www.grc.com/sqrl/sqrl.htm – Henry Lee Jul 22 '20 at 19:25

8 Answers

91

First of all, let's keep in mind that vendors of biometric solutions have a vested interest in badmouthing passwords to promote their own products and services. There is money at stake. They have something to sell to you, but that doesn't mean you will be better off after purchasing their stuff. So one should not take those claims from vendors at face value.

Moreover, and perhaps I have a fundamental misunderstanding of how biometric data is stored, but what if this information is breached? Changing a password may be tedious and expensive, but at least it can be changed. I'm uncertain how biometric authentication addresses this problem--as I cannot change my face, iris, fingerprint, etc.--or if it needs to address this problem at all.

This is precisely the biggest problem with biometrics. The compromised 'tokens' cannot be revoked. Breaches have already happened on a large scale. A devastating occurrence that will have consequences for many years to come is the OPM data breach.

Faces cannot be protected. They literally are public knowledge. Lots of people have their face on the Internet nowadays. Fingerprints can be seized off a glass. These are not secrets.

On top of that the collection of biometric data is a formidable enabler for the mass surveillance of individuals. Even the most democratic governments cannot be trusted. Technology also changes the nature of government and social interactions - not always in a good way.

We have to consider the trade-offs: what do you have to gain vs what could you possibly lose. Is the convenience worth the risk ? Not everyone is convinced.

So it is not just a technical issue but a societal issue that has enormous implications. Hint: China is the benchmark.

The false positive or false negative rate is also a problem. Some people cannot be enrolled because of their physical characteristics. A password is unambiguous. You either know it or you don't. Biometrics = calculation of probability.

Relying on biometrics alone is not wise for critical applications. Hence the emergence of multi-factor authentication.

As an example 3-factor authentication would be:

  • something you have: for example a smart card
  • something you are: this is where biometrics comes into play
  • something you know: for example a password

It would be objective to say that biometrics are gaining momentum in some markets/applications, without eliminating passwords altogether. It does not have to be a zero-sum game.

Kate
  • 7,092
  • 21
  • 23
  • Palm and Iris scans? – kelalaka Jul 05 '20 at 18:14
  • 1
    I'm a bit dubious about your first paragraph, but the rest is fairly reasonable. – Conor Mancone Jul 05 '20 at 19:02
  • 6
    To amend the answer above: In fact some biometric**-like** approaches may be helpful, but **they are NOT what is usually meant under "biometrics"**. [There are ways](https://bojinov.org/pdfs/usenixsec2012-rubberhose.pdf) to record information into the human nervous system in the way so the recorded information cannot be extracted by [applying a rubber hose](https://en.wikipedia.org/wiki/Rubber_hose_cryptoanalysis), [a wrench](https://xkcd.com/538/) or more advanced purpose-designed tools and then verify if it is recorded, if the system knows what exactly to check. – KOLANICH Jul 05 '20 at 22:06
  • 2
    Based on your argument `a face is public knowledge` the biometrics factor is equal to *something you have* since you '(probably) have that face' or a photocopy of it. – jaaq Jul 06 '20 at 07:50
  • 5
    @jaaq "Something you have" usually implies that "having" is transferable. Faces usually are not transferable. Only if the photocopy will work, too, do you have that problem... – I'm with Monica Jul 06 '20 at 11:50
  • 7
    @kelalaka An Iris Pattern ( or fingerprint, or palm print) can be recreated from a high-enough quality photograph, so falls into the same bucket as Faces and Fingerprints. Retina scans are better in this regard. This is also why some newer Fingerprint tech is focussed on scanning the pattern of blood vessels *inside* the finger. – Chronocidal Jul 06 '20 at 12:23
  • 2
    @Chronocidal ah, when I say palm, I was simply considering the blood vessels. Thanks. – kelalaka Jul 06 '20 at 12:26
  • 1
    This is a good answer, but the conspiratorial tone of the first paragraph drags it down. – Schwern Jul 06 '20 at 17:27
  • 1
    @jaaq: A face is not "something you have" in the authentication sense because the party you're authenticating to can't tell whether you have it. All they can tell is whether you *know* a suitable digitization of it. And sufficient information to derive a suitable digitization is public knowledge, not a secret. Therefore it is not at all suitable as an authentication method. – R.. GitHub STOP HELPING ICE Jul 06 '20 at 20:29
  • 1
    Conor and Schwern's complaints about the first paragraph are unwarranted. It's not "conspiratorial"; it's honest about how incentive structures work. Conspiracies are largely impossible because nobody can keep a secret. But phenomena like what Anonymous is describing here are natural consequences of alignment of incentives. – R.. GitHub STOP HELPING ICE Jul 06 '20 at 20:31
  • Can we just remove the first paragraph to make this a better answer? While I agree with the statement itself, it doesn't really add anything but an edgy tone to it. Or at least rephrase it into something neutral and informative. – Num Lock Jul 07 '20 at 08:14
  • The "cancellation problem" with biometrics only exists if you're trying to use your biometric as a password and depending on keeping it secret. The measure of security for a biometric system is how secure it is *when the biometric data is public knowledge*. In other words, the key claim in the answer misses the point as completely as someone saying "AES is not secure because the algorithm isn't secret." It isn't supposed to be. – Josiah Jul 07 '20 at 17:24
  • 7
    `Biometrics are usernames, not passwords` – mgarciaisaia Jul 07 '20 at 19:52
  • "So one should not take those claims from vendors at face value." sounds entirely reasonable to me. On the other hand, the incentive structures of, say, banks are much better aligned with wanting their customers to access their money and no-one else (except perhaps the bank! ;) ) When banks are happy to let you log into their app with your voice or your thumbprint instead of a password, that's probably because they've concluded it's sufficiently more secure at the inconvenience level their customers will accept that it's worth paying said biometrics vendor. – Josiah Jul 07 '20 at 20:11
  • "On top of that the collection of biometric data is a formidable enabler...governments cannot be trusted" This is a great philosophical issue to wrestle with, and the tech industry definitely needs to do better at wrestling with the philosophical implications of their inventions. Still, it really has nothing to do with whether biometrics are secure (except perhaps in driving research that makes them more so!) – Josiah Jul 07 '20 at 20:15
  • "The false or negative positives rate is also a problem." Yes. Kinda. The real tradeoff is convenience vs security. High false positives: poor security. High false negatives: lower convenience. However, that lower convenience may still be better than the best convenience for passwords. In the time it would take me to type a minimal security password (6 all lowercase letters) I could retry my thumbprint scanner 3 times. So if my phone thumbprint scanner randomly (and the randomly is important) misses me 5% of the time, 99.99% of the time I authenticate faster than with even a weak password. – Josiah Jul 07 '20 at 20:28
  • 2
    @Josiah you're assuming one specific type of failure causing a false negative, a completely random failure. Suppose your thumbprint only worked when the temperature was low, or high, or at certain times of day, etc? Suppose the device is slowly degrading over time? (These are all real problems that have happened with biometric devices.) – barbecue Jul 07 '20 at 21:47
  • Yes, that's why I said "And randomly is important". The sweaty thumb problem is the "Your capslock is on" problem for fingerprint sensors. It's why if you want to use biometrics on your phone, the phone forces you to enable an alternative. Even so, even if retapping won't help on the 5% of the time you can't get in, most people find that the 95% makes it worthwhile. – Josiah Jul 07 '20 at 21:59
  • Even better, it's easier to persuade people not to use "qwerty" as their password if you tell them they'll only have to put it in 5% of the time. In other words, in an "either of" single factor authentication model, having the biometric option available can make the password option stronger! – Josiah Jul 07 '20 at 22:00
  • 1
    Also, passwords can be given to someone else. That's rather important in companies and also in many personal situations (e.g. death). – Sulthan Jul 14 '20 at 08:39
  • @Sulthan, solid security schemes allowing for authorised second users work by identifying and authenticating the authorised second user, not by the second user impersonating the first. That's why banks and such say "Don't give your password to anyone, not even us." Any bank employee who needs to check your account does it as a bank employee, not as a pretend you. Likewise if, say, you want a friend to manage your Facebook account after you die, you can set them up as a "Legacy Contact". Again, this authorises them to do some things in some situations, not to pretend to be you. – Josiah Jul 28 '20 at 07:46
  • In fact, the fact that passwords can be shared is generally considered one of the biggest problems with passwords. The company security team consider it important that people don't share their passwords. This is because, first, people aren't generally as good as we think we are at spotting untrustworthy sorts and tend to share with people they shouldn't. Second, because if something does go wrong they want to know for sure who did it. If I can log into my colleague's account to download and leak the company database, they'll fire the wrong person. – Josiah Jul 28 '20 at 07:54
  • 1
    "So one should not take those claims from vendors at face value." - ironically that's exactly what these vendors want to do with Biometrics – Shmuel Newmark Apr 12 '21 at 15:50
8

but at least it can be changed

They change frequently - depending on how much you've eaten/drunk. Ambient lighting has a big impact. Age. Variations in the devices performing the measurement. Biometrics work by the measured attributes being sufficiently close to some baseline record to be considered a match by the software. "Close enough" doesn't work for encryption keys - only for authentication. It's an even worse problem for 2FA tokens - that just proves you own a secret with sharing the secret. The secret needs to be available in plain text at both ends of the authentication process.

Passwords have problems. 2FA tokens have problems. Biometrics have problems. Short of DNA sequencing (not viable) the most viable approach to strong security is to combine different methods.

symcbean
  • 18,418
  • 40
  • 74
  • 2
    Even DNA sequencing has problems! – Captain Man Jul 06 '20 at 18:32
  • 5
    ... including but not limited to [chimerism](https://en.wikipedia.org/wiki/Chimera_(genetics)#Humans). – Eric Towers Jul 06 '20 at 20:30
  • And then you throw in cell level diseases, and cancer, and well, DNA is not exactly easy to deal with. – Nelson Jul 07 '20 at 03:17
  • I don't understand the _"...problem for 2FA tokens - that just proves you own a secret with sharing the secret."_ part. The "secret" that is at both ends can only be extracted by great in-person inconvenience or using deliberately broken equipment at the time of registration. – Michael Jul 07 '20 at 15:53
  • @CaptainMan That’s *technically correct* but since there are a lot of misconceptions flying around about this in the popular press, let me note that modifications of your DNA during your lifetime are *exceedingly rare* (less than one change in a million), and would be completely irrelevant in the context of this discussion. Chimerism (as noted by Eric) and, more importantly, *mosaicism*, would be a much more relevant issue (but can also be trivially worked around). For all intents and purposes, your DNA is completely constant. – Konrad Rudolph Jul 22 '20 at 09:59
  • DNA sequencing cannot tell the difference between twins. Only fingerprints can. – A. Hersean Jul 24 '20 at 16:01
7

I don't quite get where the idea of changing a password being expensive comes from. Having worked in/on password storage and website logins, changing a password isn't very expensive, not more so than opening a new web tab and receiving an email.

PINs are essentially weaker passwords (at least by my definition of what a "PIN" is).

Biometrics have one problem; if they get breached you can't really willingly quickly change them. Furthermore as soon as someone has access to you (like when you are arrested) they can take your biometrics and get access to all your accounts.

Decreasing dependency. Many companies are decreasing dependency on passwords and have started using two factor authentication. This comes in many forms but may be anything from having to confirm changes with an email link, entering a code sent to you by text, or having a special app that you have to use to confirm your decision. Two factor authentication is not perfect and has several flaws, and is annoying and tedious, but is also rather effective.

Biometrics storage. This is the sketchy part. Whereas passwords can be stored in super secure ways, biometrics can't really, as you need to compare a profile with the input, which means that that profile can be stolen. Biometrics are also rather vulnerable as they are constantly visible on you (fingerprints, iris, DNA, speech, facial recognition). This makes it easy to steal/copy them, which is a lot more difficult with passwords, if they are managed properly.

To sum it up passwords are pretty good, if used properly (which most people don't) and can be greatly improved using two factor authentication (or more factors as @Anonymous pointed out).

The_Moth
  • 97
  • 3
  • 4
    The idea of changing a password being **expensive** is indeed strange. The thing is, it is not always possible for the user to change it. For example to reset a password in Active Directory **IT support department** will have to intervene and **manually** reset it (and verify the request is legitimate and not a possible **social engineering** trick). It happens so many times that employees forget their password. Sometimes, the **password policy** is the cause of the problem: employees rotate their passwords using a pattern that is more or less constant, and after a while they are confused. – Kate Jul 06 '20 at 11:31
  • 1
    So the first explanation is that passwords can be "expensive" in terms of clerical work involved (IT support) when it is in fact a cost of doing business. Hardly anybody says that computers are "expensive". The other meaning of "expensive" is as outlined in one of the articles: *"Passwords are a very serious and expensive security risk"*. Meaning that a compromised password can have very detrimental consequences, which is self-evident. A compromised password leading to a breach is expensive for the victim. That still does not mean that alternatives are less expensive. – Kate Jul 06 '20 at 11:40
  • 2
    When the OP says changing a password is tedious and expensive, I read that to mean ***for the user***. Because no matter how streamlined the process, it's not one password, it's one hundred. We have password managers to deal with this flood, but they are difficult to get a typical user to adopt. Even with a password manager and automatic notification of password breaches, resetting compromised passwords is a tedious, manual, constant process for the user. – Schwern Jul 06 '20 at 17:33
  • 2
    The wording suggests 2FA is a replacement for passwords. The "two" in two-factor authentication means a password AND a second code; it's an extra layer of security. However, a password reset via emailed link is often used as a replacement for infrequently used accounts. Users using password reset to avoid having yet another password illustrates password exhaustion. – Schwern Jul 06 '20 at 17:38
  • @Schwern I'm not sure I understand that argument. Unless the thing that was breached was your personal password database, then any breach should be of one or two individual passwords that should be relatively straightforward to change -- unless someone has already exploited the breach and changed your account details, but then that's going to be a problem regardless. Or unless you're using the same password on hundreds of sites -- which is exactly the same problem that using biometrics would cause. – Miral Jul 06 '20 at 22:17
  • @Miral One or two individual passwords this time. And again. And again. On repeat, forever. For each one has to go to the website, remember their username and password (most people don't have a password manager), login, find where to change the password (they're all different), maybe put in the password again, maybe also 2FA, come up with a new password, come up with another one that meets the policy, and remember it. Biometrics are *not* the answer, but password fatigue is a real problem. Password resets are frustrating out of proportion to the effort; even with a manager I hate it. – Schwern Jul 06 '20 at 23:09
  • Indeed, most people don't have a password manager, and yet there are free, proven and open source solutions available on the market today. What's the holdup, apathy, ignorance ? People could make their life simpler but instead they keep using bad passwords. They know they are bad but they are still doing it. My password manager even has a browser plugin. This is nice if you are lazy: almost no keystrokes required. I have complex passwords for each site and I don't have to remember them. Not a perfect solution but one of the best tools we have. – Kate Jul 06 '20 at 23:58
  • I don't use a password manager, but I also use a unique password for every site. I just remember them all. On the occasion I forget one, the password reset is usually easy to find and only takes a few seconds to use. (Usually the only time I have problems remembering a password is when the site has a stupid policy in place, which is one reason why I agree with xkcd that this actually lowers security.) – Miral Jul 07 '20 at 02:32
  • @Anonymous: the holdup is that using bad passwords costs almost everyone almost nothing, almost all the time. If the mean time between your bank account being hacked was, say, 2 days, then the average person might start to see the issue, but it is not. And it's no coincidence that many of the services that it would actually matter financially if they get hacked, are the same sites encouraging 2FA. – Steve Jessop Jul 07 '20 at 03:16
  • In fact an authentication app on your phone has some features in common with a password manager plugin: it generates "passwords" (not literally passwords, but data used to authenticate you) too secure for you to be able to remember. But it uses better protocols than, "I'll just send the exact same secret every time, shall I? That will probably be OK." – Steve Jessop Jul 07 '20 at 03:26
7

TLDR:
To sum up, your question was "what if this information is breached?"
The answer is "the grown ups in the biometrics space assume it is by default."
An intrinsic part of their security model is the additional checks each time authentication happens to distinguish real people from replays and replicas. Inasmuch as replays and replicas are not accepted, the secrecy of the actual face, fingerprint, etc. isn't a part of the security model.


For background, I worked for 3 years as a developer in the research team of a biometrics startup. The industry definitely has its fair share of crackpots and mavericks and I got to hear all sorts of unlikely claims and philosophically dubious standards of measuring their effectiveness. As I mentioned in a comment, if your biometric security system relies on the face (or fingerprint or whatever) being secret, you're one of the quacks. Likewise if you're dismissing biometrics because they're not kept secret, you're wasting your time arguing with quacks.

However, there are grown ups involved too. The major players do know what they're doing, and are suitably dismissive of the quacks. By major players, I'm talking major companies like Apple and government agencies like NIST. But on top of that, most everyone uses biometrics, they just don't use state-of-the-art tech for it.

Here's how it works. You want to start a new job, and before anything else happens you're asked for some sort of government ID with a photo. Why the photo? Because they want to check that you (the human) match the id (the photo). Keep this distinction in mind: even though most face recognition systems can match two photos of faces, biometrics is specifically about matching a human. HR or IT security or whoever it is has to check two things: You look like the photo, and you're a human.

Likewise, every non-quack biometric authentication system has to check these two things. There will be a matcher and there will be a presentation attack detection system (PADS). The matcher confirms that you look like the stored photo (or stored mathematical representation in whatever sense) and the PADS is responsible for checking that you're not just a photograph. For example the iPhone FaceID uses an infrared dot projector and directly measures the 3d structure of your face, as well as using the camera to check you look like you. Other PADS systems measure other properties: perhaps motion, temperature, heartbeat, electrical capacitance, or some combination. The goal is to identify properties that humans have by default but are hard, expensive work to forge.

If you use, say, a banking app that uses FaceID, it doesn't forward your face to the bank for checking. That would be fairly pointless. All the bank could verify is that someone has a picture of your face. In fact, Apple won't actually let the bank send that data; they won't let the biometric data leave the phone! Instead the phone verifies the person, and then sends a suitable message to the bank to the effect of "I, Josiah's phone, confirm that I have just seen a person and the person looks like Josiah." (Probably with an additional "And I'm signing this message with my private key." for good measure).

In terms of performance, matcher software has made incredible progress in the last few years. For example, during my time in the industry, the state of the art in face matchers got about a thousand times better (as measured on NIST's FRVT competition). They're far better than that HR official who checked your passport and set you up with your company account in the first place. In fact, they're into the level of performance where they could successfully distinguish many people from every other human being on the planet. That's really impressive for identification, but it's still not the antidote to malicious spoofing.

PAD systems also continue to improve. This is more of a mixed bag because their performance depends so much on what hardware they're using, and Apple's fancy IR projector will be better than camera-only systems that rely on, say, asking the person to blink. Generally, PAD systems are still the weakest link, but a strong PAD system still moves a typical attack overhead from "Pull up their facebook profile picture and take a snapshot" to "Gather a team of experts and set them a multi-week 3d fabrication project." On top of that, of course, you need access to the validation system: if we're assuming a setup like "You log in by doing FaceID on your phone" then you need their phone. Now that's perhaps still faster/cheaper than breaking the password of the sort of person who spends time on security.stackexchange, but it's a whole lot slower/less scalable than just trying "qwerty" as the password for each of the employees in the company you want to break.

To sum up, your question was "what if this information is breached?" The answer is "the grown ups in the biometrics space assume it is by default."

That's what the PADS is for. It doesn't have to be a high tech PADS. In some settings, a human monitoring the camera stations, watching for charlatans holding a printout to the camera, is a reasonable PADS. If you don't have a PADS; if just knowing what someone looks like means you can impersonate them; then you don't have a biometric authentication system. You just have a moronic password system where everyone's password is tattooed onto their forehead. But if you do have a good PADS, you have a system that can offer a good level of security at an excellent level of convenience even for the sorts of person who asks why they can't leave the password field blank.


I would be remiss if I did not clarify that biometrics is not solely an authentication technology, and other uses do not always require a PADS. When the police match fingerprints from a crime scene against a database, they don't check that the prints are attached to a human. When a casino uses face recognition to look for known card counters, they take for granted that no-one is trying to impersonate a counter. For these sorts of things, it entirely comes down to matcher performance. It is strictly for authentication that the PADS is key.

Josiah
  • 1,848
  • 9
  • 14
  • 1
    Not OP but thanks a lot for so many valuable points. Just wanted to ask can you point me in the right direction about how the template can be protected against replay attacks? So for example someone capturing fingerprint template of a person and then replaying it every time a new authentication challenge is requested? – void_in Jul 09 '20 at 18:53
  • If replay attacks are a problem, you're generally in the realm of biometrics-as-a-password. Under, say, an iPhone TouchID/FaceID model (or a webAuthN model as mentioned by mattymcfatty), you don't get the template transmitted at all, so there's nowhere for an attacker to do a replay in. Instead it's the device that reads the biometric in the physical world and knows that it's a fresh reading that makes the match call. – Josiah Jul 09 '20 at 20:50
  • If you do want to transmit the biometric template for some reason (perhaps because you/your regulator wants an audit trail of some sort), again the only thing that can know it's fresh is the device that reads it. One reasonable option is to have the sensor sign not just a message to the effect of "I've confirmed the match", but to package together "I've just read this biometric at T time in response to N challenge code" and sign that with a cryptographic signature. – Josiah Jul 09 '20 at 20:53
  • 1
    The one thing that this model really doesn't work well for is logins from unregistered hardware using only knowledge of the biometric (because, again, the biometric isn't secret). Perhaps a fingerprint scanner on an ATM could be trusted (I wish! Another story.), but I can't go to my cousin's house, borrow her laptop, and log in with my finger. If I could, then indeed an attacker who stole my print could just replay a stolen biometric. Attestation of "Hello, I Jasmine's laptop confirm that I've just seen a person that looks like Josiah." should deserve a "I know Josiah, but who are you?" – Josiah Jul 09 '20 at 20:59
  • 1
    Thank you so much. Yeah we are indeed in the realm of using biometric as a password issue. The sensor will take the fingerprint and transmit the template to be authenticated from a central DB. I will see which sensors are capable of signing the template so that the freshness could be determined from the received template. Thanks once again. – void_in Jul 10 '20 at 15:29
  • 2
    Just remember that in this model you're trusting the device, and in security "Trusted" means "Able to break everything". That is, it's not an absolute guarantee of freshness, it's just the device's guarantee of freshness. If an attacker can compromise the device, then they can do a replay and get the device to certify that it's new. – Josiah Jul 10 '20 at 16:47
6

I'm surprised no one is mentioning WebAuthN. It uses public key exchange to sign a challenge with a private key and eliminate passwords altogether. The new WebAuthN standard combines something you have (private keys on a device) with something you are (your fingerprint) and has the capability to include something you know (PIN/password). On the server, only the public key and the key ID are stored, so an attacker has nothing to gain by compromising the site's database and collecting everyone's public keys. Biometric data are only used locally to unlock the private keys on the authentication device. They are never sent to the server.

I'm a web application penetration tester by day and I can tell you that eliminating password spraying, brute force, and all those style attacks against a system makes my job much harder. I would have to get malware on your machine and somehow trick it into signing a WebAuthN challenge to log in as your user. Or hop on a plane, fly to your house, steal your key, pull a fingerprint off of the wine glass you used last night...you get the idea. This is much less likely than me sitting at home and spraying a password re-use attack from a recent breach.

It does have some drawbacks; most significantly a "lost device" scenario. But from a security perspective, it really raises the bar.

  • It may be worth acknowledging one intrinsic weakness of biometrics: because measurements are noisy, unlike passwords, they cannot be readily turned into keys. As such "Biometric data are only used locally to unlock the private keys on the authentication device." is true, but it's an "if match(biom) {return data;}" sort of unlocking rather than a "decrypt(biom, data)" sort of unlocking. This means your device does need to be properly tamperproof, or the biometric step can be bypassed and it's just a "something you have" authenticator. – Josiah Jul 07 '20 at 22:25
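The WebAuthN flow described in this answer, as an added example (not code from the answer or from the WebAuthn specification): a relying party that stores only the public key and hands out one-time challenges, and an authenticator that signs them. ECDSA over P-256 stands in for the authenticator's signing algorithm, and the type and function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// RelyingParty is the server side: only the public key (WebAuthn adds a credential ID) and outstanding challenges.
type RelyingParty struct {
	pub     *ecdsa.PublicKey
	pending map[[32]byte]bool
}
// Authenticator is the user's device; the private key never leaves it. The local
// fingerprint/PIN match that gates Sign on a real device is not modelled here.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// Register: the device generates a P-256 key pair and hands over only the public half.
func Register() (*Authenticator, *RelyingParty) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv}, &RelyingParty{&priv.PublicKey, map[[32]byte]bool{}}
}
// Challenge issues a fresh random nonce that may be consumed exactly once.
func (rp *RelyingParty) Challenge() [32]byte {
	var ch [32]byte
	rand.Read(ch[:]) // crypto/rand; a read failure is not expected in practice
	rp.pending[ch] = true
	return ch
}
// Sign is the assertion step: the device signs the hash of the server's challenge.
func (a *Authenticator) Sign(ch [32]byte) []byte {
	h := sha256.Sum256(ch[:])
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return sig
}
// Verify accepts a signature only for an outstanding challenge (a captured pair is worthless afterwards) and only under the stored key.
func (rp *RelyingParty) Verify(ch [32]byte, sig []byte) error {
	if !rp.pending[ch] {
		return errors.New("unknown or already-consumed challenge (replay?)")
	}
	delete(rp.pending, ch) // single use, even if the signature turns out to be bad
	h := sha256.Sum256(ch[:])
	if !ecdsa.VerifyASN1(rp.pub, h[:], sig) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}
```

A database dump of this server yields public keys and nothing else; without the device's private key no one can answer a fresh challenge.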
2

Passwords are not bad per se; they are only bad because users are stupid and lazy, and because people who are responsible for security policies are often even more stupid than users. As a result, you end up with policies such as users being forced to change the password every week, some particular length, and including at least so and so many digits and special chars, and the last 100 passwords are saved. Whatever, you know.

So guess what you will get from such an obnoxious policy. That's right, you'll get loveyou01 through loveyou99, which is much less secure than a well-chosen unguessable password that can as well stay valid for many months (possibly years).

There remains the problem of having to remember a lot of unmemorizably long and complicated passwords, of course. But this problem has been solved; it's called a password manager.

Now, biometry, on the other hand, is not without troubles, either. The three major problems with biometric identification are that

  1. biometric data does not change
  2. biometric data changes
  3. biometric data cannot be withheld

The fact that biometric data changes, all the time, requires the authentication procedure to be somewhat fuzzy and "intelligent". Now, artificial intelligence is a very significant oxymoron. Computers aren't intelligent, no matter what marketing tells you. They can do some fuzzy matching at best.

What's good enough, your twin sibling's face? A photo of yours? A rubber replica of your fingerprint? What about manufacturing patterns in your cheap Chinese screen protector (the famous Galaxy S10 story...)?

The problem is that the identification hardware/software must account for variable, changing input (fingers are held at different angles, ridges are deeper or less deep depending on how much you drank and depending on how hard you press, you get scratches on your finger, and scratches heal with time, your face looks different when you lose weight, etc etc).

The other problem is, of course, that biometric data doesn't change. Someone steals my fingerprint data. Now what am I going to do? Cut off my finger and wait for my body to grow a new one? That might be worth trying, but I'm somewhat sceptical whether it's a practical approach. Let's hope this doesn't happen several times, what will I do the 11th time my prints are compromised?

The last problem is that I can take your fingerprints while you're passed out drunk (or otherwise unconscious) without you having to do anything. I can do it when you're dead, even (though some detectors require blood circulation). Or, I can just take your fingerprints off a surface that you've touched when you aren't even present.

Passwords are somewhat better in that respect. You can tie me to a chair and beat me until I reveal a password, that's right (known as a rubber hose attack, or wrench attack). If I am some very important person protecting some very important secret, and you force me to reveal the password, I might give you a "distress" password which does an emergency lockdown and calls in the SEALs, whatever, and you cannot tell unless you actually try (in which case, if it's indeed the distress password, it's too late).

Passwords sure aren't perfect, but at least there still remains some control on my side. Also, you can't extract the password from me when I'm unconscious or dead. Or from a glass that I held while drinking.

schroeder
Damon
0

Changing a password may be tedious and expensive, but at least it can be changed. I'm uncertain how biometric authentication addresses this problem--as I cannot change my face, iris, fingerprint, and etc.--or if it needs to address this problem at all.

I suppose people who want to sell software will proclaim the benefits of software, and likewise for hardware manufacturers. Each has benefits and drawbacks. An effective combination of the strengths of each seems the best solution.

My Samsung phone has a password manager that is easy to set up.

It uses a combination of facial, iris, and fingerprint recognition to unlock its password manager, and supply a different password to each website (without disclosing your biometrics).

Samsung Galaxy Password Manager screen

You can use long and complicated passwords which are different for every website; accessed using encrypted biometric keys, stored in TrustZone, that never leave your phone.

It is possible to change which finger you scan and update your facial data for more accurate processing. Your phone has other tricks up its sleeve; for example, it can be remotely tracked and locked through Samsung's website. While that may be a different security and privacy issue, one must weigh who they will trust versus the convenience of use. You wouldn't want to access websites only by showing up in person with three pieces of identification.

There are fingerprint and password USB key fobs for laptop and desktop use; these can provide a similar level of additional security over and above your OS's password, though a key fob with facial recognition and GPS tracking could be fairly pricey.

Rob
-1

Passwords do need to be eliminated, but all the ideas you've cited as replacements are wrong. Passwords are not expensive to change. But they are prone to weak choices, compromise via reuse, and (most importantly) social engineering into disclosure to the wrong party (this encompasses phishing and a lot more).

Biometrics are not secrets whatsoever, and are not "something you have" unless you have a locally trusted digitization device whose sensors can't be tampered with to feed in prerecorded data. In the absence of that, they're a "something you know" that happens to be something everybody knows, and thus completely unsuitable for authentication. There is a trend to use tamper-resistant hardware to unlock the actual (non-user-facing) key/token stored inside it in response to biometric measurements (fingerprint and facial unlock of phones, etc.) but these are all defeatable with laughably bad fakes.

PINs work in a somewhat similar way, as a mechanism to unlock the real key/token, but use the tamper-resistant device to throttle against brute-forcing, so that you can get away with much shorter/simpler "something you know" secrets. These are less trivial to defeat, but still not strong. There will essentially always be attacks to bypass throttling or to extract all the data, at which point it can be quickly brute-forced on another machine.

The right replacement for passwords is public key authentication, with the private key held in an isolated device (something you have) and protected by a passphrase (something you know). The only difference between this and a PIN is the strength that the word "passphrase" is intended to convey: the derived symmetric key used to encrypt the private key is sufficiently strong that, even if the device is stolen and all data extracted, it can't be brute forced. Users of such a system must know never to enter the passphrase anywhere but on the isolated device, and to revoke and regenerate keys if they suspect the passphrase has been disclosed.

  • Second paragraph: biometrics are "something you ARE", not something you have or something you know. – andrewf Jul 07 '20 at 14:20
  • @andrewf: My whole point is that that's false. Bio **metrics** are measurements and thus a "know" not an "are". Are-ness is not something you can evaluate in an authenticator. – R.. GitHub STOP HELPING ICE Jul 07 '20 at 15:41
  • "unless you have a locally trusted digitization device whose sensors can't be tampored with to feed in prerecorded data" is indeed a requirement of biometric systems. Ideally, as you suggest, that device will be doing some sort of public key authentication when it confirms you are you. Something like this perhaps: https://www.bbc.co.uk/news/av/technology-49322217/testing-the-debit-card-with-a-fingerprint-sensor – Josiah Jul 07 '20 at 19:53
  • "Unless you have [something that doesn't and can't exist]"... – R.. GitHub STOP HELPING ICE Jul 07 '20 at 22:47
  • @R..GitHubSTOPHELPINGICE, A biometric system necessitates a sensor which makes a real measurement of a real eyeball/fingerprint/face/whatever. Sure, there will always be ways to fool a system, but password systems are notoriously fragile too. There are always tradeoffs. Just because there is no Platonic-ideal perfect biometric system, doesn’t mean there are no _useful_ biometric authn systems. – andrewf Jul 08 '20 at 10:35