28

In the last couple of days there were a lot of talking about passwords and passphrases, not only here, but on several blogs and forums I follow (especially after XKCD #936 saw the light of this world). I heard quite a few pros and cos of both of them and this got me thinking.

Why do we use password and passphrase at all instead of biometrics? I know biometrics are not the holy grail of authentication and/or identification, but (And the most popular password is... from ZDNET) at least I can be pretty sure that majority of users won't have the very same and easy to guess biometrics. Also I can't forget my finger or iris (while I can forget password / passphrase). With the era of cloud coming, the major strength of passphrases (length) might easly be ephemeral.

Like I said, I know biometrics are not perfect, but if we know that passwords / passphrases are the Achilles' heel of almost every system, why are biometrics underused? According to Tylerl (Biometric authentication in the real world from this site, second answer), biometrics is used even less than it used to be. I mean, even if fingerprints are easily forged, it's still better than having many users with password 123456 or qwertz, at least from my point of view (feel free to prove me wrong).

So, in short, what are the biggest problems / obstacles which are stalling widespread adoption of biometrics?

EDIT

I won't comment each reply, but put my thoughts here. Also I would like to clarify some things.

Problem of normalization

I don't know how is it in USA, but in UK law states that you need at least 5 (or 7, I'm not sure) referent points used in matching. This means that even if you don't have perfect scan, system can still do matching against vector (which is representing fingerprint) stored in DB. System will just use different referent points. If you are using face as biometric characteristic EBGM can recognized person even if face is shifted by ~45°.

Problem of not-changeable (characteristics)

Well, you can actually change characteristics - it's called cancelable biometric. It's working similar as salting. The beauty of cancelable biometric is that you can apply transformation daily is needed (reseting password every day could result in a lot of complains).


Anyway, I feel like the most of you are only thinking about fingerprint and face recognition, while in fact there are much more characteristics which system can use for authentication. In bracket I'll mark the chances of fraudery - H for high, M for medium and L for low.

  • iris (L)
  • termogram (L)
  • DNA (L)
  • smell (L - ask dogs if you don't believe me :] )
  • retina (L)
  • veins [hand] (L)
  • ear (M)
  • walk (M)
  • fingerprint (M)
  • face (M)
  • signature (H)
  • palm (M)
  • voice (H)
  • typing (M)

Ok, let say biometric hardware is expensive and for simple password you have everything you need - your keyboard. Well, why there aren't systems who are using dynamic of typing to harden the password. Unfortunately, I can't link any papers as they are written in Croatian (and to be honest, I'm not sure do I even have them on this disk), however few years ago two students tested authentication based on dynamic of typing. They made simple dummy application with logon screen. They uploaded application on one forum and post the master password. At the end of this test there were 2000 unique tries to log with correct password into the application. All failed. I know this scenario is almost impossible on the webpages, but locally, this biometric characteristic without need of any additional hardware could turn 123456 password into fairly strong one.

P.S. Don't get me wrong, I'm not biometric fanboy, just would like to point out some things. There are pretty nice explanations like - cost, type 2 error, user experience,...

StupidOne
  • 2,812
  • 22
  • 35
  • 2
    I do not understand how cancelable biometric solves the "Problem of not-changeable (characteristics)" point. Even with passwords, if you like, you may generate a new hash by modifying the salt each day, while the actual password remains the same (and no user's complaint). The issue here is that, while with passwords a user has got the _ability_ to choose another password, with biometric a user loose this possibility and cannot choose another thumbprint over time or for different applications... – WhiteWinterWolf Nov 16 '13 at 09:32
  • Because, there isn't a single (or very few) piece(s) of information about thumbprint stored in DB (or where ever you store data). Forging thumbprint is not really an option (unlike password). Think of it as black and white picture (with none or next to none grey-scale colors) - where was the blue color in the original image? Was there any? Yet, we can assume, each this b&w picture stored in DB is unique. – StupidOne Nov 16 '13 at 13:16
  • From the information stored in DB you cannot deduce the thumbprint, it is equivalent to a password hash. So if this DB info is used for some authentication and has been stolen, changing the salt or using cancelable biometric will change this database representation and make the stolen information useless. However, if someone reproduced the fingerprint, no matter how this database representation is changed the fake fingerprint will always work. When a password is stolen, one can change it. When your thumbprint is stolen, how do you change it? Does cancelable biometric help? – WhiteWinterWolf Nov 18 '13 at 15:32
  • You can't reproduce fingerprint. You can't even use stolen credentials to gain access (in the same fashion you would with passwords) [link](http://www.scholarpedia.org/article/Cancelable_biometrics) – StupidOne Nov 18 '13 at 16:35
  • 1
    **1)** Fingerprint.... What about handicapped people with no hands? **2)** Face Recognition.... do you want your twin to log in to your account? What if instead of 1 other twin, you actually have 11 of them.. http://voices.yahoo.com/tunisian-woman-allegedly-pregnant-4089411.html – Pacerier Jan 31 '14 at 05:02
  • I Don't want to write an answer about this, but you can use different passwords on 100 different but you cant do the sane for biometrics. Once one account is hacked, they all are. – thesecretmaster Nov 12 '15 at 18:33

14 Answers14

36

Passwords and biometrics have distinct characteristics.

Passwords are secret data. Data is abstract: it flows quite freely across networks. Cryptography defines many algorithms which can use secret data to realize various security properties such as confidentiality and authentication. The shortcomings of passwords are due to the fact that they are meant to be memorized by human beings (otherwise we would just call them "keys") and this severely limits their entropy.

Biometrics are measures of the body (in a wide sense) of a human user. Being measures, they are a bit fuzzy: you cannot take a retinal scan and convert it into a sequence of bits, such that you would get the exact same sequence of bits every time. Also, biometrics are not necessarily confidential: e.g. you show your face to the wide World every time you step out of your home, and many face recognition systems can be fooled by holding a printed photo of the user's face.

Biometrics are good at linking the physical body of a user to the computer world, and may be used for authentication on the basis that altering the physical body is hard (although many surgeons make a living out of it). However, this makes sense only locally.

There is a good illustration in a James Bond movie (one with Pierce Brosnan; I don't remember which exactly): at some point, James is faced with a closed door with a fingerprint reader. James is also equipped with a nifty smartphone which includes a scanner; so he scans the reader, to get a copy of the fingerprint of the last person who used it, and then he just puts his phone screen in front of the reader; and lo! the door opens. This is a James Bond movie so it is not utterly realistic, but the main idea is right: a fingerprint reader is good only insofar as "something" makes sure that it really reads a genuine finger attached to its formal owner.

Good fingerprint readers verify the authenticity of the finger through various means, such as measuring temperature and blood pressure (to make sure that the finger is attached to a mammal who is also alive and not too stressed out); another option being to equip the reader with an armed guard, who checks the whole is-a-human thing (the guard may even double as an extra face recognition device). All of this is necessarily local: there must be an inherently immune to attacks system on the premises.

Now try to imagine how you could do fingerprint authentication remotely. The attacker has his own machine and the reader under his hand. The server must now believe that when it receives a pretty fingerprint scan, it really comes from a real reader, which has scanned the finger just now: the attacker could dispense with the reader altogether and just send a synthetic scan obtained from a fingerprint he collected on the target's dustbin the week before. To resist that, there must be a tamper-resistant reader, which also embeds a cryptographic key so that the reader can prove to the server that:

  • it is a real reader;
  • the scan it sent was performed at the current date;
  • whatever data will come along with the scan is bound to it (e.g. the whole communication is through TLS and the reader has verified the server certificate).

If you want to use the typing pattern, the problem is even more apparent: the measuring software must run on the attacker's machine and, as such, cannot be really trustworthy. It becomes a problem of defeating reverse engineering. It might deter some low-tech attackers, but it is hard to know how much security it would bring you. Security which cannot be quantified is almost as bad as no security at all (it can even be worse if it gives a false sense of security).

Local contexts where there is an available honest systems are thus the contexts where biometrics work well as authentication devices. But local contexts are also those where passwords are fine: if there is an honest verifying system, then that system can enforce strict delays; smartcards with PINs are of that kind: the card locks out after three wrong PINs in a row. This allows the safe use of passwords with low entropy (a 4-digit PIN has about 13 bits of entropy...).


Summary: biometrics can bring good user authentication only in situations where passwords already provide adequate security. So there is little economic incentive to deploy biometric devices, especially in a Web context, since this would require expensive devices (nothing purely software; it needs tamper-resistant hardware).

Biometrics are still good at other things, e.g. making the users aware of some heavy security going on. People who have to get their retina scanned to enter a building are more likely to be a bit less careless with, e.g., leaving open windows.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • 2
    I guess the main idea (but which you didn't explicitly mention) is one that Bruce Schneier already remarked: [“Biometrics are unique identifiers, but they're not secrets.”](http://www.schneier.com/blog/archives/2009/01/biometrics.html). Crucial here is the distinction between *identification* and *authentication*. Identification is nothing more than to say “I am Foo”. Whether this happens via a name, a number or a fingerprint is irrelevant, but those are all just identification tools, not authentication. – Joey Nov 04 '11 at 09:55
  • @Joey, Biometrics can be secret too, well of course if you decide to use your finger or face it wouldn't be. – Pacerier Jan 31 '14 at 04:56
  • Having just (in 2016) stumbled across this answer, I'll note that while the idea that biometrics are only useful "in situations where passwords already provide adequate security" may or may not have been largely correct in 2011, some important developments have occurred since them. In particular, biometric authentication options have come into wide use that work with the secure modules in common devices to protect and use info that is used to authenticate the user to remote services. (For eg.: fingerprint recognition with the secure enclave on iPhone, Windows Hello with the TPM on a PC.) – mostlyinformed Jul 08 '16 at 23:18
  • Thus, you have an emerging model of the user doing biometric authentication to a local element that will then cryptographically attest of that user's identity to the remote service. This approach, of course, still has some flaws and limits. (Among them that the user can only use this way to access a service on devices where he or she has enrolled his or her biometric info into the device's secure element.) But it (perhaps) holds the potential to replace the hassle of using the now-ideal password + strong 2nd auth factor (eg. entering a code from a hardware token) combination in many scenarios – mostlyinformed Jul 08 '16 at 23:38
19

Abstracted across a network, most biometrics implementations can still be boiled down to the category of "something you know". For a discussion of how that happens with "something you have," take a look at How is "something you have" typically defined for "two-factor" authentication?.

Biometrics suffers from a problem where once a credential is compromised, you can't change it. There are also some rather amusing compromises against fingerprint systems. Biometrics are great in certain areas, but logging into my bank account with a generic device and no password is not one of them.

Finally, because there is no uniform standard, there's a cost issue that's hard to surmount. Not only are devices not already an integral part of the computer like a keyboard is, but they different models need different systems to interface with them.

Jeff Ferland
  • 38,170
  • 9
  • 94
  • 172
  • 1
    This is actually a great point - biometrics, currently at least, work as if they are a secret - which they really aren't. So, a better biometric authentication is one that would assume that the biometrics are public, and still succeed (somehow?) in performing the authentication. Interesting idea, needs more research.... – AviD Aug 28 '11 at 15:10
  • One protective measure to this is "liveness detection", in which the scanner tries to detect input from dead/non-biometric input (by checking the blood flow, precipitation etc.) There are some technologies out there in the wild already. – Enno Shioji Sep 15 '11 at 06:27
14

There are significant problems with all of these as a primary identifier.

For example:

  • Fingerprints/Palm - What happens if I fall off my bike and scuff my hand across the ground? My fingerprints are ruined for some time - possibly permanently.
  • DNA - have you seen how easy it is to pick up blood or other material containing DNA?
  • Typing - this has some success, but the responses depend on tiredness, emotional state, differing keyboards etc

They are all susceptible to both false positives and negatives - you can get that crossover point down to a low level, but you can't eradicate it entirely.

When compromised, you cannot change the identifier - this problem rules it out entirely!

Another issue with some of the biometrics generally considered more resistant to attack (for example the retina pattern) is that users really dislike the invasive nature of the scan. While many end users now accept a fingerprint scanner (despite fingerprints being proven not to be unique) having a retina scanner is seen as intrusive and even scary.

So the current process - use ID, password, token etc as initial identifiers (all replaceable if needed - things you know or have ) and a biometric as an additional preventative measure do mitigate the risk of the previous mechanisms being stolen and used by an attacker (something you probably are) seems to be the optimum in terms of:

  • support
  • resilience
  • layered security
Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
  • Well, even if you do permenatly damage your hand, you will have unique scars. Also, there is not likely to injure your palms badly enough to wipe your epiderms (with mehanicals injuries). However, with fire or acid you could do it. Anyway, you actually remind me of something - hand-foot syndrom - people with this syndrom don't have fingerprints at all. There is also problem with poor scanning - can scanner penetrate deep enough into skin (some people might have altered upper layer, let say if they work with lime). All in all, at least to me, so far the best answer :) – StupidOne Aug 18 '11 at 09:38
12

One issue with rolling out biometrics everywhere is registration. Should I have to turn up to Facebook's office in Palo Alto with my government-issued ID so that they can fingerprint me before I can log in to their website, versus typing "correcthorsebatterystaple" into my browser? How long would that take for 650M+ users? How many staff? How expensive is it to train the staff? How many errors would they make? Can you accept that many errors? Would users feel comfortable with the idea of Facebook owning their fingerprint details?

  • Why would I have to go to Palo Alto? If I have scanner, I would use it in registration form (for the sake of conversation, let say this is an option when registrating to FB) like I'm using passwords now. If I wanted to log in with fingerprint, I would have scanner locally, like I'm having keyboard right now. – StupidOne Aug 18 '11 at 13:39
  • 4
    @StupidOne, See the James Bond example that Thomas Pornin gives for one sort of risk of what you propose. Generally speaking, there are more attacks on biometrics when they are read remotely by an untrusted terminal. – D.W. Aug 18 '11 at 21:21
10

Put simply: cost. In this instance cost takes two forms, resource cost and monetary cost. Chances are great that if you have a computer or system of any type (desktop, server, mainframe, distributed, cloud, etc.) it has a built-in authentication mechanism: passwords. The time and money that it takes to bolt-on or integrate biometrics for average uses is too great. Only the most secure environments or data require anything greater than a password.

The most common use cases I see for biometrics are physical security and system log-ins (think Active Directory). Biometrics have a decent adoption rate in physical security because some sort of device is already required for security, a lock or a guard or a laser. Opting for better security and manageability in biometrics is a tangible decision. Regarding system log-ins, what we have already accomplishes the business task of allowing access to a system. The Security Guys are left to deal with all of the repercussions.

Trent
  • 101
  • 2
10

Systems can fail, so you need a defense in depth approach. Bio-metric security systems rely upon fuzzing matching. They can suffer from whats called a type-II error, which means an attacker is successfully authenticated.

Also Mythbusters has hacked it. (and they aren't the only ones.)

rook
  • 47,004
  • 10
  • 94
  • 182
10

The many technical problems with biometrics are well canvassed above. Biometrics as a class still faces deep skepticism, and rightly so. Security professionals are conservative and cautious, and they find the following issues problematic:

  • Very few of the technologies on the list above are commercially mature. I myself don't know why DNA, gait and smell are even listed in any serious discussion.
  • Many biometric products and techniques are barely out of the R&D lab. Cancellable biometrics are still a hot research topic; liveness detection is more theoretical than practical. In security, it is important that candidate solutions are mature, thoroughly shaken down in the real world, and certified. This takes a decade or more.
  • All biometric testing is conducted under "Zero Effort Imposter" conditions, where only accidental matches are consiered. There are no standardised testing protocols for evaluating deliberate fraud, which is astonishing when you think about it, for we are talking about security solutions that are used to resist crime. As the FBI says: "For all biometric technologies, error rates are highly dependent upon the population and application environment. The technologies do not have known error rates outside of a controlled test environment" (see http://www.biometriccoe.gov/SABER/index.htm).
  • Finally the industry does itself no favours in the way it presents its specifications. In particular, error rates are often presented in a dishonest way, with best case False Match and False Reject rates quoted side-by-side. But the sensitivity-specificity tradeoff means that as False Matches go up, False Rejects go down. Vendors often keep their Detection Error Tradeoff curves secret. I've tried to obtain the DET curves from a particular vascular biometric vendor for five months and have only been stonewalled.
7

Biometrics (something you are) + password/passphrase (something you know) = 2 factor authentication. That's why they're used together.

The other reason biometrics isn't used more widely is 1) biometric systems are expensive to implement and 2) biometric systems need a very, very low false positive rate. You wouldn't want the system to allow access to someone who had a similar fingerprint/iris/whatever so you'd need many points of reference in the system (fingerprint/iris map) to allow for that kind of accuracy. The caveat to requiring all those points of reference is that the system would need a very reliable way to read your body part each time that is very repeatable and that isn't possible with the biometric readers we have today. You don't swipe your finger the exact same way in a fingerprint reader every time and you don't position your head in an eyeball reader the exact same way every time, but the system would need to demand that level of precision to get all the data points it needs to verify you every time you need access. This leads to a lot of re-swiping/re-scanning which is very frustrating to the user and may lock them out depending on the system.

August
  • 179
  • 2
  • 1
    I suspect the spirit of the question is: ok, why do we want 2 factor authentication, if one of the factors is biometrics? – D.W. Aug 18 '11 at 21:18
7

If your body is your password, and your account is compromised in some way, there's no way to change your password.

ddyer
  • 1,984
  • 1
  • 12
  • 20
  • The promise made by biometrics is that if your body is the password, the password cannot be "compromised". Which obviously definitely rules out fingerprints, unless your are "securing" your children access to their toys. (And maybe, not even so.) – curiousguy Oct 19 '11 at 02:10
  • 2
    Perhaps true if you actually present yourself to a secure scanner, but the result of the scanner is a stream of bits, which is effectively your body's password. An insecure scanner can keep a copy of that stream of bits and reuse it without your presence. – ddyer Nov 30 '11 at 19:35
  • Again, I think you misunderstand biometrics. **You** are using your body to authenticate **to the scanner**. The scanner is authenticating you. The scanner is trusted by definition. "_An insecure scanner can keep a copy of that stream of bits and reuse it without your presence._" There is no "stream of byte" that can be reused. The scanner output is just "this is ddyer's body." (possibly encrypted with the scanner's key). Your body is not a password. The traditional version of a "scanner" is a guard who can recognise you (and cannot output a "stream of bits" that is your password). – curiousguy Dec 01 '11 at 07:29
  • (...) "_An insecure scanner can keep a copy of that stream of bits and reuse it without your presence._" Yes, but he would have to build a replica of you matching this "stream of bits". For fingerprints, this is not very difficult. – curiousguy Dec 01 '11 at 07:37
  • (...) I wrote: "Your body is not a password." it means: "Your body is not a secret string of octets that could be transmitted on a wire." You are not a string of octets, and you are not "secret". The biometric recorded image of you that the scanner compares to you is not always a "secret" (your face, your fingerprints are hardly secrets by any reasonable definition of secrecy). That biometric information can easily be captured by anyone without your knowledge. (Same for DNA, BTW.) – curiousguy Dec 01 '11 at 07:58
  • One thing that people do not understand about biometrics: your body is here, so you can be authenticated here. It only works if there is a trusted scanner where you are. **It does not work remotely.** It is useless for authentication on the net. – curiousguy Dec 01 '11 at 08:11
  • 1
    I think that's the crux of the distinction. If you *are* the building and you're deciding if you should let some guy in, and you trust your scanners, biometrics are fine. On the other hand, if you can't trust your scanners (remember "Ocean's eleven"?) you are likely to be deceived. – ddyer Dec 01 '11 at 18:40
3

Got to remember that many biometrics are not universally available. Some professions (hair-dressing, bricklaying...) routinely render fingerprints unreadable. And that's ignoring congenital defects which render fingers unavailable, or accidents which remove them... A proportion of the population cannot use retinal scanners, either mechanically (reaction to the scanner) or because their retinas are unreadable (medical condition). So the ideal biometric solution would involve multiple methods, not all of which are needed at any one time. The words "huge" and "cost" spring to mind at this point. Multiple simultaneous methods, however, would get around some of the issues of non-uniqueness (as with DNA, for example)...

Rik
  • 31
  • 1
  • Well, I could counter your statement (retina and medical conditions) with - passwords and Alzheimer. IMHO, the vast majority of people could use biometrics without any problem at all. – StupidOne Dec 01 '11 at 13:18
3

The biggest problem is implementation. Imagine, for a moment, that Facebook decided passwords were too insecure and determined to go with biometric identification instead. How would they do it? The hardware just isn't there; it's not standard, it's not ubiquitous, it's not well-understood.

Bad example? Ok, then what would be a good example? Your bank? Same problem. Even at high-security terminals such as ATMs, they rely on passwords (4-digit passwords to boot!) primarily because of the inertia in the system which has led people to expect that ATMs use a 4-digit pin, while ATM hardware around the world has no input capability other than the number pad.

Think for a moment about the IPv6 transition: The situation is urgent, the transition is inevitable, the technology is ubiquitous and widely-supported, the cost is minimal. And yet, we're over a decade into the transition, and yet just about right where we're we started at approximately 0% adoption.

Now, consider such a transition to biometrics, where it it's neither urgent nor inevitable, the technology is poorly supported and understood, and the cost is high. Just how long would such a transition take? I dare say such a time will never come.

tylerl
  • 82,665
  • 26
  • 149
  • 230
2

While many valid points are already discussed, no one yet came up with thoughts with regard to the Fifth Amendment (in US Law) and self-incrimination. There is similar law in other countries as well.

The consensus is, that having a password will put you in advance against law enforcement, because is something that is protected by the amendment, where the biometrics are not.

E.g. you can be forced to give a fingerprint, that subsequently is the used by law enforcement to unlock, say, your phone. However, you can not be forced to tell your/a password.

Among many other posts, there is an article from the TIME Magazine (Why the Constitution Can Protect Passwords But Not Fingerprint Scans), that points it out quite clearly.

Marcel
  • 3,536
  • 1
  • 19
  • 37
0

It is generally possible to completely avoid situations where it may be necessary to change an authentication credential. On almost any decently-designed system, a password may be replaced if compromise is suspected. By contrast, if an adversary has managed to make a glass duplicate of someone's eyeball, replacing that person's eye is apt to be a much tougher proposition.

supercat
  • 2,049
  • 11
  • 10
-2

Bio-metric identification would seem to hold great promise in many applications. For instance at home diagnosis or having a remote checkup by a medical professional; Allowing students to engage in Computer Based Training, with the instructor's role being that of a 'facilitator' and also providing an environment in which students could progress at their individual pace. Not to mention security clearance when flying from point A to point B. If it's a matter of imperfect technology, then the technology will evolve as long as there is a demand for the product.

John
  • 1
  • 3
    Welcome to IT Security, John! You might want to take a look at our FAQ. We have a question-and-answer format; answers are expected to respond to the specific question (we are not a general discussion site). This answer doesn't answer the question that was asked, so it probably doesn't really fit this particular question very well. – D.W. Nov 12 '12 at 23:53