“Kill Biometrics” is as silly as “Kill Passwords”

Biometrics is no more secure than passwords. Maybe less.

Sounds silly, right? It is. And it’s just as silly to say “kill passwords.” Here’s why. Currently, there are only three recognized “factors” – something you Know (password or PIN), something you Have (technology), and something you Are (biometrics). There are two more coming (location and behavior), but adopting those could take a while. Killing any one factor accomplishes nothing. It simply limits your security resources. Factors don’t need to be killed; they need to be secured and combined with other factors.

It’s clear that the future of digital identity lies in using multiple factors to verify a user’s authenticity. So, you can imagine my confusion when people suggest that one factor is better than all others and should replace all others. A single factor like biometrics, no matter how cool the technology is, will never (or should never) replace multi-factor authentication (MFA). Even if you utilize more than one biometric, you would still be using only one “factor”. Real cybersecurity requires combining more than one factor. A card can be stolen, a password can be revealed, and biometrics can be lifted, stolen or duplicated. Hacking two or three factors at once is far more difficult than compromising just one factor, no matter which factor it is.

SMS codes are NOT true multi-factor authentication. At best, they are double-single factor. Since the gatekeeper is the computer and not the user, look at the process from the computer’s perspective. Users type in their user name and password (knowledge) and then type in a computer-generated code (knowledge). At no point does the token or phone connect directly to the computer to authenticate that it’s legit. Replacing all user names and passwords with a laborious three-step process is no solution at all. And it’s not just cumbersome, it’s also insecure.

Many of the current token-based authentication processes are laborious. In addition to their three-step process (type in user name, password, and code), many One-Time Password (OTP) devices only sync to a single server. So, if you have accounts on multiple servers, you must carry multiple tokens. That’s cumbersome for users, and expensive and laborious for IT to manage.

On the flip side, token-based authentication can be made easy and secure. When MFA is tied to the employee ID badge, the end-user experience becomes more convenient, IT management is streamlined, and security is improved. Users only have to remember one PIN to the card and don’t have to know or even type any passwords. If the badge is lost, the employee can’t get into the building, so security is notified right away and the card can be easily deactivated. A smartcard ID badge utilizes two factors: Know (PIN) and Have (card). Biometrics can always be added as a third factor, making servers even more secure. Biometrics has been around for a long time for authentication. What is needed is the combination of biometrics with a Have or Know factor.

Biometrics is not Perfect, but then what is?

Here are some inherent issues with biometrics as a single factor of authentication:

  • It cannot be changed, unless you want a new face, fingertip or eye.
  • The seed used to calculate the template can change, but then re-enrollment is required for everyone. This can be improved if the seed is, for example, based on and stored in a smartcard, similar to the way a hash is salted.
  • Biometrics is public information and can be taken without the user’s knowledge: a photo, lifting a print, or stealing the data template and replaying it back. A lot of new biometric readers are coming to market to prevent false entry. The reason why new reader protections keep coming out is that hackers break the current ones with regularity. When biometric data is managed as poorly as password data has been managed, templates become even less secure than passwords because of the effort it takes to change the template.
  • Combining physical biometrics with behavioral biometrics is Double-Single Factor Authentication.
  • Passwords are the only form of authentication protected by the 5th Amendment, as held by the US Supreme Court and the 11th District Court. Knowledge-based authentication is covered under the protection against self-incrimination.

This is why there are different factors. One factor’s weakness can be offset by another factor’s strength.

I see behavior-based authentication solutions taking a very long time before being adopted. When I started my career in cybersecurity and smartcards back in 1993, the buzz was that smartcards and biometrics would keep us safe. How long has it taken for the US to start adopting smartcards? How many false starts occurred because of poor management? How many times has the industry misperceived the abilities of hackers and criminals? Far more often than I would like to say.

One last point on biometrics is that they should never be stored in any central database. This is what the hackers will target. Instead, they need to be stored in something like a smartcard. This way, if there is a breach, it only affects one person, and not the thousands to millions that make up Big Data. Just look at what happened to OneLogin. That was not a password issue. It was a password management/storage issue.

Biometrics is a viable factor of authentication. It must be properly combined with at least one other factor (Have or Know). Templates must stay in the possession of the user. Smartcard chips are more secure than smartphones. I just bought a new phone this week and within seconds the sales guy moved everything from my old phone to my new one. That reminded me just how easy it is to clone a phone!
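To make the smartcard badge model concrete (the Know + Have card described above, with biometrics as an optional third factor, and the rule that templates stay with the user), here is an added simulation. It is not code from the article or from any product; it is a constructed toy with a made-up badge id (`badge-001`), a made-up PIN, a random 256-bit "template", and a bit-difference matcher standing in for a real biometric algorithm. The PIN check and the biometric match both happen inside the card object, the server stores only a verification key and outstanding challenges, and possession is proven by answering a fresh nonce, which is exactly what a typed-in SMS or OTP code never does. A real card would sign the challenge with a private key; a shared HMAC key is used here only to keep the example short, and that substitution is marked in the code.

```python
"""Simulated smartcard logon with the three factors the article lists:
Know (PIN) and Are (biometric) are checked inside the card, and Have is
proven by answering a fresh server challenge with a card-resident key.
Constructed example; not code from any real product."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed toy parameters: a 256-bit template and a bit-difference threshold.
TEMPLATE_BITS = 256
MATCH_THRESHOLD = 20


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits; stands in for a real biometric matcher."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class SmartCard:
    """Holds PIN, biometric template and device key. None of them is ever exported."""

    def __init__(self, pin: str, template: bytes, key: bytes) -> None:
        self._pin = pin
        self._template = template
        self._key = key
        self.pin_tries_left = 3

    def authenticate(self, pin: str, sample: bytes, challenge: bytes) -> Optional[bytes]:
        # Know: the PIN is verified on the card, behind a retry counter.
        if self.pin_tries_left == 0:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.pin_tries_left -= 1
            return None
        # Are: match-on-card. The enrolled template is compared here and never leaves.
        if hamming_distance(sample, self._template) > MATCH_THRESHOLD:
            return None
        # Have: the answer is bound to this challenge by a key only the card holds.
        # (A real card would sign with a private key; a shared HMAC key keeps the toy short.)
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Keeps only a per-card verification key and outstanding challenges:
    no PINs and no biometric templates to steal in a breach."""

    def __init__(self, card_keys: Dict[str, bytes]) -> None:
        self._card_keys = card_keys
        self._pending: Dict[str, bytes] = {}

    def issue_challenge(self, card_id: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending[card_id] = nonce
        return nonce

    def verify(self, card_id: str, response: Optional[bytes]) -> bool:
        # The nonce is consumed on first use, so a captured response cannot be replayed.
        nonce = self._pending.pop(card_id, None)
        if nonce is None or response is None or card_id not in self._card_keys:
            return False
        expected = hmac.new(self._card_keys[card_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def enroll() -> Tuple[SmartCard, Server, bytes]:
    """Constructed enrolment of one badge ("badge-001") against one server."""
    template = secrets.token_bytes(TEMPLATE_BITS // 8)
    key = secrets.token_bytes(32)
    return SmartCard("1234", template, key), Server({"badge-001": key}), template


def noisy_sample(template: bytes, flipped_bits: int) -> bytes:
    """Simulate a live capture that differs from the enrolled template in a few bits."""
    sample = bytearray(template)
    for i in range(flipped_bits):
        sample[i // 8] ^= 1 << (i % 8)
    return bytes(sample)


def logon(card: SmartCard, server: Server, pin: str, sample: bytes) -> bool:
    """One full logon: server challenge, card response, server verification."""
    challenge = server.issue_challenge("badge-001")
    return server.verify("badge-001", card.authenticate(pin, sample, challenge))


def replay_demo(card: SmartCard, server: Server, template: bytes) -> Tuple[bool, bool]:
    """Offer the same valid response twice; the second attempt must fail."""
    challenge = server.issue_challenge("badge-001")
    response = card.authenticate("1234", noisy_sample(template, 5), challenge)
    return server.verify("badge-001", response), server.verify("badge-001", response)


if __name__ == "__main__":
    card, server, template = enroll()
    print("good PIN, good sample :", logon(card, server, "1234", noisy_sample(template, 5)))
    print("wrong PIN             :", logon(card, server, "0000", noisy_sample(template, 5)))
    print("good PIN, bad sample  :", logon(card, server, "1234", noisy_sample(template, 60)))
    print("first use, then replay:", replay_demo(card, server, template))
```

The point to take from the simulation is where the data lives: a breach of `Server` yields no PINs and no templates, a lost card stops working once its key is revoked server-side, and a response captured in transit is useless because the nonce it answered has already been consumed.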

Cybersecurity is not about one product, but rather a combination of different products that come together to build a formidable barrier.

***

~Dovell Bonnett – Author of “Making Passwords Secure: Fixing the Weakest Link in Cybersecurity”

I’m passionate about securing passwords with technology! Passwords are not secured by silly tactics used to generate and remember them. Passwords are secured by using the same methods that secure encryption keys. Access Smart’s Power LogOn® uses the same technologies and best practices that secure keys to now secure passwords, at a fraction of the time, cost and management of certificate based systems.