– Biometrics Co-Used with Password –
On a number of tech media still circulating so rampantly are confused reports about the password and biometrics deployed in cyberspace. We could assume that the people who circulate the befuddled perception may well have mixed up the following two views.
A: Biometrics brings some security (better than nothing).
B: Biometrics brings the security better than a password.
A is correct but B is a fallacy. Logic tells that biometrics deployed with a backup/fallback password brings down the security of password protection, offering better convenience to users and criminals alike, as shown in this short video. (https://youtu.be/wuhB5vxKYlg)
Two questions come up; (1) where, why and how those tech-reporters are mistaken and (2) who are behind the birth and growth of this confused perception.
Where, why and how are they mistaken?
- Unknown Nature of Biometrics
It is getting known that NIST no longer allows biometrics to be used on its own but requires it to be used ‘only as part of multi-factor authentication with a physical authenticator (something you have)’ in view of the inherent vulnerabilities of biometrics as stated in 5.2.3 ‘Use of Biometrics’ of Digital Identity Guidelines 800-63B.
Privacy issues of biometrics are relatively well known. Not a few people are aware that it will be catastrophic when biometrics data are leaked, since it is impossible to change or cancel biometrics data. (‘when’ rather than ‘if’ in view of the long lists of data breach by sophisticated attacks.)
But the security aspect of biometrics brought by the co-use with a fallback password is unknown. It is probably due to the indifference of the participants to those facts as quoted below.
– Perfectly fake-proof biometrics would still be less secure than a password where it is co-used with a backup password; two entrances placed in parallel provide nice convenience to criminals.
This is what we witness in so many biometrics products deployed in cyberspace
– False acceptance of 1/1,000,000 is not necessarily better than that of 1/50,000; we need to know the corresponding false rejection rates before judgment.
The lower a False Acceptance Rate is, the higher the corresponding False Rejection Rate is. The lower a FRR, the higher the corresponding FAR. That is, FAR and FRR are not just mutually dependent but are in a trade-off relation.
– ‘Unique’ is not ‘Secret’; biometrics data may be unique but not secret.
Identification that follows unique but non-secret data does not act for authentication that requires shared secrets.
– The same biometrics solution provides different levels of security in physical space and in cyber space; what helps the former could ruin the latter.
Biometrics could be better used for identification in physical space, not for authentication in cyberspace.
- Overlooked Security in Cyberspace
The security we need is for safer life of good citizens. We do not need such security measures that help criminals and tyrants.
– A password-less Life is a Dystopia; where we can be authenticated while we are unconscious, it would be horrible for most of us.
A society where identity authentication is allowed without users’ volition would be the society where democracy is dead. The password as memorized secret is absolutely necessary.
– Solutions that come with a password in some way or other cannot be an alternative to the password; a walking stick cannot displace a person with a walking stick.
ID federations and multi-factor authentications are the extensions, not displacement, of password authentication.
- Ignored Nature of Humans’ Identity
Having our identity authenticated is for social activities in human communities, in which our identity is not separated from our volition and personal memories.
– We must discuss our identity as ‘a citizen in society’, not as ‘a chunk of bone, flesh, fat and skin’.
Democracy must require the individuals to have the rights not to get their identity authenticated without their knowingly confirming it.
– Tech-media love to deride weak passwords; creating strong passwords is one thing.
Remembering them is another. And, recalling the relations between the accounts and the corresponding passwords is yet another. We need to be mindful of the nature of our memory and cognitive capability.
Who are behind the confused perception?
The confused perception does not come up from nowhere. There are people behind it.
We could think of three groups of people – who generate the fallacy, who pour fuel on it and who disperse it.
– Those who generate the fallacy; presumably researchers, developers and vendors of biometrics sensors
– Those who pour fuel on the fallacy; Perhaps not a few security professionals who wrongly endorsed the fallacy and are now turning a blind eye to what has now grown to be an anti-social phenomenon.
– Those who disperse this misinformation; probably corporate users, financiers and the tech reporters who are misguided by those who generate and pour fuel
To err is human. We know that NIST admitted that they had long been mistaken in their old password guidelines. We should not blindly trust all that professionals, experts and gurus tell us, but should rely on our own logical reasoning.
The above people may have been trapped unwittingly in the wrong belief that the biometrics that could help physical security should also help cyber security. Many of them may now be aware specifically that their biometrics products are actually bringing down the security in cyberspace and looking forward to the opportunity to admit the fact, desirably without affecting their reputation.
Making this clear, we could then move to the true question; what will eventually succeed the hard-to-manage password?