Biometrics deployed with a fallback password: statistics on false sense of security

Hitoshi Kokumai provides follow-up statistical data on the "false sense of security", confirming that erroneous perceptions exist regarding identity verification when two factors are used but not linked.

Hitoshi Kokumai, president, Mnemonic Security, Inc.

On 10 March, Hitoshi Kokumai wrote an opinion article titled "False sense of security spreading on a gigantic scale". Here he follows it up with the results of a brief survey on the perception of identity verification.

Subsequently, some people have been in contact to ask whether there is any objective data on the false sense of improved security, or whether it is just a theoretical possibility. Here we refer to the outcome of a brief survey on the perception of identity verification.

Two university researchers in Japan carried out a brief survey in November 2014 about how the security of (1) PKI, (2) fingerprint scan and (3) onetime password are perceived by 49 university students in science and technology sectors. Below are the results. (In the brackets are the numbers of students who are learning information security as their major field of study.)

(1) Do you know PKI? Yes: 34 (31), No: 15 (0)

(To those who answered Yes) Do you think that a PKI-loaded IC card provides higher security than a password? Yes: 12 (12), No: 1 (1), No change: 4 (4), Do not know: 12 (9), Depends: 4 (4), No answer: 1 (1)

(2) Do you know about fingerprint scanners loaded on smart devices? Yes: 44 (28), No: 5 (3)

(To those who answered Yes) Do you think that a fingerprint scan provides higher security than a password? Yes: 16 (11), No: 7 (5), No change: 4 (2), Do not know: 12 (8), Depends: 5 (2)

(3) Do you know OTP (onetime password)? Yes: 39 (30), No: 10 (1)

(To those who answered Yes) Do you think that a onetime password provides higher security than a remembered password? Yes: 17 (5), No: 1 (1), No change: 3 (2), Do not know: 10 (8), Depends: 7 (6), No answer: 1 (1)

The answers we expected were either “Do not know” or “Depends” for all three questions, preferably followed by “because there are no objective data that enable us to directly compare the security of PKI/OTP/Finger-Scan operated on its own with that of a password operated on its own. PKI/OTP/Finger-Scan operated with a password by AND/Conjunction (we need to go through both the former and the latter) is more secure than the same password alone, but PKI/OTP/Finger-Scan operated together with a password by OR/Disjunction (we need only to go through either the former or the latter) is less secure than the same password alone.”

That many students gave “Yes” to (1) and (3) is understandable, because PKI and OTP are generally operated with a password by AND/Conjunction. But it is very worrying that so many students learning information security (11 out of 28) answered “Yes” to (2), because Apple's Touch ID and most other finger-scanners on the market are operated together with a fallback password by OR/Disjunction, in case of a false rejection.

This survey is not large enough to draw a decisive conclusion from, but we could well imagine that this chilling false sense of security is even more rampant among people who have not studied, or are not studying, information security as a major subject. I am very interested to know what things are like in other countries. Readers' feedback would be very much appreciated.

With respect to the video linked to from the article, some people said that the presence of a backdoor would not cause a problem if it is stronger than the front door. I would like to answer this question as well. 

Let us think of a very weak fallback password (Y1) and a very strong fallback password (Y2), with x standing for the probability that the biometrics is defeated and y1, y2 for the probability that the respective password is defeated. Under OR/Disjunction the attacker needs to get past only one of the two, so the probability of defeating the combination is x + y - xy. We then get (x + y1 - xy1) > (y1) and (x + y2 - xy2) > (y2), which means that we are safer when we use only the weak password than when we use the biometrics with the weak fallback password, and that we are also safer when we use only the strong password than when we use the biometrics with the strong fallback password.

We could consider the comparison between (x + y2 - xy2) and (y1), but it would lead us nowhere. Whoever can manage a strong password Y2 together with biometrics must be able to manage Y2 on its own. Then again, we are safer when we use only the strong password Y2. Moreover, rarely used or recalled passwords tend to be very weak, i.e., what we would actually get is (x + y1 - xy1) >>> (y2).

Therefore it is not possible to say that biometrics used together with a fallback password is stronger than a password used on its own.
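The AND/Conjunction versus OR/Disjunction distinction drawn above, and the Y1/Y2 argument, can be checked numerically. The following is an added example, not code from the article or from Mnemonic Security; it assumes each factor is defeated independently with some per-attempt probability (x for the biometrics, y for the password) and uses constructed figures for x, y1 and y2. It also verifies the general ordering AND <= min(x, y) <= max(x, y) <= OR over a grid of all values in [0, 1], which is the claim the article makes for the two specific passwords.

```python
# Added example, not code from Hitoshi Kokumai's article or Mnemonic Security.
# Assumption: the two factors are defeated independently, with probability x
# for the biometric check and y for the password. Under AND/Conjunction the
# attacker must defeat both (x * y); under OR/Disjunction either one suffices
# (x + y - x*y, by inclusion-exclusion). All figures below are constructed.

from typing import Dict


def p_and(x: float, y: float) -> float:
    """Conjunction: probability of defeating BOTH independent factors."""
    return x * y


def p_or(x: float, y: float) -> float:
    """Disjunction: probability of defeating EITHER factor (biometrics with a fallback password)."""
    return x + y - x * y


def compare(x: float, y: float) -> Dict[str, float]:
    """Attack-success probability for each way of deploying the two factors."""
    return {
        "password_alone": y,
        "biometric_alone": x,
        "biometric_AND_password": p_and(x, y),
        "biometric_OR_password": p_or(x, y),
    }


def check_ordering(steps: int = 101) -> bool:
    """Grid check of the general claim for all x, y in [0, 1]:
       AND <= min(x, y) <= max(x, y) <= OR.
    Returns False if any grid point violates it."""
    eps = 1e-12
    for i in range(steps):
        for j in range(steps):
            x, y = i / (steps - 1), j / (steps - 1)
            if p_and(x, y) > min(x, y) + eps or p_or(x, y) < max(x, y) - eps:
                return False
    return True


# Constructed figures for the article's Y1/Y2 argument (hypothetical values).
BIOMETRIC_X = 0.01   # x: biometric defeated (false acceptance, forged feature)
WEAK_Y1 = 0.10       # y1: weak, rarely recalled fallback password
STRONG_Y2 = 1e-6     # y2: strong fallback password


def worked_example() -> Dict[str, Dict[str, float]]:
    """The article's two cases: biometrics with a weak and with a strong fallback."""
    return {
        "weak_fallback_Y1": compare(BIOMETRIC_X, WEAK_Y1),
        "strong_fallback_Y2": compare(BIOMETRIC_X, STRONG_Y2),
    }


if __name__ == "__main__":
    for label, row in worked_example().items():
        print(label)
        for option, p in row.items():
            print(f"  {option:24s} {p:.8f}")
    print("ordering holds on grid:", check_ordering())
```

In both constructed cases the OR row (biometrics with a fallback password) comes out higher than the password alone, and the AND row lower, which is the whole point of the article: linking the factors by conjunction adds security, offering either one by disjunction removes it.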

Also, it would be fruitless to spend time comparing the strength of biometrics used on its own with that of passwords used on their own. There are no objective data on the vulnerability of biometric products (not just the false acceptance rate when the false rejection rate is sufficiently low, but also the risk of forgery of body features and the risk of use while the user is unconscious), nor on that of passwords (not only that the entropy may be as low as 10 bits or as high as 100 bits, but also that they can be stolen and leaked).

Contributed by Hitoshi Kokumai, president, Mnemonic Security, Inc.