False sense of security spreading on a gigantic scale
Hitoshi Kokumai explains how increased access options improve convenience, but actually reduce security if each autonomously offers access, while creating a false sense of improved security as two factors get mentioned.
Hitoshi Kokumai, president, Mnemonic Security Inc.
Imagine that you are considering choosing one of two models of smart phones - Model A with Pincode; and Model B with Pincode and Fingerprint Scan. Which of the two models do you think is more secure?
1. You consider that Model A is protected by Pincode alone while Model B is protected by both Pincode and Fingerprints
2. You consider that Model A can be unlocked by Pincode while Model B can be unlocked by both Pincode and Fingerprints
3. You consider that Model A can be attacked only by Pincode while Model B can be attacked by both Pincode and Fingerprints
Is your perception the same for all three situations?
Blind spot in our mind and eye-opening experience
Now let us imagine that there are two houses – (1) one with an entrance and (2) one with two entrances in parallel. (not in tandem). Which house is safer against burglars?
The answer is plainly (1). It is blindingly obvious for every one of us. Who would dare to allege that (2) is safer because it is protected by two entrances?
Similarly, the login by a Pincode/password alone (1) is safer than the login by a biometric sensor backed up by a fallback Pincode/password (2).
(A and B) or (A or B)
Biometric products could help improve cyber-security ONLY WHEN operated together with both a password AND/ in conjunction with biometrics (we need to go through both of biometrics and the password), NOT WHEN operated with a password OR /Disjunction (we only need to go through either one of the two) as in the case of the above mentioned house with two entrances, this is the situation with most biometric products on the market. (*1)
Biometrics and passwords operated together by OR/Disjunction only increase the convenience by bringing down the security. Mixing up the case of OR/Disjunction with that of AND/Conjunction, we would be trapped in a false sense of security (We wrongly feel safer when we are actually less safe).
Jeopardy of “below-one” factor authentication
Biometric products operated together with a fallback password can be compared to a house with two entrances placed in parallel (not in tandem), and may be defined as a “below-one” factor authentication because they offer the level of security lower than a password-only one factor authentication.
There is nothing wrong in saying that a house with two entrances is more convenient than a house with one entrance. But shouting “A house with two entrances is safer against burglars than a house with one entrance” would be just silly.
Similarly, there is nothing wrong with a biometric product operated with a fallback password when the product is offered as a tool for increasing convenience. However, it would not be just silly but unethical and antisocial to make, sell and recommend those products as a tool for increasing security.
This misconception is sadly supported and circulated by several big businesses, leading financial institutions and government agencies as well as not a few security professionals and global media. They are misled and in turn misleading, with the chains of vicious cycles growing exponentially.
This is not an issue of the relative comparison between "good" and "better", but the absolute judgment of "harmful" against “harmless”. Something must be done before such critical sectors as medicine, defence and law enforcement get contaminated in a horrible way.
A false sense of security is often worse than the lack of security itself. Biometric solutions should never be recommended to the people who need strong security in cyber-space. They could instead be recommended to those who want increased convenience.
Contributed by Hitoshi Kokumai, president, Mnemonic Security, Inc.
*1 More about “OR/Disjunction”
Biometric sensors and monitors, whether static, behavioural or electromagnetic, can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. The cases of (1) are hardly known in the real world because the falsely rejected users would have to give up the access altogether even when they are able to feed their passwords.
Most of the biometric products are operated by (2) so that the falsely rejected users can unlock the devices by registered passwords. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). With (x) and (y) being smaller than 1, the sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say; the devices with biometric sensors and fallback passwords are less secure than the devices protected by a password-only authentication.
Also see video.