Letter to the Editor: Biometrics - does it strengthen or weaken security?

Biometrics can actually weaken authentication security if not implemented correctly says Hitoshi Kokumai, who asks, what exactly does the NIST Authentication Guideline have to say on this issue?

Letter to the Editor: Biometrics - does it strengthen or weaken security?
Letter to the Editor: Biometrics - does it strengthen or weaken security?

Dear Editor,

Since the publication of my article “False sense of security spreading on a gigantic scale” of 10 March, 2016, outlining why biometric authentication can weaken security if used to provide an alternative rather than required additional authentication, I have been watching NIST (US National Institute of Standards & Technology) to see what they have to say about this issue.

NIST is now inviting comments from the public on –“DRAFT NIST Special Publication 800-63B Digital Authentication Guideline”.  In “5.2.3. Use of Biometrics” it reads “Biometrics SHALL be used with another authentication factor (something you know or something you have)” at one place, which leads us to assume that NIST allows only the operation of biometrics and another factor by AND/Conjunction (we need to go through both of them).

However, at another place, it reads “The biometric system SHALL allow no more than 10 consecutive failed authentication attempts. Once that limit has been reached, the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorised secret”, which leads us to assume that NIST allows only the operation of biometrics and the second factor by OR/disjunction (we need only to go through either of the two.)  As you may easily appreciate, the former increased security and reduced convenience while the latter decreased security and increased security, with the two being mutually exclusive to each other.

Expecting that NIST would make it clear, I submitted the following comment under the title of To Avoid the False Sense of Security.

(5.2.3 reads) "The biometric system SHALL allow no more than 10 consecutive failed authentication attempts. Once that limit has been reached, the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorised secret."

 It is desirable to see the above sentence in 5.2.3 followed by such a footnote as "It should be noted that the security in such cases is necessarily lower than when the second authenticator alone is used".

As the rationale for the suggestion I stated the following.

It reads "(The biometric system SHALL allow no more than 10 consecutive failed authentication attempts.) Once that limit has been reached, the claimant SHALL be required to use a different authenticator or to activate their authenticator with a different factor such as a memorised secret."

This implies that the second authenticator (factor) and the biometrics are used by OR/disjunction, which necessarily makes the security lower than that of the second factor alone.  In other words, the security is better when the second factor alone is used.

There is a two-minute video outlining the rationale.- Biometrics in Cyber Space - "below-one" factor authentication

This article may also help. - Misuse of Biometrics Technology

* Biometric authentication is good for physical security but ruins the security of password protection and can generate a false sense of security in cyber-space. Deployed with a fallback password against false rejection, it provides a level of security that is even poorer than a password-only authentication.

I was confident that it would trigger a constructive exchange of observations and opinions.  The thread of my suggestion was, however, abruptly closed and made invisible after a couple of odd replies (*1)

Another suggestion (*2) I submitted thereafter, in which I asked for their view about which of a house with two entrances placed in parallel (not in tandem) and a house with one entrance is less vulnerable to burglars, was unilaterally closed without any reply the following day. 

For clarity's sake the whole history of the events is published here.

I hope that I am very wrong in suspecting that NIST is determined to stick to a story that a house with two entrances placed in parallel, not in tandem, is less vulnerable to burglars than a one-entrance house, presumably because agreeing that a two-entrance home is more vulnerable to burglars than a one-entrance home is tantamount to declaring that most of the biometric products and solutions on the market and in commercial use are actually more vulnerable to attackers than a password-only authentication.  

I hope I am also very wrong in suspecting that this would be too inconvenient for too many people and it might also be inconvenient for NIST which did not give any alarms or warnings whatsoever about the spread of this misconception and the false sense of security that trapped so many people in it.

If the current worrying situation is left as it is, they and the public at large would have to suffer an even more devastating damage in the future. If we need to rectify the situation, we need to act as quickly as possible.

Readers' feedback would be very much appreciated.

Yours sincerely,

Hitoshi Kokumai, president, Mnemonic Security, Inc.

Remark 1  Brief summary of exchange of comments over the first suggestion.

First, a NIST person indicated in their reply that NIST only allows the OR/disjunction operation adding "it is still two-factor".  I submitted a suggestion on the assumption that NIST only allows OR/disjunction operation.

The person's second reply said "If two-factors are required, two-factors need to be authenticated or the claimant will not get access."  It led me to assume that NIST probably does not allow OR/disjunction and perhaps forces AND/conjunction.  I submitted a new suggestion accordingly.

Then, the second NIST person abruptly stepped in and closed this thread after supposedly alleging that the OR/disjunction operation is valid for security.  My appeal for continuing the discussion was met with silence and the thread was finally locked.

Remark 2  The text of another suggestion.

"It is desirable to see the above sentence in 5.2.3 followed by such a footnote as "This way of operating biometrics with a second authenticator by OR/disjunction shall be recommended where convenience matters, not where security matters since the security in such cases is necessarily lower than when the second authenticator alone is used. It is convenience that is improved by this way of operating biometrics and a fallback means, and this improvement is obtained by the sacrifice of security".

Here is a further explanation of the rationale.