Biometrics as additional access route weaker than password-only protection

Most biometric solutions deployed in cyber-space are used with a password as a fallback means of access. Unfortunately, the result is that the collective security is lower than if password-only authentication had been used. Yet many people still appear to misguidedly believe that they are better protected by the addition of biometrics.


Presumably this is the result of confused reports circulating and rampantly promoted via various tech media. We would assume that the people who circulate this befuddled perception may well have mixed up the following two views.


A: Biometrics brings some security (better than nothing).


B: Biometrics brings a level of security which is better than a password.


A is correct but B is wrong. Logic tells us that adding biometrics does not automatically strengthen access security; it does the opposite when it increases the attack surface by acting as an alternative route in, rather than as an additional control on a single route in. Biometrics deployed with a backup/fallback password brings down the security of password protection, offering better convenience to users and criminals alike, as shown in this short video: https://youtu.be/wuhB5vxKYlg


We see two questions coming up: (A) where, why and how are those tech reporters mistaken, and (B) who is behind the birth and growth of this confused perception?


Where, why and how are they mistaken?


Nature of biometrics


It is increasingly known that NIST no longer allows biometrics to be used on its own but requires it to be used ‘only as part of multi-factor authentication with a physical authenticator (something you have)’, in view of the inherent vulnerabilities of biometrics, as stated in 5.2.3 ‘Use of Biometrics’ of Digital Identity Guidelines 800-63B.


Privacy issues with biometrics are relatively well known. Many people are aware that it would be catastrophic for biometric data to be leaked, since it is impossible to change or cancel biometric data (‘when’ rather than ‘if’ this happens, in view of the long lists of data breaches by sophisticated attacks).


But the effect on security of co-using biometrics with a fallback password is far less well known. This is probably due to indifference to the following points:


  • A false acceptance rate of 1/1,000,000 is not necessarily better than one of 1/50,000; we need to know the corresponding false rejection rates before judgment.

  • False Acceptance Rates and False Rejection Rates are not just mutually dependent but are in a trade-off relation.

  • Perfectly fake-proof biometrics would still be less secure than a password where it is co-used with a backup password; two entrances placed in parallel increase the attack surface for criminals. This is what we see in so many biometric products deployed in cyber-space.

  • ‘Unique’ is not ‘secret’; biometric data are unique but not secret. Identification based on unique but non-secret data cannot serve as authentication, which requires a shared secret.

  • The same biometric solution provides different types of security in physical space and in cyber-space; what helps the former could ruin the latter.
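The parallel-entrance point above can be checked with simple probability. The following is an added worked example, not code from the original article: it models an attacker's per-attempt chance of entry when the biometric is a fallback route (OR) versus an extra factor on one route (AND). The per-guess password success rate is an assumed value; the two false acceptance rates are the ones quoted in the text.

```python
# Added example: does a biometric fallback weaken password protection?
# Assumption (constructed): one password guess succeeds with probability 1/100,000.
P_PASSWORD = 1 / 100_000
# False acceptance rates quoted in the text.
FAR_BIO_GOOD = 1 / 1_000_000
FAR_BIO_FAIR = 1 / 50_000


def p_or(*routes):
    """Parallel routes (biometric OR fallback password).

    The attacker gets in if ANY route accepts them, so the chance of
    entry is 1 minus the chance that every route rejects them."""
    p_all_reject = 1.0
    for p in routes:
        p_all_reject *= 1.0 - p
    return 1.0 - p_all_reject


def p_and(*factors):
    """Serial factors on a single route (biometric AND password).

    The attacker must pass EVERY factor, so the chances multiply."""
    p = 1.0
    for f in factors:
        p *= f
    return p


def compare(p_pw, far):
    """Attacker success per attempt under the three deployment choices."""
    return {
        "password_only": p_pw,
        "biometric_or_password_fallback": p_or(p_pw, far),
        "biometric_and_password": p_and(p_pw, far),
    }


def fallback_weakens_protection(p_pw, far):
    """True when adding the biometric as a fallback admits MORE attackers
    than the password alone would. Holds for any FAR greater than zero."""
    return p_or(p_pw, far) > p_pw


if __name__ == "__main__":
    for far in (FAR_BIO_GOOD, FAR_BIO_FAIR):
        for name, p in compare(P_PASSWORD, far).items():
            print(f"FAR={far:.1e}  {name:32s} {p:.3e}")
```

Even the 1/1,000,000 sensor adds to the attacker's odds when it sits beside the password, while the same sensor multiplied in as a second factor drives the odds down by a million.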


Security in cyber-space


The security we need is that which provides a safer life for law-abiding citizens. We do not need security measures that help criminals and tyrants.

  • A password-less life is a dystopia; a situation where we can be authenticated while we are unconscious would be horrible for most of us. A society where identity authentication is allowed without users' volition would be a society where democracy is dead. The password as a memorised secret is absolutely necessary.

  • Solutions that come with a password in some way or other cannot be an alternative to the password; ID federations and multi-factor authentication are extensions, not replacements, of password authentication.


Nature of humans' identity


Having our identity authenticated for social activities in human communities is a process in which our identity is not separated from our volition and personal memories.

  • We must discuss our identity as ‘a citizen in society’, not as ‘a chunk of bone, flesh, fat and skin’.

  • Tech media love to deride weak passwords; creating strong passwords is one thing, remembering them is another, and recalling which password belongs to which account is yet another.


What is behind the confused perception?


The confused perception does not come from nowhere. There are people behind it.


We can think of three groups of people: those who generate the fallacy, those who pour fuel on it and those who disperse it.

  • Those who generate the fallacy: presumably researchers, developers and vendors of biometric sensors.

  • Those who pour fuel on the fallacy: perhaps not a few security professionals who wrongly endorsed the fallacy and are now turning a blind eye to what has grown into an anti-social phenomenon.

  • Those who disperse this misinformation: probably corporate users, financiers and the tech reporters who are misguided by those who generate and pour fuel on it.


To err is human. NIST has admitted that it had long been mistaken in its old password guidelines. We should not blindly trust all that professionals, experts and gurus tell us, but should rely on our own logical reasoning.


Many people may have been trapped unwittingly in the wrong belief that biometric products improve security in cyber-space as well as they do in physical space. Probably many people have not thought through the implications of what they are doing, but simply leapt onto high-tech buzzwords, or things that look cool.


Many of them may now be specifically aware that, wrongly deployed, biometric products are actually bringing down the security of password protection in cyber-space (if used as an alternative rather than as an additional-factor access control) and look forward to the opportunity to admit the fact, preferably without affecting their reputation.


Accepting that this is the case, we can then move to the true question: what will eventually succeed the hard-to-manage password?


Contributed by Hitoshi Kokumai, president, Mnemonic Security, Inc.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.