Why do biometric fanatics want to “Kill Passwords?”
When biometric fanatics evangelize “Kill Passwords!” in favor of biometrics they create a false security narrative. Replacing one form of Single Factor Authentication (SFA) with an alternate form of Single Factor Authentication adds nothing. It simply trades one factor for another. The whole security argument against any Single Factor Authentication is that the hacker only needs one piece of information to break in.
While biometric fanatics like to tout the weaknesses found in knowledge based authentication, (and I readily admit there are some), there are also a number of inherent weaknesses in biometrics. In this series of short blog posts, I will outline those weaknesses. My ultimate goal is for the reader to understand that if we go down the “either/or” cybersecurity path in choosing biometrics over passwords, everyone loses. The smart and secure cybersecurity solution is the “and” path, also known as Multi-Factor Authentication (MFA).
All Biometrics are public knowledge
The biggest security issue with biometrics is that a person’s biometric information is public. Your fingerprints can be lifted off that water bottle you just threw in the garbage. Your photo is available on Facebook or easily taken with any seen or unseen camera. And your voice can be recorded from a webinar, social encounter or phone call. U.S. courts have ruled with biometrics there is no expectation of privacy. And once your data is compromised, it’s compromised forever. You can’t slip on new fingertips, pull a new set of eyes out of a drawer, or have your current face removed and replaced. When the U.S. Government Office of Personnel Management (OPM) was hacked in March 2014, twenty-one million federal employees had their personal information stolen. The biggest security threat that often goes unreported includes the theft of the complete fingerprint images and photos from which fake credentials can be created.
Passwords, on the other hand, can be changed easily and frequently. Passwords are knowledge-based, so they are not publicly available unless the user slips up and makes them so. That issue can be easily fixed with smartcard technology. What you may not know is the Virginia District Court ruled that passwords are “knowledge,” so they are protected by the U.S. Constitution’s Fifth Amendment regarding self-incrimination. Biometrics can not offer the same legal protections. So what does this really mean?
Law enforcement can’t use a rubber hose to make you give up your password. However, they can grab your arm and force you to place your finger on a scanner. Any fighting back is regarded as resisting police authority.
Implementing New Safeguards is a Never Ending Cycle
If there was one basic Law of Security, it would be “Anything created by humans will eventually be broken by humans given enough time, money, resources and determination.” This has been true since the dawn of time. When the first defenses were erected to protect a village from raiders, the raiders found ways to defeat the defenses. Siege weapons, counter measures and anti-whatevers are constantly created to neutralize defenses and security. Biometric Fanatics who assume their security is impregnable are dangerous because hackers rarely ever attack head on. They exploit peripheral weaknesses, where many gate keepers rarely look.
The argument from the biometric community is that they have developed new technologies to block fake fingers and photo images. These include testing for a pulse, elasticity, electrical resistance, heat and many other so called safeguards. Now, ask yourself, why have these new safeguards been implemented?
Answer… because a hacker figured out how to break their previous technology solution. What’s worse, these new technology improvements may have a higher cost, which them makes them affordable only to the government and huge corporations, leaving SMBs vulnerable. Think about it, if the U.S. Government is correct in blaming China for the OPM breach, I think it’s fair to say Chinese engineers have the technology and know-how to fool any man-made sensor and software algorithm. Even a college professors can crack a Samsung biometrically protected smartphone for under $500.
On July 28, 2016 Forbes Magazine published an article “$500 Fingerprint Clone Unlocked Murder Victim’s Samsung S6 – It Can Hack iPhones Too”. The article explained how Dr. Anil Jain used an image created from a standard computer printer and inductive ink to unlock the Samsung S6, S7, and iPhone 6. With what Dr. Jain shared with Michigan police, plus the inexpensive means to create a clone, the police department is now looking into having a fingerprint cloning lab in every station. If police can now hack biometrics, then so can criminals.
Here’s the bottom line – You don’t Kill Passwords:
Passwords and biometrics both have their place in cybersecurity and authentication, but not as competing Single Factor Authentications. Instead, their strength comes when they are combined together for Multi-Factor Authentication. A smartcard that requires biometric authentication keeps authentication local. Once card ownership is established, then the smartcard with its own unique security features, can securely authenticate to the computer network where passwords can be complex, managed, and changed to meet different security levels. Every account, computer and website can have their own unique password and the user never has to generate, remember, type, know or manage it. Like I said earlier, you don’t kill passwords because the smart and secure cybersecurity solution is the “and” path.
So, why the big push by large corporations and governments to kill passwords in favor of biometrics? Government conspiracy theorists might say it’s a way to build a national database of everyone’s biometrics, or it’s a way to circumvent the U.S. Constitution’s protection from self-incrimination, or both.
Biometric fundamentalist need to get the head out of the sand and understand that each factor of authentication offer their own unique and valuable properties to be leveraged together. The bickering back and forth between the two camps as to which is better only adds marketplace confusion, delays in implementation, and continues vulnerability to all our networks and data.
About Access Smart
At Access Smart we created Power LogOn – a multi factor authentication enterprise password manager. We can use biometrics or a PIN just to authenticate that the person with the physical card is the rightful owner. After card authentication Power LogOn uses a secure password manager to access all types of accounts. It’s our belief that, “It’s not a password problem. It’s a password management problem!” By removing the weakest link in cybersecurity – the human element – our networks become stronger.
About Dovell Bonnett – “The Password Guy”
Dovell Bonnett has been creating computer security solutions for over 20 years. His passionate belief that technology should work for humans, and not the other way around, has lead him to create innovative solutions that protect businesses from cyber-attacks, free individual computer users from cumbersome security policies, and put IT administrators back in control of their networks.
He has spent most of his career solving business security needs, incorporating multiple applications onto single credentials using both contact and contactless smartcards. The most famous example of his work is the ID badge currently carried by all Microsoft employees.
In 2005, he founded Access Smart LLC to provide logical access control solutions to businesses. His premiere product, Power LogOn, is a multi-factor authentication, enterprise password manager used by corporations, hospitals, educational institutions, police departments, government agencies, and more.
Dovell is a frequent speaker and sought-after consultant on the topic of passwords, cybersecurity, and building secure, affordable and appropriate computer authentication infrastructures. His most recent book is Making Passwords Secure: How to Fix the Weakest Link in Cybersecurity.