Passwords vs. Biometrics
Network access control (NAC) is a hot topic in today’s news. In a recent Reuters article by Jim Finkle about iPhone 5S bug can thwart device wiper, he quoted Mr. Chris Morales, a hacking expert and research director with NSS Labs of Austin, TX, that, “…members of the security community have long known: biometrics are not as secure as passwords.” Morales continues by saying, “As bad as passwords are, it’s more secure to know something than to be something. Biometrics only extends security for people who are extremely lazy.”
With no disrespect to Mr. Morales he is partially correct and partly wrong. No, I’m not straddling the fence but rather there is more to this story when comparing biometrics to passwords to determine which is better. So, to quote the late and great Paul Harvey, “And now for the rest of the story.”
Start with understand authentication
When it comes to network access control there are only three ways to securely authenticate someone: 1) Something you have, 2) Something you know and 3) Something that’s you. These points are also knows as the “three factors of authentication.”
Any one factor by itself (single-factor authentication) is extremely weak no matter which one you choose. Security is raise exponentially when any two are combined (two-factor authentication). Finally, the mother lode is when all three are used together (three-factor authentication).
Biometrics includes any unique characterizes that differentiates one person from another. It can be a voice, face, iris, fingerprint, hand geometry, etc. A software algorithm then takes specific feature to create a digital value called a template. In most biometric applications the actual image is never stored. The drawback is that someone’s biometrics never changes. Should security require a new template to be calculated then that new value has to be replaced everywhere the old one was used. What a minute… that sounds more like a management problem then a security or technology one.
Finally, the storage of biometric templates has to be just as secure as the storage of passwords. Both still require storage in encrypted files and every biometric template needs “salting”. That why, independent of how data is created, a password and a biometric template are kind of same thing, a series of stored 0’s and 1’s that a computer can read.
Since ones brain is often used to generate passwords, and people often don’t think alike, maybe one could argue that a password is also a biometric template. Just something to think about. However, two attributes that passwords offer over biometrics are 1) most every piece of software uses password authentication, and 2) passwords are easy to change in frequency, length and complexity.
Passwords are not bad. What is bad is that security has put people with no security knowledge in charge of generating and managing their passwords. Writing down passwords, reusing passwords, using simple passwords are just a few examples of poor password management. There’s that management issue again
To conclude, biometrics and passwords will never go away as long as they make up the quintessential factors of authentication. The security dilemma is not that one technology is better than another, but rather the management of the technology and the data created. A company that touts that one security factor is better than another typically has a vested interest in only one of the factors. In other words, Marketing BS.
True network access control requires layers, like a parfait. Anyone who relies on just single factor authentication, no matter which one, deserves the hacking and cracking their network is about to receive.