Effects of Biometrics Co-Used with Password - Pentestmag

Effects of Biometrics Co-Used with Password

Jan 26, 2018

It appears that, amazingly, many people are still trapped in a false sense of security that biometrics helps us for security in cyberspace, although it actually does the opposite.

On a number of tech media, we still see confused reports circulating so rampantly about the password and biometrics co-used in cyberspace. We could assume that the people who circulate the befuddled perception may well have mixed up the following two views.

A: Biometrics brings some security (better than nothing).

B: Biometrics brings the security better than a password.

A is correct but B is false. Logic tells us that biometrics deployed with a backup/fallback password brings down the security to the level lower than a password-only authentication, as shown in this short video.

Two questions come up; (1) were those tech-reporters are mistaken and (2) who is behind the birth and growth of this confused perception?

Are they mistaken?

  1. Unknown Nature of Biometrics

It is getting known that NIST no longer allows biometrics to be used on its own but requires it to be used ‘only as part of multi-factor authentication with a physical authenticator (something you have)’ in view of the inherent vulnerabilities of biometrics as stated in 5.2.3 ‘Use of Biometrics’ of Digital Identity Guidelines 800-63B.

Privacy issues of biometrics are relatively well known. Most people are aware that it will be catastrophic when biometrics data are leaked, since it is impossible to change or cancel biometrics data (‘when’ rather than ‘if’ in view of the long lists of data breach by sophisticated attacks).

But the security aspect of biometrics brought by the co-use with a fallback password is unknown. It is probably due to the indifference of the participants to those facts as quoted below.

- Perfectly fake-proof biometrics would still be less secure than a password where it is co-used with a backup password; two entrances placed in parallel provide nice convenience to criminals.

This is what we witness in so many biometrics products deployed in cyberspace.

- False acceptance of 1/1,000,000 is not necessarily better than that of 1/50,000; we need to know the corresponding false rejection rates before judgment.

False Acceptance Rates and False Rejection Rates are not just mutually dependent but are in a trade-off relation.

- ‘Unique’ is not ‘Secret’; biometrics data may be unique but not secret.

Identification that follows unique but non-secret data does not act for authentication that requires shared secrets.

- The same biometrics solution provides different levels of security in physical space and in cyber space; what helps the former could ruin the latter.

  1. Misunderstood Security in Cyberspace

The security we need is for the safer life of good citizens. We do not need such security measures that help criminals and tyrants.

- A password-less life is a dystopia; where we can be authenticated while we are unconscious, it would be horrible for most of us.

A society where identity authentication is allowed without users’ volition would be the society where democracy is dead. The password as memorized secret is absolutely necessary.

- Solutions that come with a password in some way or other cannot be an alternative to the password; a walking stick cannot displace a person with a walking stick.

ID federations and multi-factor authentications are the extensions, not displacement, of password authentication.

  1. Overlooked Nature of Humans’ Identity

Having our identity authenticated is for social activities in human communities, in which our identity is not separated from our volition and personal memories.

- We must discuss our identity as ‘a citizen in society’, not as ‘a chunk of bone, flesh, fat and skin’.

Democracy must require the individuals to have the rights not to get their identity authenticated without their knowingly confirming it.

- Tech-media love to deride weak passwords; creating strong passwords is one thing.

Remembering them is another. And, recalling the relations between the accounts and the corresponding passwords is yet another. We need to be mindful of the nature of our memory and cognitive capability.

Who are behind the problem?

The confused perception does not come up from nowhere. There are people behind it.

We could think of three groups of people - who generate the fallacy, who pour fuel on it and who disperse it.

- Those who generate the fallacy; presumably researchers, developers and vendors of biometrics sensors

- Those who pour fuel on the fallacy; Perhaps not a few security professionals who wrongly endorsed the fallacy and are now turning a blind eye to what has now grown to be an anti-social phenomenon.

- Those who disperse this misinformation; probably corporate users, financiers and the tech reporters who are misguided by those who generate and pour fuel

To err is human. We know that NIST admitted that they had long been mistaken in their old password guidelines. We should not blindly trust all that professionals, experts and gurus tell us, but should rely on our own logical reasoning.

The above people may have been trapped unwittingly in the wrong belief that the biometrics should help cyber security because it helps physical security. Many of them may now be aware specifically that the biometrics products are actually bringing down the security in cyberspace and that biometrics could be better used for identification in physical space, not for authentication in cyberspace. Some people might be looking forward to the opportunity to admit the fact, desirably without affecting their reputation.

Having made this clear, we could then move next to the true question; what will eventually succeed the hard-to-manage password?

Author: Hitoshi Kokumai

President, Mnemonic Security, Inc.

- Hitoshi Kokuman is the inventor of Expanded Password System that enables people to make use of episodic image memories for intuitive use and secure identity authentication. He has kept raising the issue of wrong usage of biometrics with passwords and the false sense of security it brings for 16 years.

- Mnemonic Security Inc. was founded in 2001 by Hitoshi Kokumai for promoting Expanded Password System. "Mnemonic" and "Mneme" used in the company name and logo imply that our identity must be protected with our own memory and volition. Following the pilotscale operations in Japan, it is currently searching for the location to set up the global headquarters.


Biometrics & Password - FA, FR & Threshold


- Fallacies and illogics generated and dispersed by professionals, big businesses and tech-media


- Identity & Episodic Memory


Related Article by this Author:

- Make sure not to mix up ‘Identification’ with ‘Authentication’


Recommended Reading
Beginner's Guide to Cybersecurity

Cybersecurity refers to the practice of protecting systems, networks, and programs from digital attacks. These

A New Frontier in Cybersecurity: Drone Pentesting

In the ever-evolving landscape of cybersecurity, a novel approach has emerged that combines cutting-edge technology

Drone Cybersecurity: Ensuring the Security of Unmanned Aerial Vehicles

Drones are also known as unmanned aerial vehicles, or UAVs, and their use and attractiveness

Unmasking Phishing: Why Browser Security Strategies Are Essential in Today’s Digital World

Phishing attacks have become more cunning, leveraging legitimate domains and sophisticated tactics to slip past

January 26, 2018
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023