It appears that, amazingly, many people are still trapped in a false sense of security, believing that biometrics helps security in cyberspace when it actually does the opposite.
In a number of tech media outlets, we still see confused reports circulating rampantly about passwords and biometrics being co-used in cyberspace. We can assume that the people who circulate this befuddled perception have mixed up the following two views.
A: Biometrics brings some security (better than nothing).
B: Biometrics brings the security better than a password.
A is correct, but B is false. Logic tells us that biometrics deployed with a backup/fallback password brings security down to a level lower than password-only authentication, as shown in this short video.
Two questions come up: (1) are those tech reporters mistaken, and (2) who is behind the birth and growth of this confused perception?
Are they mistaken?
Unknown Nature of Biometrics
It is becoming known that NIST no longer allows biometrics to be used on its own, but requires it to be used ‘only as part of multi-factor authentication with a physical authenticator (something you have)’, in view of the inherent vulnerabilities of biometrics, as stated in section 5.2.3 ‘Use of Biometrics’ of the Digital Identity Guidelines, NIST SP 800-63B.
The privacy issues of biometrics are relatively well known. Most people are aware that it will be catastrophic when biometric data are leaked, since it is impossible to change or cancel biometric data (‘when’ rather than ‘if’, in view of the long lists of data breaches by sophisticated attacks).
But the effect on security of co-using biometrics with a fallback password is little known. This is probably due to the participants’ indifference to the facts quoted below.
- Perfectly fake-proof biometrics would still be less secure than a password where it is co-used with a backup password; two entrances placed in parallel provide nice convenience to criminals.
This is what we witness in so many biometrics products deployed in cyberspace.
- False acceptance of 1/1,000,000 is not necessarily better than that of 1/50,000; we need to know the corresponding false rejection rates before judgment.
False Acceptance Rates and False Rejection Rates are not just mutually dependent but are in a trade-off relation.
- ‘Unique’ is not ‘Secret’; biometric data may be unique but are not secret.
Identification based on unique but non-secret data cannot serve as authentication, which requires shared secrets.
- The same biometrics solution provides different levels of security in physical space and in cyber space; what helps the former could ruin the latter.
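The two quantitative points above (parallel entrances and the FAR/FRR trade-off) can be modelled in a few lines. This is an added example, not code from the article or from Mnemonic Security; the per-attempt acceptance probabilities and the matcher scores are constructed assumptions, and the layouts are compared on a single impostor attempt.

```python
from math import prod

# Constructed model (an assumption, not from the article): each factor has a
# probability that one impostor attempt is accepted. For a biometric sensor
# that is its false acceptance rate (FAR); for a password it is the chance of
# guessing it in one try (1/keyspace for a uniformly random choice).

def parallel_accept(*factor_fars):
    """OR layout: biometric with a fallback password, 'two entrances in
    parallel'. The impostor fails only if every factor rejects them."""
    return 1.0 - prod(1.0 - p for p in factor_fars)

def serial_accept(*factor_fars):
    """AND layout: e.g. NIST's biometric used only together with a physical
    authenticator. The impostor must pass every factor, assumed independent."""
    return prod(factor_fars)

def compare_layouts(bio_far, password_guess_prob):
    """Attacker success per attempt for the three layouts discussed above."""
    return {
        "password_only": password_guess_prob,
        "bio_or_fallback_password": parallel_accept(bio_far, password_guess_prob),
        "bio_and_second_factor": serial_accept(bio_far, password_guess_prob),
    }

# Constructed matcher scores (assumption): higher means 'more like the enrolled
# user'. A real sensor's score distributions would replace these lists.
GENUINE_SCORES = [0.62, 0.71, 0.75, 0.80, 0.84, 0.88, 0.91, 0.95]
IMPOSTOR_SCORES = [0.20, 0.35, 0.48, 0.55, 0.63, 0.70, 0.78, 0.86]

def far_frr(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """FAR = impostors accepted at this threshold; FRR = genuine users rejected.
    Raising the threshold lowers FAR and raises FRR: the trade-off in the text."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

if __name__ == "__main__":
    for name, p in compare_layouts(bio_far=1e-6, password_guess_prob=1e-4).items():
        print(f"{name:28s} attacker success per attempt = {p:.3e}")
    for t in (0.6, 0.7, 0.8, 0.9):
        far, frr = far_frr(t)
        print(f"threshold {t:.1f}: FAR = {far:.3f}  FRR = {frr:.3f}")
```

The OR layout always yields a success probability at least as high as its weakest factor, which is the article's point about parallel entrances; the threshold sweep shows why a quoted FAR means little without the FRR that accompanies it.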
Misunderstood Security in Cyberspace
The security we need is for the safer life of good citizens. We do not need such security measures that help criminals and tyrants.
- A password-less life is a dystopia; a world where we can be authenticated while unconscious would be horrible for most of us.
A society where identity authentication is allowed without users’ volition would be the society where democracy is dead. The password as memorized secret is absolutely necessary.
- Solutions that come with a password in some way or other cannot be an alternative to the password; a walking stick cannot displace a person with a walking stick.
ID federations and multi-factor authentications are extensions, not displacements, of password authentication.
Overlooked Nature of Humans’ Identity
Having our identity authenticated is for social activities in human communities, in which our identity is not separated from our volition and personal memories.
- We must discuss our identity as ‘a citizen in society’, not as ‘a chunk of bone, flesh, fat and skin’.
Democracy must require the individuals to have the rights not to get their identity authenticated without their knowingly confirming it.
- Tech media love to deride weak passwords; creating strong passwords is one thing.
Remembering them is another. And recalling which password belongs to which account is yet another. We need to be mindful of the nature of our memory and cognitive capability.
Who are behind the problem?
The confused perception does not come up from nowhere. There are people behind it.
We can think of three groups of people: those who generate the fallacy, those who pour fuel on it, and those who disperse it.
- Those who generate the fallacy: presumably researchers, developers and vendors of biometric sensors.
- Those who pour fuel on the fallacy: perhaps not a few security professionals who wrongly endorsed the fallacy and are now turning a blind eye to what has grown into an anti-social phenomenon.
- Those who disperse this misinformation: probably corporate users, financiers and the tech reporters who are misguided by those who generate and pour fuel on it.
To err is human. We know that NIST admitted that they had long been mistaken in their old password guidelines. We should not blindly trust all that professionals, experts and gurus tell us, but should rely on our own logical reasoning.
The above people may have been trapped unwittingly in the wrong belief that biometrics should help cyber security because it helps physical security. Many of them may now be specifically aware that biometric products are actually bringing down security in cyberspace, and that biometrics could be better used for identification in physical space, not for authentication in cyberspace. Some may be looking forward to an opportunity to admit the fact, preferably without affecting their reputation.
Having made this clear, we can then move on to the true question: what will eventually succeed the hard-to-manage password?
Author: Hitoshi Kokumai
President, Mnemonic Security, Inc.
- Hitoshi Kokumai is the inventor of Expanded Password System that enables people to make use of episodic image memories for intuitive use and secure identity authentication. He has kept raising the issue of wrong usage of biometrics with passwords and the false sense of security it brings for 16 years.
- Mnemonic Security Inc. was founded in 2001 by Hitoshi Kokumai for promoting Expanded Password System. "Mnemonic" and "Mneme" used in the company name and logo imply that our identity must be protected with our own memory and volition. Following the pilot-scale operations in Japan, it is currently searching for the location to set up the global headquarters.
- Biometrics & Password - FA, FR & Threshold
- Fallacies and illogics generated and dispersed by professionals, big businesses and tech-media
- Identity & Episodic Memory
Related Article by this Author:
- Make sure not to mix up ‘Identification’ with ‘Authentication’