Tech media seem busy arguing about which biometric is better than the others. From security's point of view, it is all nonsense: every one of them provides a lower level of security than password-alone authentication in cyberspace. We should instead ask why security-lowering measures have been touted as security-enhancing solutions.
Whether dead or alive, conscious or unconscious, individuals can be identified by biometrics. This often leads people to take it for granted that good identification of individuals makes a valid authentication of our identity.
Caveat: that is not the case. Biometrics follows the ‘unique’ features of individuals’ bodies and behaviours, which means it is well suited to the identification of individuals who may be conscious or unconscious, alive or dead. In that respect, biometrics deserves due respect.
Being ‘unique’ is different from being ‘secret’, however. Deploying biometrics, which follows ‘unique (not secret) features’, for the security of identity authentication would be a misuse of it. The ‘Password’ must not be displaced by the ‘User ID’.
Because of its inherent characteristics, biometrics depends on a fallback means in case of false rejection. In physical security, the fallback can be handled by personnel in charge rather than by the user. In cybersecurity, however, it has to be handled by the users themselves, in most cases by way of a password that they feed in. This operation brings the overall security down below that of password-alone authentication.
Therefore, so long as biometrics is backed up by a fallback password, and irrespective of which biometric is more accurate than the others, its security is lower than that of password-only authentication, as illustrated in this video.
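The comparison above can be worked through as probabilities. The following is an added example, not code from the article or its author: it treats the biometric check and the password check as independent events and computes an attacker's chance of getting in under three configurations. The rates `p_pw` (probability that an attacker defeats the password check) and `p_bio` (the sensor's false acceptance rate) are constructed illustrative assumptions, not measurements.

```python
"""Added worked example (not from the article): how a biometric with a
password fallback compares with password-only and with a genuine two-factor
(biometric AND password) login, measured as the attacker's success probability.

The rates are constructed illustrative assumptions, not measurements:
  p_pw  - probability that an attacker defeats the password check
  p_bio - false acceptance rate (FAR) of the biometric sensor, i.e. the
          probability that it accepts someone who is not the owner
The two checks are treated as independent events.
"""


def password_only(p_pw):
    """Only the password stands between the attacker and the account."""
    return p_pw


def biometric_with_password_fallback(p_bio, p_pw):
    """Biometric OR password: either path logs the attacker in, so the
    attacker only needs one of the two to succeed.
    P(at least one succeeds) = 1 - P(both fail)."""
    return 1.0 - (1.0 - p_bio) * (1.0 - p_pw)


def biometric_and_password(p_bio, p_pw):
    """Biometric AND password: both must pass (genuine multi-factor)."""
    return p_bio * p_pw


def compare(p_bio, p_pw):
    """Return the attacker success probability of each configuration and
    whether the fallback design is weaker than password-only."""
    pw = password_only(p_pw)
    fallback = biometric_with_password_fallback(p_bio, p_pw)
    both = biometric_and_password(p_bio, p_pw)
    return {
        "password_only": pw,
        "biometric_or_password": fallback,
        "biometric_and_password": both,
        # The OR composition can never be stronger than its weakest path:
        # 1 - (1-a)(1-b) >= max(a, b) for any a, b in [0, 1].
        "fallback_weaker_than_password_only": fallback >= pw,
    }


if __name__ == "__main__":
    # Constructed numbers: a FAR of 1 in 10,000 and a password the attacker
    # defeats with probability 1 in 1,000,000.
    for name, value in compare(p_bio=1e-4, p_pw=1e-6).items():
        print(f"{name:38s} {value}")
```

The design point is the composition operator, not the particular numbers: a fallback that accepts either factor is an OR, and an OR of two checks is at least as permissive as the more permissive of the two. Only an AND (both factors required) improves on the password alone, which is why a fallback password makes the biometric an added attack path rather than an added safeguard.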
We cannot but wonder why and how biometrics has been touted as a security-enhancing tool for so long, with so many security professionals staying silent about this fact.
There could be various explanations – from agnotology, neuroscience, psychology to sociology, behavioral economics and so on. This phenomenon will perhaps be found to have provided an excitingly rich material for a number of scientists and researchers in those fields.
Anyway, by confusing “Identification” with “Authentication”, we would be building a sandcastle in which people are trapped in a terrible false sense of security. The huge biometrics business has thus been built on a fallacy.
We could also think about situations where we cannot rely on anything but memorized secrets: identity assurance in emergencies.
What is practicable in a calm indoor environment is not necessarily practicable in a turbulent outdoor environment, although the reverse does hold. The difference would be most striking in battlefields and disaster recovery.
Can we be certain that the biometrics measures, whether static or behavioral, are practicable for the people who are injured or caught in panic? Can we take it for granted that the people in such emergencies must be holding the cards and tokens for their identity authentication?
Related slide “Identity Assurance in Emergencies”.
Also we must not forget the meaning of our volition in the authentication.
Democracy in Peril
Democracy must require that individuals have the right not to get their identity authenticated without knowingly confirming it. This volitional process can be achieved only with ‘volitional’ identity authentication, made possible by memorized secrets.
Some security people are advocating that the password should be killed dead. I wonder if they are aware of what they mean by what they say. A society where login without users’ volition is allowed would be the society where democracy is dead. It’s a tyrant’s utopia.
We know that the password is an indispensable factor in multi-factor schemes and that the security of password managers and single-sign-on schemes hinges on the reliability of the master password. Biometrics, which relies on a backup password, can by no means be an alternative to the password.
The password (memorized secret) is absolutely necessary. We must not accept any form of password-less login.
Having come back to the absolute necessity of the password for both technical and societal reasons, we cannot be indifferent to the latest NIST password guidelines.
This article talks about the old and new NIST password guidelines.
It is nice to see the odd recommendations repealed: complicated, hard-to-recall passwords, which result in reusing the same password across many accounts, and regular password changes, which result in using the easiest-to-guess passwords. It is not nice, however, to see ‘passphrase’ and ‘password manager’ being touted so naively. Caveats should come with these recommendations.
Passphrase: It can be longer and yet easier to remember, but that does not necessarily mean higher entropy, despite the tiresome extra typing. It is generally made of known words, which are exactly what automated dictionary attacks exploit.
The cartoon shown in the linked article says that a 44-bit entropy is hard to guess. It may be extremely hard for humans to guess, but it would be easy prey for criminals who possess automated attack software with intelligent dictionaries.
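To make the entropy point concrete, here is an added example that is not part of the article: it computes the entropy of a passphrase from the size of the list its words are drawn from, compares it with a random character password, and converts a 44-bit budget into expected guessing time. The word-list sizes and the guessing rate (1e10 guesses per second against a fast hash) are constructed assumptions for illustration, not figures from the article or from any benchmark.

```python
"""Added worked example (not from the article): entropy of a passphrase made
of dictionary words versus a random character password, and what a 44-bit
budget means against automated guessing.

Entropy here is that of the selection process: if every word is picked
uniformly at random from a list of N words, each word contributes log2(N)
bits, whatever its length. Word-list sizes and the guessing rate are
constructed assumptions, not benchmarks.
"""
import math


def passphrase_entropy_bits(num_words, dictionary_size):
    """Bits of entropy for num_words words chosen uniformly from a list of
    dictionary_size words."""
    return num_words * math.log2(dictionary_size)


def random_password_entropy_bits(length, alphabet_size):
    """Bits of entropy for `length` characters chosen uniformly from an
    alphabet of alphabet_size symbols (95 printable ASCII, for example)."""
    return length * math.log2(alphabet_size)


def expected_guesses(entropy_bits):
    """An attacker who enumerates the space needs, on average, half of it:
    2^(bits - 1) guesses."""
    return 2 ** (entropy_bits - 1)


def seconds_to_crack(entropy_bits, guesses_per_second):
    """Expected time for an attacker guessing at the given rate."""
    return expected_guesses(entropy_bits) / guesses_per_second


def scenarios():
    """Compare a few selection processes. The 'familiar words' case models a
    user who draws only from a small set of everyday words: the phrase is just
    as long, but the attacker's effective dictionary is much smaller."""
    rate = 1e10  # assumed offline guessing rate (constructed figure)
    cases = {
        "4 words, 2048-word list": passphrase_entropy_bits(4, 2048),  # the 44 bits
        "4 words, 500 familiar words": passphrase_entropy_bits(4, 500),
        "7 random printable ASCII chars": random_password_entropy_bits(7, 95),
    }
    return {name: (bits, seconds_to_crack(bits, rate)) for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, secs) in scenarios().items():
        print(f"{name:32s} {bits:5.1f} bits  ~{secs:,.0f} s at 1e10 guesses/s")
```

Two things fall out of the numbers. A 28-character phrase of four words from a 2048-word list carries about the same entropy as seven random printable characters, so length alone says nothing about strength; and at the assumed rate the full 44-bit space is exhausted in minutes, while a phrase built from a few hundred familiar words falls in seconds. The attacker's dictionary, not the phrase length, sets the work factor.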
Password Manager: It remembers all my passwords while un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation, or considered mainly for low-security accounts, not for the high-security business accounts that should be protected by different strong passwords, unique to each account.
Then what can we look to?
Intuitive Password Proposition
Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.
At the root of the password predicament is the cognitive phenomenon called “interference of memory”, because of which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password but the textual password. Textual memory is only a small part of what we remember. We could make use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to efforts to expand the password system to include images, particularly unforgettable images, as well as conventional texts.
We propose ‘Expanded Password System’ for mitigation of the password predicament.
Related article “Intuitive Password Proposition Post-biometrics Identity Authentication”
Author: Hitoshi Kokumai
Hitoshi Kokumai is the inventor of Expanded Password System, which enables people to make use of episodic image memories for intuitive and secure identity authentication. He has been raising the issue of the wrong usage of biometrics with passwords and the false sense of security it brings for the last 15 years.
Mnemonic Security Inc. was founded in 2001 by Hitoshi Kokumai to promote Expanded Password System. "Mnemonic" and "Mneme", used in the company name and logo, imply that our identity must be protected with our own memory. Following pilot-scale operations in Japan, it is currently searching for a location to set up the global headquarters.