Heartbleed: Biometrics are not the answer

12 Apr

Following on from Heartbleed, there have been poorly judged calls from many to change all your passwords.

Quite rightly many are using this to say we have to do better than passwords. However, I heard one (nameless) commentator on BBC Radio 5 suggest using biometrics, citing the iPhone 5s; the BBC also refer to biometrics in their Heartbleed article.

Sir, you are confused! 

I have used biometrics on my laptop for a while; it makes logging onto the laptop easier. It makes logging into some web sites easier.

But this does not solve my password issue.

Fundamentally, the biometric is used to release a password, which the underlying software then copies into the web site's password box for you. The underlying security mechanism is still a password, so it is still just as vulnerable. In this context, sure, use biometrics, but for usability, not security.

2 Responses to “Heartbleed: Biometrics are not the answer”

  1. Chris Edwards, April 14, 2014 at 09:12

    In the case of Heartbleed, passwords weren’t the cause – they were the (potential) victim. The risk of exposing data through forcing an effective buffer overflow to reveal the session key was there, regardless of the authentication mechanism used.
    As far as biometrics are concerned, when used as the key to a password vault then no, they do not solve the password problem. However, if you use a fingerprint to authenticate to a private key held securely on your device, then authenticate using challenge-response, they can actually present a viable solution. This could be used for certificate-based authentication (replacing the PIN with a biometric, as per match-on-card PIV cards) but is also the motivation behind FIDO, where a certificate-less PK protocol provides both convenience and high security. It is early days yet, but there is some hope that the days of passwords are numbered.
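As an added illustration of the contrast drawn in the post and in Chris's reply (this is not code from the original page, nor from FIDO or PIV), the Python below puts a password-vault login next to a challenge-response login backed by a private key that only the biometric releases: the server holds just the public key and a single-use nonce, so a captured transcript cannot be replayed the way a captured password can. The Schnorr group parameters are a constructed toy, and the user name and 16-byte nonce are assumptions.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, p = 2q + 1): readable, far too small for real use.
P = 10007
Q = (P - 1) // 2    # 5003, prime, so the subgroup generated by G has prime order
G = pow(2, 2, P)    # a quadratic residue generates the order-Q subgroup

def _challenge_hash(r: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(str(r).encode() + b"|" + msg).digest(), "big") % Q

def keygen():
    """x stays on the device, released by the biometric; only y = G^x is enrolled."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    e = _challenge_hash(pow(G, k, P), msg)
    return e, (k + e * x) % Q

def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = (pow(G, s, P) * pow(y, (Q - e) % Q, P)) % P   # G^s * y^-e == G^k
    return _challenge_hash(r, msg) == e

def password_login(stored: str, presented: str) -> bool:
    return secrets.compare_digest(stored, presented)   # vault mode: reusable secret on the wire

class RelyingParty:
    """Server side: holds public keys and at most one single-use nonce per user."""
    def __init__(self, pubkeys: dict):
        self.pubkeys, self.pending = pubkeys, {}

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def login(self, user: str, nonce: bytes, sig) -> bool:
        expected = self.pending.pop(user, None)   # nonce is consumed on first use
        return expected == nonce and verify(self.pubkeys[user], nonce, sig)

def replay_demo():
    # Returns (genuine login, replay of the captured transcript) in challenge-response mode.
    x, y = keygen()
    rp = RelyingParty({"alice": y})             # the server never learns x
    nonce = rp.challenge("alice")
    transcript = (nonce, sign(x, nonce))        # what a server-memory leak might expose
    first = rp.login("alice", *transcript)
    rp.challenge("alice")                       # the next session gets a fresh nonce
    return first, rp.login("alice", *transcript)
```

In vault mode the same captured value (the password) logs in again every time; in challenge-response mode the replayed transcript is rejected because the nonce it signed has already been consumed.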


  2. Colin Robbins, April 14, 2014 at 09:41

    Hi Chris, I agree entirely. As you say, early days yet for biometrics to be used in this mode – too early to be pushing as today’s Heartbleed fix.

    I did note however, that PayPal and Samsung have teamed up to do biometric verification of PayPal transactions…
