Biometrics do not solve password problems

21 Apr

One year on from the Heartbleed episode, we see more and more reports of passwords being stolen. Every time it happens, some commentator or vendor comes forward to say that biometrics are the answer.

They are not…

… at least not yet. Here’s why. Most users will use passwords in at least two different scenarios:

  • Local device logon. The (username and) password you use to log on to the computing device in front of you: for example the logon password for a laptop/PC, or the PIN for a mobile device.
  • Remote access. For example, the password used to gain access to a web site via the web browser.

For local device logon, I am content with biometrics (if implemented well¹). I use biometrics via the built-in reader in my Dell laptop to log in to Windows.

(Image: reading a fingerprint)

It’s remote access where I have the issue. In the majority of applications, the biometric is only used to unlock a local password manager². The password manager then submits a pre-stored password to the site exactly as before. That is not a biometric solution at all, but a password manager with a biometric to open the vault. So every problem with passwords remains: the server still holds a password (or password hash) that can be stolen in a breach, online and offline brute-force attacks are unchanged, and unless the user is savvy the complexity and uniqueness problems remain too.

My concern is that marketing will lull many users into a false sense of security. This goes back to the “Tell the Truth” message in 5 Observations on Moving the Cyber Industry Forward.

My solution

There is no ideal, but my current approach is described in Changing 40+ Passwords: Thanks Heartbleed.

In short:

  • Two-factor/two-step verification for the things I really care about;
  • An offline password manager for the things I really care about that do not support 2FA; and
  • An online password manager for all the things I am forced to have logins for, but where I don’t have much to hide.

Longer Term

There is growing momentum behind FIDO (Fast IDentity Online), where the site stores a public key and the device proves possession of the matching private key, so no reusable secret ever leaves the device or sits on the server.

Footnotes
1. Many are not well implemented, and those are an example of what I dislike about the remote access solutions.
2. Whether password managers are good or bad is a different debate for a different blog article.

One Response to “Biometrics do not solve password problems”

  1. wofaiiwara, May 3, 2015 at 16:29

    Reblogged this on wofaiiwara.
