Why Biometric Technology Is Still Not The Absolute Replacement For Passwords
I've read articles suggesting that passwords will eventually go the way of the dinosaur only to be replaced by biometrics, PINs, and other methods of authentication. This piece claims that Microsoft, Google, and Apple are decreasing password dependency because passwords are expensive (to change) and present a high security risk. On the other hand, Dr. Mike Pound at Computerphile claims that we will always need passwords (I think this is the correct video).
Why Biometric Technology Is Still Not the Absolute Replacement for Passwords
But as this wonderful Security StackExchange thread notes, biometrics are not perfect. Granted, the criticisms are roughly six years old, but still stand. Moreover, and perhaps I have a fundamental misunderstanding of how biometric data is stored, but what if this information is breached? Changing a password may be tedious and expensive, but at least it can be changed. I'm uncertain how biometric authentication addresses this problem--as I cannot change my face, iris, fingerprint, and etc.--or if it needs to address this problem at all.
First of all, let's keep in mind that vendors of biometric solutions have a vested interest in badmouthing passwords to promote their own products and services. There is money at stake. They have something to sell to you, but that doesn't mean you will be better off after purchasing their stuff. So one should not take those claims from vendors at face value.
Biometrics storage. This is the sketchy part. whereas passwords can be stored in super secure ways biometrics can't really, as you need to compare a profile with the input, which means that that profile can be stolen. Biometrics are also rather vulnerable as they are constantly visible on you. (finger prints, iris, DNA, speech, facial recognition) This makes it easy to steal/copy them, which is a lot more difficult with passwords, if they are managed properly.
I would be remiss if I did not clarify that biometrics is not solely an authentication technology, and other uses do not always require a PADS. When the police match fingerprints from a crime scene against a database, they don't check that the prints are attached to a human. When a Casino uses face recognition to look for known card counters, they take for granted that no-one is trying to impersonate a counter. For these sorts of things, it entirely comes down to matcher performance. It is strictly for authentication that the PADS is key.
The right replacement for passwords is public key authentication, with the private key held in an isolated device (something you have) and protected by a passphrase (something you know). The only difference between this and PIN is the strength that the word "passphrase" is intended to convey: the derived symmetric key used to encrypt the private key is sufficiently strong that, even if device is stolen and all data extracted, it can't be brute forced. Users of such a system must know never to enter the passphrase anywhere but on the isolated device, and to revoke and regenerate keys if they suspect the passphrase has been disclosed.
Every time you unlock a smartphone screen with a facial recognition, ask Siri for a weather update, or log in to your online bank account using your fingerprint, you're using biometrics. You might use the technology every day to authenticate your identity or communicate with a personal device, but there are plenty of other uses for biometrics.
Fingerprints are just one form of biometrics. One of the emerging forms of biometric technology is eye scanning. Usually the iris is scanned. Handwriting, voiceprints and the geometry of your veins are other biometrics that are uniquely yours and useful for security applications.
While biometric systems provide convenience to commercial users, U.S. law enforcement agencies like the FBI and Department of Homeland Security also use biometrics. The original biometric was the ink-fingerprint process still used by law enforcement today. The rise of biometric identification has helped law enforcement agencies in major ways, but like any technology, this personal information can be misused by cybercriminals, identity theft scammers, and others in the case of a data breach.
Even some of Australia's banks are tapping into using it as a security option for users to access their online banking. Recently, Suncorp Bank announced it introduced Fingerprint Login to its mobile banking app, which leverages Apple's biometric technology to allow customers with compatible iPhone and iPad devices to log into their accounts at the touch of a finger.
On occasions when malicious attacks do occur, people are often able protect themselves again by changing their unique passwords or replacing a credit card. But IBRS advisor and IT security industry analyst James Turner told ZDNet that when it comes to biometrics being stolen, it's not possible for it be revoked, which he says should be a concern for many.
Steve Wilson, Constellation Research vice president and principal analyst, and Lockstep Group founder, said biometrics is still too immature to be used for security, and believes that a national standard needs to be set to define a secure level for biometric technology use.
1Password is compatible with all the operating systems and browsers that most people use: Standalone apps for Windows, macOS, iOS, and Android all allow you to view and edit all the items in your vault. 1Password also has browser extensions for Chrome, Firefox, Brave, and Microsoft Edge that handle basic functions like autofilling passwords and creating new ones. If you use Safari on Mac, you need to download the desktop app, which includes the extension for Safari. Figuring out exactly which program to download is often confusing for newcomers and still manages to trip us up sometimes. We recommend downloading the desktop and mobile apps for your operating systems, along with the browser extensions for whatever web browsers you use.
Second, in identification mode the system performs a one-to-many comparison against a biometric database in an attempt to establish the identity of an unknown individual. The system will succeed in identifying the individual if the comparison of the biometric sample to a template in the database falls within a previously set threshold. Identification mode can be used either for positive recognition (so that the user does not have to provide any information about the template to be used) or for negative recognition of the person "where the system establishes whether the person is who she (implicitly or explicitly) denies to be". The latter function can only be achieved through biometrics since other methods of personal recognition, such as passwords, PINs, or keys, are ineffective.
In recent times, biometrics based on brain (electroencephalogram) and heart (electrocardiogram) signals have emerged. An example is finger vein recognition, using pattern-recognition techniques, based on images of human vascular patterns. The advantage of this newer technology is that it is more fraud resistant compared to conventional biometrics like fingerprints. However, such technology is generally more cumbersome and still has issues such as lower accuracy and poor reproducibility over time.
In Dark Matters: On the Surveillance of Blackness, surveillance scholar Simone Browne formulates a similar critique as Agamben, citing a recent study relating to biometrics R&D that found that the gender classification system being researched "is inclined to classify Africans as males and Mongoloids as females." Consequently, Browne argues that the conception of an objective biometric technology is difficult if such systems are subjectively designed, and are vulnerable to cause errors as described in the study above. The stark expansion of biometric technologies in both the public and private sector magnifies this concern. The increasing commodification of biometrics by the private sector adds to this danger of loss of human value. Indeed, corporations value the biometric characteristics more than the individuals value them. Browne goes on to suggest that modern society should incorporate a "biometric consciousness" that "entails informed public debate around these technologies and their application, and accountability by the state and the private sector, where the ownership of and access to one's own body data and other intellectual property that is generated from one's body data must be understood as a right."
One advantage of passwords over biometrics is that they can be re-issued. If a token or a password is lost or stolen, it can be cancelled and replaced by a newer version. This is not naturally available in biometrics. If someone's face is compromised from a database, they cannot cancel or reissue it. If the electronic biometric identifier is stolen, it is nearly impossible to change a biometric feature. This renders the person's biometric feature questionable for future use in authentication, such as the case with the hacking of security-clearance-related background information from the Office of Personnel Management (OPM) in the United States.
Companies - and particularly banks - are adopting this technology. NatWest, a major UK bank, has publicly acknowledged the ability of behavioural biometrics to stop fraudulent funds transfer attempts in real time, but this is the exception. Biometrics have not succeeded in serving as a sole replacement to the password.
Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN.
In Windows 10 and later, Windows Hello replaces passwords. When an identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM 2.0, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows that it's a verified identity, because of the combination of Windows Hello keys and gestures. It then provides an authentication token that allows Windows to access resources and services. 041b061a72