The Achilles’ heel of biometrics: is it safe to ditch passwords?
Some say that the password is an outdated concept and therefore recommend using biometric authentication. But the latter comes with its own flaws.
The death of the password has been announced many times before. But currently, it’s not possible to ditch passwords and rely solely on biometric identification. CyberNews asked prominent cybersecurity experts which is worse: sharing your passwords or your fingerprints?
Is the password an outdated concept?
The password is dead, and the future is biometric. At least, this is what experts from global technology provider iProov are saying. Their recent research showed that 50% of young consumers share their login details, and 49% of Brits and 50% of Americans have used others’ passwords.
“Far too often, people are recycling and sharing passwords, which leaves them exposed and vulnerable. As a result, they have become hard to remember and manage, which leads to user frustration and lost revenue for businesses,” iProov CEO Andrew Bud told CyberNews.
Because of complex login processes, online purchases are frequently abandoned, and citizens and customers are denied access to services.
Can all of our passwords be replaced by some kind of biometric solution? “Quite simply, yes,” Andrew Bud said.
Passwordless authentication enables a user to access an account or an online service without the need for knowledge-based authentication, which is prone to vulnerability.
“Not only do most security breaches involve passwords, they are difficult to use and create a frictional experience. Due to the volume of services requiring different passwords and their complexity, users cannot remember them easily. This leads to a high abandonment rate and increased reset costs, substantially impacting businesses,” he said, arguing that replacing passwords with biometric authentication increases security.
According to him, good biometric authentication solutions should not be collecting personally identifiable information.
“At iProov, we have a privacy firewall to protect users’ personal information. Our customers hold the user data, not us. For authentication, a user’s biometric is sent with an anonymized pseudonym to iProov through the privacy firewall. After authentication is complete, the results with the pseudonym are sent back to the customer. At that point, the customer can decrypt the pseudonym if required. A biometric without accompanying personal information is useless to hackers. The user’s identity is therefore always protected,” he explained.
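The data flow Andrew Bud describes, a service provider that keeps the personal data and a biometric verifier that only ever sees an opaque pseudonym, is shown here as an added example. This is not iProov's code; the two classes, their method names and the use of a keyed hash with a lookup table (in place of the encrypted pseudonym he mentions) are our own simplifications, and the face template is a constructed byte string.

```python
import hashlib
import hmac
import secrets

# Constructed example, not iProov's code: two parties that never share personal data.
# The Customer keeps names and e-mail addresses; the Verifier keeps only biometric
# samples keyed by an opaque pseudonym. Class and method names are ours.


class Customer:
    def __init__(self):
        self._key = secrets.token_bytes(32)   # pseudonymisation key, never leaves here
        self._people = {}                     # user_id -> personal record
        self._index = {}                      # pseudonym -> user_id (re-identification)

    def register(self, user_id, record):
        self._people[user_id] = record

    def pseudonym(self, user_id):
        # Keyed HMAC: stable per user, but without the key the value cannot be
        # linked to a person or compared against a list of guessed identifiers.
        p = hmac.new(self._key, user_id.encode(), hashlib.sha256).hexdigest()
        self._index[p] = user_id
        return p

    def resolve(self, pseudonym):
        """Only the customer can turn a pseudonym back into a person."""
        return self._people.get(self._index.get(pseudonym))


class Verifier:
    def __init__(self):
        self._templates = {}   # pseudonym -> enrolled biometric sample

    def enroll(self, pseudonym, sample):
        self._templates[pseudonym] = sample

    def authenticate(self, pseudonym, sample):
        # Toy matcher: a real system scores similarity against a threshold;
        # exact equality is used here to keep the data-flow example short.
        ok = self._templates.get(pseudonym) == sample
        return {"pseudonym": pseudonym, "result": "pass" if ok else "fail"}

    def breach_view(self):
        """What someone who dumps the verifier's database would see."""
        return list(self._templates.items())


def login_flow(customer, verifier, user_id, sample):
    # 1. the customer swaps the identity for a pseudonym at the "privacy firewall"
    p = customer.pseudonym(user_id)
    # 2. the verifier sees only (pseudonym, sample)
    outcome = verifier.authenticate(p, sample)
    # 3. the customer maps the result back to the real person
    return customer.resolve(outcome["pseudonym"]), outcome["result"]


def demo():
    customer, verifier = Customer(), Verifier()
    customer.register("u-1001", {"name": "Alice Example", "email": "alice@example.com"})
    face = b"constructed-face-template-bytes"   # stands in for a real template
    verifier.enroll(customer.pseudonym("u-1001"), face)
    person, result = login_flow(customer, verifier, "u-1001", face)
    _, bad = login_flow(customer, verifier, "u-1001", b"someone-else")
    leaked = repr(verifier.breach_view())
    return {
        "person": person["name"],
        "result": result,
        "bad": bad,
        "pii_in_verifier": "Alice" in leaked or "alice@" in leaked,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `breach_view` is the check a practitioner wants: a dump of the verifier's store yields templates and pseudonyms but no name or e-mail address, and the pseudonym key never leaves the customer, so the two data sets can only be joined by the party that holds both.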
Biometric authentication requires… a password
David Balaban, a computer security researcher with over 17 years of experience in malware analysis and antivirus software, told CyberNews that, from a security point of view, passwords are not that different from biometric identification.
According to him, many think that biometric authentication is inherently secure and much better than passwords, but a password is in fact still part of the process.
“When the end-user touches the biometric reader or scans the iris, the biometric identifier performs a true/false request to determine if the person is allowed access. From there, the biometric ID extracts any password stored by the end-user for that system and sends it to the specified site or application. The password is still in use, the end-user just doesn't see it,” David Balaban told CyberNews.
Needless to say, biometric authentication is more convenient for the end-user, but David Balaban argues that it’s no safer than a password, and is definitely not the same as encryption.
“Biometric authentication does nothing to protect users' passwords, but it helps them create strong combinations or prevents an outsider from logging into their account with stolen code or biometrics,” he told us.
The truth is that passwords can be changed or deleted, but we can’t do the same with our biometric data.
“Today, there is no solution to this problem, so there are no technologies that use biometrics as the only or primary method of authentication,” he said.
So, rather than looking towards biometric access control or a magical future technology that will eliminate the hassle of password management, David Balaban recommends that organizations and consumers use password management software and protect accounts with multi-factor authentication (MFA).
“In an ideal MFA solution, a unique strong password is used as the first authentication factor and a temporary one-time password (TOTP) device or software application as a secondary factor. In this system, biometric authentication is not considered a problem as biometric data requires a strong password,” he said.
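The two-factor check David Balaban recommends, a strong password plus a one-time code from an authenticator app, is shown here as an added example written for this article rather than taken from it. It uses a salted PBKDF2 password hash and the time-based one-time password algorithm of RFC 6238 (the widely deployed "TOTP"), with a small drift window and single-use enforcement so an intercepted code cannot be resubmitted. The iteration count, window size and the `account` record layout are our own choices.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed example (not from the article): password factor + TOTP factor.
PBKDF2_ITERATIONS = 600_000   # our choice; tune to your hardware
TOTP_STEP = 30                # seconds per code, as in RFC 6238
TOTP_DIGITS = 6


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret, code, at_time, window=1):
    """Return the matching counter, or None. Accepts +/- `window` steps of clock drift."""
    counter = int(at_time // TOTP_STEP)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return counter + delta
    return None


def verify_login(account, password, code, at_time=None):
    """Both factors must pass; a code is accepted at most once."""
    at_time = time.time() if at_time is None else at_time
    pw_ok = verify_password(password, account["salt"], account["hash"])
    matched = verify_totp(account["totp_secret"], code, at_time)
    # Refuse any counter at or below the last accepted one, so a code that was
    # observed in transit cannot be resubmitted within its validity window.
    otp_ok = matched is not None and matched > account["last_counter"]
    if pw_ok and otp_ok:
        account["last_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    secret = os.urandom(20)
    salt, digest = hash_password("correct horse battery staple")
    account = {"salt": salt, "hash": digest, "totp_secret": secret, "last_counter": -1}
    now = time.time()
    print(verify_login(account, "correct horse battery staple", totp(secret, now), now))
    print(verify_login(account, "correct horse battery staple", totp(secret, now), now))  # reuse
```

The second call in the demo fails on purpose: the same code presented twice within one time step is the textbook replay, and tracking the last accepted counter is what closes it. Both factors are always evaluated before returning, so the response does not reveal which one failed.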
The Achilles’ heel of biometrics
Consumers are increasingly adopting biometric authentication. This is evident from the ubiquity of devices with biometric scanners and the growing list of apps that support biometric authentication, Mike Wilson, founder and CTO of Enzoic, told CyberNews.
A password, unless it is stolen, stays private even if a person chooses to share it with someone. Biometrics, on the other hand, are very public: everyone can see your face, and you leave your fingerprints everywhere.
“This is the Achilles' heel of biometrics, and one of the things I think will hamper its ability to ever become the sole means of authentication. You can’t change your face, you can’t change your retina, and you can’t change your fingerprints,” he said.
While biometric scanners have become increasingly good, using techniques such as 3D facial recognition, infrared scanners, and pulse oximetry, none of these mechanisms is foolproof: they can be, and have been, spoofed.
“With a detailed enough representation of any of these biometric markers, it is theoretically possible to spoof them and, of course, they can’t really be changed once these representations are compromised,” Mike Wilson told CyberNews.
According to him, fingerprint data is stored by lots of governmental and non-governmental entities: “Given the ubiquity of data breaches, it’s well within the realm of likelihood that this data can and will be exposed for large numbers of people.”
At the moment, he said, it’s not possible to ditch passwords.
“The real sticking point comes with signing into websites via a browser, which is not widely available,” Mike Wilson said.
Nearly all consumer biometric authentication is essentially just a quick, convenient means of unlocking a local password store.
“When I sign in with my face or fingerprint to an app on my phone, for instance, all that’s really happening behind the scenes is I’m unlocking a local store in the phone’s operating system, which the device then passes to the app requesting authentication. The app can trust that the device has verified the user, and then can allow the user in using a previously cached set of credentials (essentially your username and password or token representing them). So under the hood, you’re still using passwords,” he said.
‘Password replay attacks’
“Biometric passwords are starting to evolve past physical identifiers such as fingerprints, iris, and facial recognition as behavioral biometrics begins to come into the picture. This form of customized authentication is an analysis of the user’s behavior to determine their identity, making it a more secure option but extremely reliant on accuracy,” Alex Heid, chief R&D officer at SecurityScorecard, told CyberNews.
How vulnerable are biometric sign-in solutions? How can they be exploited?
“It’s important to be aware of how biometric data is being stored and who it's to be shared with or sold to. The proliferation of biometric recognition as authentication, combined with consumer apps, eventually leads the way to a future exploit method whereby hackers can hypothetically conduct 'password replay attacks' using biometric data, as opposed to using compromised credentials like the present day,” he explained.
Although demand for this type of data on underground marketplaces is not yet significant, there is high demand for it in the marketing-analytics world for ad profiling, Alex Heid explained.
In any case, ditching passwords is possible only in a narrow technical sense.
“The mass adoption of biometrics as a complete replacement for passwords could leave users open to the hypothetical replay attack using biometric data,” he said.
Don Waugh, CFO and Co-CEO at Applied Recognition, disagrees with the statement that hackers can hypothetically conduct ‘biometric data replay attacks’. Face signatures are mathematical values that represent faces, and they look like this.
“These Face Signatures can’t be cracked, reverse engineered or found on dark web tables like hashed passwords can be found. Furthermore, an identical or close to identical value means we have detected a man-in-the-middle replay attack,” he told CyberNews.
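The detection rule Don Waugh describes, and the replay scenario Alex Heid raises earlier in the article, are illustrated here by an added example that is not Applied Recognition's code. A face signature is modelled as a vector of floats; two live captures of the same person are similar but never bit-for-bit identical because of sensor noise, so a signature that exactly repeats one already presented is flagged as a replay rather than accepted. The thresholds, the noise model and the dimension count are constructed values, and the similarity measure (cosine) is our choice.

```python
import math
import random

# Constructed example (not Applied Recognition's code): a matcher that accepts a
# face signature only when it resembles the enrolled one AND does not repeat an
# earlier capture exactly. Thresholds and noise levels are invented for the demo.
MATCH_THRESHOLD = 0.95    # cosine similarity needed to accept
REPLAY_DISTANCE = 1e-9    # captures closer than this to a stored one are repeats


def cosine_similarity(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb)


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class FaceMatcher:
    def __init__(self):
        self.enrolled = {}   # user -> reference signature
        self.history = {}    # user -> signatures already presented and accepted

    def enroll(self, user, signature):
        self.enrolled[user] = list(signature)
        self.history[user] = []

    def authenticate(self, user, probe):
        """Return ('accept' | 'reject' | 'replay', similarity to the enrolled signature)."""
        score = cosine_similarity(self.enrolled[user], probe)
        # A live sensor never reproduces a signature bit-for-bit, so an (almost)
        # identical value to one seen before means stored data was re-sent.
        for seen in self.history[user]:
            if euclidean(seen, probe) < REPLAY_DISTANCE:
                return "replay", score
        if score >= MATCH_THRESHOLD:
            self.history[user].append(list(probe))
            return "accept", score
        return "reject", score


def random_signature(rng, dims=64):
    """Constructed stand-in for an enrolled template."""
    return [rng.uniform(-1, 1) for _ in range(dims)]


def simulate_capture(reference, rng, noise=0.02):
    """Constructed stand-in for a camera capture: the reference plus per-dimension noise."""
    return [x + rng.gauss(0, noise) for x in reference]


def demo(seed=7):
    rng = random.Random(seed)
    alice = random_signature(rng)
    mallory = random_signature(rng)
    matcher = FaceMatcher()
    matcher.enroll("alice", alice)
    live = simulate_capture(alice, rng)
    first = matcher.authenticate("alice", live)
    replay = matcher.authenticate("alice", live)                      # same values re-sent
    second_live = matcher.authenticate("alice", simulate_capture(alice, rng))
    impostor = matcher.authenticate("alice", simulate_capture(mallory, rng))
    return {
        "first": first[0],
        "replay": replay[0],
        "second_live": second_live[0],
        "impostor": impostor[0],
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the repeat test runs before the similarity test, because a replayed signature is by construction a perfect match and would otherwise sail through. In a deployed system the history would be bounded and stored per device or session, and the replay distance tuned against the real sensor's measured noise floor rather than the constant used here.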