© 2021 CyberNews - Latest tech news,
product reviews, and analyses.

If you purchase via links on our site, we may receive affiliate commissions.

The Achilles’ heel of biometrics: is it safe to ditch passwords?

3

Some say that the password is an outdated concept and therefore recommend using biometric authentication. But the latter comes with its own flaws.

The death of the password has been announced many times before. But currently, it’s not possible to ditch passwords and rely solely on biometric identification. CyberNews asked prominent cybersecurity experts which is worse: sharing your passwords or your fingerprints?

Is the password an outdated concept?

The password is dead, and the future is biometric. At least, this is what experts from global technology provider iProov are saying. Their recent research showed that 50% of young consumers share their login details, and 49% of Brits and 50% of Americans have used others’ passwords.

“Far too often, people are recycling and sharing passwords, which leaves them exposed and vulnerable. As a result, they have become hard to remember and manage, which leads to user frustration and lost revenue for businesses,” iProov CEO Andrew Bud told CyberNews.

Because of complex login processes, online purchases are frequently abandoned, and citizens and customers are denied access to services.

Can all of our passwords be replaced by some kind of biometric solution? “Quite simply, yes,” Andrew Bud said.

Not only do most security breaches involve passwords, they are difficult to use and create a frictional experience. Due to the volume of services requiring different passwords and their complexity, users cannot remember them easily. This leads to a high abandonment rate and increased reset costs, substantially impacting businesses,

Andrew Bud said.

Passwordless authentication enables a user to access an account or an online service without the need for knowledge-based authentication, which is prone to vulnerability.

“Not only do most security breaches involve passwords, they are difficult to use and create a frictional experience. Due to the volume of services requiring different passwords and their complexity, users cannot remember them easily. This leads to a high abandonment rate and increased reset costs, substantially impacting businesses,” he said, arguing that replacing passwords with biometric authentication increases security.

According to him, good biometric authentication solutions should not be collecting personally identifiable information.  

“At iProov, we have a privacy firewall to protect users’ personal information. Our customers hold the user data, not us. For authentication, a user’s biometric is sent with an anonymized pseudonym to iProov through the privacy firewall. After authentication is complete, the results with the pseudonym are sent back to the customer. At that point, the customer can decrypt the pseudonym if required. A biometric without accompanying personal information is useless to hackers. The user’s identity is therefore always protected,” he explained.

Frustration with complicated passwords. Shutterstock (fizkes)

Biometric authentication requires… a password

David Balaban, computer security researcher with over 17 years of experience in malware analysis and antivirus software, told CyberNews that,  from a security point of view, passwords are not that different from biometric identification.

According to him, many think that biometric authentication is inherently secure and much better than passwords, but the latter is considered part of it.

“When the end-user touches the biometric reader or scans the iris, the biometric identifier performs a true/false request to determine if the person is allowed access. From there, the biometric ID extracts any password stored by the end-user for that system and sends it to the specified site or application. The password is still in use, the end-user just doesn't see it,” David Balaban told CyberNews.

Needless to say, biometric authentication is more convenient for the end-user, but David Balaban argues that it’s no safer than a password, and is definitely not the same as encryption.

Today, there is no solution to this problem, so there are no technologies that use biometrics as the only or primary method of authentication,

David Balaban said.

“Biometric authentication does nothing to protect users' passwords, but it helps them create strong combinations or prevents an outsider from logging into their account with stolen code or biometrics,” he told us.

The truth is that passwords can be changed or deleted, but we can’t do the same with our biometric data.

“Today, there is no solution to this problem, so there are no technologies that use biometrics as the only or primary method of authentication,” he said.

So, rather than looking towards biometric access control or a magical future technology that will eliminate the hassle of password management, David Balaban recommends organizations and consumers to use password management software and protect accounts with multi-factor authentication (MFA).

"In an ideal MFA solution, a unique strong password is used as the first authentication factor and a temporary one-time password (TOTP) device or software application as a secondary factor. In this system, biometric authentication is not considered a problem as biometric data requires a strong password," he said.

The Achilles’ heel of biometrics

Consumers are increasingly adopting biometric authentication. This is evident from the ubiquity of devices with biometric scanners and the growing list of apps that support biometric authentication, Mike Wilson, founder and CTO of Enzoic, told CyberNews.

A password, if not stolen, is very private, even if a person shares it with someone. Biometrics, on the other hand, is something very public - everyone can see your face, and you leave your fingerprints everywhere.

“This is the Achilles' heel of biometrics, and one of the things I think will hamper its ability to ever become the sole means of authentication. You can’t change your face, you can’t change your retina, and you can’t change your fingerprints,” he said.

While biometric scanners have gotten increasingly good using things like 3D facial recognition, infrared scanners, pulse oximetry, there’s nothing foolproof about these mechanisms, and they can be, and have been, spoofed. 

“With a detailed enough representation of any of these biometric markers, it is theoretically possible to spoof them and, of course, they can’t really be changed once these representations are compromised,” Mike Wilson told CyberNews.

According to him, fingerprint data is stored by lots of governmental and non-governmental entities: “Given the ubiquity of data breaches, it’s well within the realm of likelihood that this data can and will be exposed for large numbers of people.”

At the moment, he said, it’s not possible to ditch passwords.

“The real sticking point comes with signing into websites via a browser, which is not widely available,” Mike Wilson said.

Nearly all consumer biometric authentication is essentially just a quick, convenient means of unlocking a local password store. 

“When I sign in with my face or fingerprint to an app on my phone, for instance, all that’s really happening behind the scenes is I’m unlocking a local store in the phone’s operating system, which the device then passes to the app requesting authentication. The app can trust that the device has verified the user, and then can allow the user in using a previously cached set of credentials (essentially your username and password or token representing them). So under the hood, you’re still using passwords,” he said.

Voice recognition technology. Shutterstock (Zapp2Photo)

‘Password replay attacks' 

“Biometric passwords are starting to evolve past physical identifiers such as fingerprints, iris, and facial recognition as behavioral biometrics begins to come into the picture. This form of customized authentication is an analysis of the user’s behavior to determine their identity, making it a more secure option but extremely reliant on accuracy”, Alex Heid, chief R&D officer at SecurityScorecard, told CyberNews.

How vulnerable are biometric sign-in solutions? How can they be exploited?

“It’s important to be aware of how biometric data is being stored and who it's to be shared with or sold to. The proliferation of biometric recognition as authentication, combined with consumer apps, eventually lead the way to a future exploit method whereby hackers can hypothetically conduct 'password replay attacks' using biometric data, as opposed to using compromised credentials like the present day,” he explained.

Although on underground marketplaces, the demand for this type of data is not yet big enough, there is a high demand in the marketing analytics world for this type of information for ad profiling, Alex Heid explains.

In any case, ditching passwords is only technically possible.

“The mass adoption of biometrics as a complete replacement for passwords could leave users open to the hypothetical replay attack using biometric data,” he said.

Don Waugh, CFO and Co-CEO at Applied Recognition, disagrees with the statement that hackers can hypothetically conduct ‘biometric data replay attacks’. Face signatures are mathematical values that represent faces, and they look like this.

10F2450B369B545E8F77DD55E19D0D8FFE5C32AE6730C47914C4727264FA91B0F

2F7F3F98C240AC6085B55F28CC7D5ADA9195BD66522C156A68F54B37C18604CD

8865CD21D2CB7CFDD298678FC80E9FE9A87719B030A23E50A73C69524840AC4C

7ADE2F9470D26702B6383A8F175D5A169A4DE895080D4BD5D0D14E996C07

“These Face Signatures can’t be cracked, reverse engineered or found on dark web tables like hashed passwords can be found. Furthermore an identical or close to identical value means we have detected a man in the middle replay attack,” he told CyberNews.

Comments
Bill
Bill
prefix 6 months ago
I can unlock my twins iPhone just by looking at it and I’m a little fatter so it has a way to go.
don waugh
don waugh
prefix 1 year ago
I would like to bring your attention to two fundamental falsehoods in your article.

1. Biometric data cannot be changed or deleted.
That fact of the matter is a person’s face is everywhere and can be easily stolen witness ClearviewAI. However face biometrics for identity authentication requires a person’s live face. Unless you can control a person’s device and remotely control the person you cannot steal their “live” face to spoof the person to authenticate.

2. Hackers can hypothetically conduct ‘biometric data replay attacks’

This is equally false . The fact of the matter is that if we ever saw the same to or nearly the same face signature we actually know we have a replay attack.

I can provide more details so you can set the record straight.

Don
J.W. Wexford
J.W. Wexford
prefix 1 year ago
Really, being more responsible with one’s data is the answer, whatever form that takes, a password manager app, coming up with a system for passwords, or just not using e-commerce sites that force you to create a login to buy whatever they sell. See, Big Data hungry the world is today. Data is the new gold. I wish people looked at their data that way, then this would be a moot point.
Leave a Reply

Your email address will not be published. Required fields are marked