Gerald Beuchelt, CISO at LogMeIn: Why biometrics cannot be considered a true replacement for text-based passwords.
May 21, 2019
Gerald Beuchelt, CISO at LogMeIn, explores the practical reasons as to why biometrics cannot be considered a true replacement for text-based passwords.
Apple caused a stir when it introduced technology in its newest iPhone that would allow users to unlock their phones, use Apple Pay or access certain apps using only their face.
Along with using a fingerprint to access devices like smartphones, facial recognition is another important step toward the advancement of biometric authentication into the mainstream. Other leading companies such as Microsoft and Samsung are also championing similar technologies as a sensible way to bring convenience to accessing devices and apps for users and add another layer to the authentication process.
For years, proponents of biometrics have heralded it as a replacement for passwords. This may partly be due to the fact that it’s a new entrant in authentication at a time in which cyber threats are increasingly sophisticated and highly targeted, with weak or stolen passwords consistently being the primary source of breaches.
While biometrics can provide a practical combination of security and convenience in certain scenarios, there are a few challenges that need to be solved before they can be considered true replacements for passwords:
Let’s take the iPhone, for example. A person could unlock their iPhone dozens of times a day via facial recognition or fingerprint identification, but the device still requires a passcode at setup and will ask for that code every time the phone is rebooted. In order to secure data, it must be encrypted, which requires an encryption key.
Biometrics is effective as a gatekeeper to grant or deny access to data, but it can’t be used to encrypt the data. So, while the newest iPhone has sophisticated face-mapping sensors, it still requires the user to set up a passcode because it is needed to encrypt the data on the device’s internal storage.
With data breaches taking place in clockwork fashion, in the event a person’s digital fingerprint or iris scan were stolen, biometric access presents the possibility that an identity could be stolen and never fully recovered.
Unlike passwords, one cannot reset or change biometric identifiers to restrict or change access. As facial recognition technology becomes more widespread, it’s been demonstrated that hackers can crack or find ways around it, making passwords and passcodes still critical to how we access information and hardware.
One of the reasons passwords are so pervasive in our lives is that we never know when we may need to access data, from where or using which device. Most professionals have at least one mobile phone, a computer for work and a separate one for private use, and also access apps on smart TVs, tablets, streaming sticks and other devices. They may need to jump on a hotel’s business centre desktop or use a friend’s device to access an app.
Using a password to login to an online account works everywhere -- on any device. Biometrics cannot do the same as they are tied to specific devices and app instances on those devices. This is why apps that people frequently access from multiple devices, like GrubHub or Netflix, always require passwords to set up. Imagine not being able to access Netflix, your email or a car-service app simply because a different device is being used?
4. Biometrics may present serious obstacles with bias
As with any new technology, concerns have cropped up in regard to the inherent bias of biometrics. For example, in banking, some are questioning whether some ethnicities may be disenfranchised due to facial recognition flaws. And various U.S. civil liberties groups have voiced their concerns about how biometrics could be applied unfairly or incorrectly in surveillance and criminal cases.
If these concerns slow or, in certain cases, halt adoption, password use remains the most feasible option for identity and access management.
Cyber threats are growing and evolving at a rate that exceeds security operations teams’ ability to keep pace with them. According to ISACA’s State of Cybersecurity 2018 Report, 50% of over 2,300 security and IT professionals are experiencing more cyberattacks this year. Cybercriminals are making a living stealing information from personal and business accounts via phishing, malware, and social engineering attacks, among other threats.
A more complex threat landscape means increased use of multifactor authentication using both biometrics and passwords or PINs. In the highest-security environments such as hospitals, government offices and, financial institutions, it’s likely that individuals will be mandated to authenticate their identity multiple times per day and with multiple factors.
There is a lot of work going into solve these challenges. The new WebAuthn standard, for example, promises truly biometrics-based authentication for accessing websites from your browser, but it still cannot connect your identities across devices.
For example, Fujitsu and BioSec have been working on encryption using biometric data. LastPass, BioKey, NoPassword, and others are also researching technologies that would let users manage and protect their credentials without the need of a master password.
Because passwords are susceptible to the flaws of human behaviour and our natural preference for patterns, they’re often the weakest link in the security chain: weak or stolen credentials have been the most frequent entry points for breaches for years.
Still, for most organisations a well-implemented enterprise password management solution should be foundational in the security stack.
For business and IT leaders, the ability to help securely control, store and manage employees’ passwords can mitigate unnecessary risks due to poor password hygiene or the threat of malicious and non-malicious insiders. So much of our lives exist in a digital space, and overall security can be invariably strengthened in how the humble -- and still highly necessary -- password is used.