The use of biometric information for security is on the rise, as every week a new article proclaims that the biometric revolution is just around the corner. Is it time to bid farewell to conventional passwords?
Fingerprint sensors are already a standard feature on many new phones and laptops, and a mixture of ambitious start-ups and industry giants are working hard to develop new types of biometric authentication. It may soon be commonplace to use the acoustics of your skull, your gait, or even the sub-surface structures of the veins and capillaries found underneath your fingerprint as a unique and verifiable marker of identity.
But how much of this is hype? Can biometry ever displace our reliance on passwords?
Passwords aren’t perfect, and there are many justifiable motivations to replace them. Indeed, their inadequacy as a form of authentication is nowhere more evident than in the many systems that have been designed to prop them up. From 2-factor authentication to password managers that generate high-entropy strings of random characters, many attempts have been made to address the guessable passwords and routine breaches that plague users of password-authenticated systems. Invariably, though, they end up being too inconvenient and unwieldy for mainstream adoption.
Enter biometrics. Your fingerprint, for example, is a unique, verifiable password that you carry everywhere with you – and authentication is as convenient as pushing a button.
One of the biggest concerns with password-authenticated systems is the “weak” password. Passwords like “password”, “qwerty” and “123456” have held the top ranking for many years, and there doesn’t seem to be any sign of that changing. A fingerprint, on the other hand, contains a level of unique complexity that easily dwarfs the strongest passwords. Brute forcing a fingerprint is akin to trying to generate a high-resolution image of your finger purely by testing random combinations of pixels. Simply put, brute forcing a biometric identifier is likely to be intractable unless there is a flaw in the algorithm that digitizes these identifiers.
Before we can begin to evaluate the difficulties that surround biometry, however, it is important to understand exactly what is being attempted. We need to make a distinction between biometric data used for verification as opposed to biometric data used simply for identification.
Systems of identification only attempt to draw a link between some digital data and the biometric features that it represents. A solid biometric identification system, then, answers the question “who generated this biometric data?” It does not answer any questions about the trustworthiness of the person holding the data; only the integrity of the data itself can be assured. This type of biometry dates to 1891, with the collection of criminals’ fingerprints by Juan Vucetich.
In contrast, a biometric verification system asks, “who is this person?” Although the mechanism is fundamentally the same – reading biometric data and comparing it with a specific record on file – the purpose is different. In this case, the ability to present the system with a valid set of biometric data (in a valid way) is considered sufficient to prove the identity of the person presenting the data.
Consequently, in order to replace the password, the biometric system in question would need to be used for verification, not just identification. However, there is another distinction to be made. Current systems of biometric verification, such as the fingerprint sensor on your smartphone, are disjunctive. This is to say that the fingerprint sensor is provided as a matter of convenience, as a “shortcut” to unlocking your phone – but the password is still present as a fallback, as below:
Password OR Fingerprint = Authentication
The alternative system would either be conjunctive with a password, or it would omit the password entirely:
Password AND Fingerprint = Authentication
There are other possible systems; for example, you could use a password, a fingerprint, and a number of other biometric and non-biometric tokens – a certain number of which are required to guarantee authentication. However, this kind of setup is more commonly used for securing the physical perimeter of a building than for digitally authenticating a user.
Unfortunately, disjunctive systems such as the ones used in smartphones and laptops do not improve security – in fact, they actively worsen it. It stands to reason that each discrete means of authentication added to a system will weaken its security. If each token can be used independently of the others to gain access, then every means of authentication adds another system to be exploited and another token to be stolen or forged.
As long as a disjunctive system is employed, biometric authentication will remain a gimmick – a matter of convenience that actually hinders security when it is present. It is not until biometrics are strong enough to be used on their own that they will be an eligible replacement for the password.
There are a number of issues preventing biometrics from becoming truly dominant. The most familiar is simple reliability; even with modern fingerprint scanners, there is an element of fuzziness involved. A password is a simple string of alphanumeric characters – if you possess the password (i.e. you know it), you should always be able to use it to gain access.
Your fingerprint, on the other hand, is a physical object, and whether or not you can use it to gain access is entirely dependent on the quality of the sensor. While the quality of these sensors is improving all the time, the prospect of being locked out of your phone by a broken sensor or by poor recognition is recognisable to anyone who uses a fingerprint sensor on their phone or laptop.
This brings us to the next challenge. After all, sensors can break – but so can keyboards. Likewise, a device that expects some biometric data that you are not able to provide is not so different from a lost or forgotten password. But unlike passwords, biometric data cannot simply be “reset” with an email. Sticking with fingerprints as an example, would you accept a system that only allowed you to have 10 passwords in your entire life?
What happens if you lose a finger, or your print becomes damaged? For systems that employ skull acoustics or heartbeat signatures, is there any guarantee that these metrics will remain constant over years, or will a cracked skull or a pacemaker render your biometrics invalid? These may seem like fringe cases, but they must be considered for a technology that is intended to undergo widespread adoption.
There are some possible workarounds. Using a different biometric for each account (a finger for Gmail and a retinal scan for your phone, for instance) would limit the damage of losing a single biometric identifier, since the accounts that remain accessible could serve as a “reset” route for the one you are locked out of, but this is hardly a scalable solution.
Another challenge proponents of biometric authentication must overcome is that physical biometric data is inherently public information. Ideally, a password exists only as a thought. As long as your device, the remote server, and the infrastructure between them are not compromised, you can be fairly confident that your password is known to no one but you. Conversely, there is no such thing as a private fingerprint, as demonstrated by Jan Krissler in 2014, who was able to use close-range photos of German defence minister Ursula von der Leyen to reconstruct her fingerprint. Fingerprints cannot be revoked, and neither can retinas or the shape of your skull.
There are some measures that have been suggested to mitigate these risks. A well-designed biometric system would not store actual biometric data in its database – thereby removing the risk that a high-profile hack would leak the private biometric information of thousands of users. Instead, an algorithm could be employed that would convert biometric data into a one-way hash stored on the system, in much the same way that passwords are stored in a hashed form. The process of authentication would only require the device to generate a hash from the fingerprint entered and compare that against the hash stored on file. This also adds the possibility of some measure of revocability – if a database is compromised, you could potentially generate new keys from the same biometric data.
Even if the data stored is a representation of the biometric information rather than the fingerprint or the retinal scan itself, the fact remains that any attacker who obtains a print or a high-resolution photograph has effectively obtained your password. If biometrics are to replace passwords, we can no longer rely on the crutch of the “trusted device” – the assumption that requiring both biometric data and the physical device it is associated with is “good enough”.
In order for biometric systems to replace passwords, they would need to be used in public, untrusted devices such as ATMs and self-service tills. The “trusted device” model is still based on the idea of biometrics as identification, but verification is what is called for in this case. Creating synthetic objects to fool sensors from a victim’s biometric data has been shown to be possible and even easy in some cases – requiring as little as some dental mould, or a piece of tape and some gelatine. And if, for example, Gmail were to adopt biometric verification, would they allow third-party scanners to be used?
If the biometric sensor is effectively a desktop peripheral, it makes it much easier for reverse engineers to figure out how to generate and send arbitrary biometrics over the wire. This, in turn, makes it easier to “spoof” a fingerprint.
More elaborate forms of biometry such as subsurface scanning or gait recognition aim to circumvent some of these problems simply by increasing the sophistication of the systems to an acceptable level of risk – effectively, by selecting signifiers which are obscure and difficult to fake. However, these measures often steeply increase the cost and reduce the scalability of biometric verification, and they do not address the problem of irrevocable credentials. And when it comes down to it, these systems are a case of security through obscurity; as the use of biometrics scales up, their efficacy will decrease.
Finally, there’s one last point to consider: so far we’ve discussed the feasibility of biometric authentication when all goes well, that is, in a vacuum. We all know that passwords should be salted and hashed – but even large companies like Adobe have been caught storing passwords encrypted with reversible ciphers, or even in plain text. By the same token, even if a fingerprint sensor is designed to capture fingerprints ephemerally and then convert them into an irreversible hash, the fact remains that a fingerprint sensor is not so different from a camera.
Just as WhatsApp’s encryption can be subverted by compromising the phone, any attacker or malware that can hijack this camera can make a copy of the user’s actual biometric information as it is read by the sensor. And, as we have established, the impact of this information being leaked is far greater than that of a breached password.
Are the field of biometrics and the advancements being made in it exciting and revolutionary? Absolutely. As they become more sophisticated, it’s likely that these solutions will continue to improve the field of biometric identification and surveillance, in particular. That said, are biometrics poised to replace the common password in the immediate future? It’s possible, but unlikely. Biometrics has a number of hurdles to overcome before it can be reliably used where passwords are applied today.
There are options – such as distorting biometric data in a non-reversible, reproducible way that can be revoked and altered in the case of a data breach – but how feasible this is has yet to be tested thoroughly.
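The revocable, non-reversible transform sketched above, and the hashed biometric template suggested earlier in the article, cannot be a plain password hash, because two readings of the same finger never match bit for bit. The following is an added example, not code from the original article, of one way that gap is bridged: a fuzzy commitment (Juels and Wattenberg, 1999), in which a random key is error-correction-encoded, XORed with the quantised biometric, and only the key’s hash is stored. The biometric bitstrings, the repetition code and the key length are all constructed toy stand-ins, far simpler and shorter than a real template-protection scheme would use.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example. KEY_BITS is far too short for
# real use: anyone holding the template could brute-force H(k), and k exposes w.
KEY_BITS = 32                     # random secret committed to the template
REPEAT = 5                        # repetition code: each key bit stored 5 times
FEATURE_BITS = KEY_BITS * REPEAT  # length of the quantised biometric bitstring w

def ecc_encode(key_bits):
    """Repetition code: expand each key bit into REPEAT copies."""
    return [b for b in key_bits for _ in range(REPEAT)]

def ecc_decode(codeword):
    """Majority vote per block; corrects up to (REPEAT - 1) // 2 flips per block."""
    return [int(2 * sum(codeword[i:i + REPEAT]) > REPEAT)
            for i in range(0, len(codeword), REPEAT)]

def enroll(feature_bits):
    """Return a template (H(k), c) for a biometric bitstring w.

    c = ECC(k) XOR w hides w behind a fresh random key k, and only the hash of
    k is stored. Re-enrolling the same w draws a new k, so a leaked template can
    be revoked and replaced without changing the underlying biometric.
    """
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    helper = [a ^ b for a, b in zip(ecc_encode(key), feature_bits)]
    return hashlib.sha256(bytes(key)).hexdigest(), helper

def verify(template, feature_bits):
    """Unlock k with a fresh reading w' and compare H(k') to the stored H(k)."""
    digest, helper = template
    key = ecc_decode([a ^ b for a, b in zip(helper, feature_bits)])
    return hashlib.sha256(bytes(key)).hexdigest() == digest

def flip_bits(bits, positions):
    """Simulate sensor noise by flipping the given bit positions of a reading."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

# Constructed sample readings, not real biometric data.
ENROLLED = [(i + 1) % 2 for i in range(FEATURE_BITS)]
NOISY = flip_bits(ENROLLED, {2, 17, 44, 61, 78, 103, 150})   # one flip in each of 7 blocks
TOO_NOISY = flip_bits(ENROLLED, {0, 1, 2})                    # three flips in one block
IMPOSTOR = [(i * 5 + 1) % 3 % 2 for i in range(FEATURE_BITS)]  # about half the bits differ
```

The tolerance is per code block, so a handful of scattered flips still authenticates while three flips in one block, or a different finger, do not. As the article notes, this protects the stored template, not the reading itself, which remains exposed to anything that can observe the sensor.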
The hype that surrounds biometry tends to paint it as a magic bullet that will sweep away the myriad problems that afflict password-authenticated systems. But until these obstacles are resolved satisfactorily, biometrics will remain a high-tech feature that can offer convenience to users – but can only provide security that is just “good enough”.