Saturday, November 19, 2011

Biometrics, Passwords & the Illinois Water Plant Hack Attack

Foreign hackers targeted U.S. water plant in apparent malicious cyber attack, expert says (Washington Post)
The Illinois report said that hackers broke into a software company’s database and retrieved user names and passwords of control systems that run water plant computer equipment. Using that data, they were able to hack into the plant in Illinois, Weiss said.
Stuxnet was used to attack the centrifuges used by Iran to enrich uranium, and it was most certainly far more than a Username/Password job. This attack, however (if confirmed as an attack), is "Stuxnet-like" in that the attackers caused physical damage to machinery using only ones and zeros and the internet.

This is a big deal. Biometrics can help.

In networked biometric identity management solutions, the biometric sensor hardware is a part of the security. In a Username/Password regime, the hardware used, the keyboard, offers no additional security. A hacker gains access to the network using a keyboard to fill in the proper fields and she's in. If she steals a biometric or unencrypted biometric template (a long character string), she can't just type it in even if she finds the place in the programming that handles the template. In some ways the template is like a password that must come through the proper sensor.
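One way the "template must come through the proper sensor" property can be enforced, shown as an added example that is not from the original post: the server accepts a template only when it arrives with a MAC computed by an enrolled sensor's key over a fresh server nonce. The sensor ID, user name, key provisioning, function names, and the exact-match template comparison are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a per-sensor key provisioned at enrollment and a
# stored template. Real matchers compare templates fuzzily; the exact
# comparison used here is a simplification.
SENSOR_KEYS = {"sensor-01": secrets.token_bytes(32)}
ENROLLED = {"operator7": b"constructed-template-bytes"}


class Verifier:
    """Server side: accepts a template only via an enrolled sensor."""

    def __init__(self):
        self._nonces = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._nonces.add(nonce)
        return nonce

    def verify(self, user, sensor_id, nonce, template, tag) -> bool:
        # Each nonce is single-use, so a captured response cannot be replayed.
        if nonce not in self._nonces:
            return False
        self._nonces.discard(nonce)
        key = SENSOR_KEYS.get(sensor_id)
        stored = ENROLLED.get(user)
        if key is None or stored is None:
            return False
        expected = hmac.new(key, nonce + template, hashlib.sha256).digest()
        # Both must hold: the tag proves the sensor produced this submission,
        # and the template must match the enrolled one.
        return (hmac.compare_digest(tag, expected)
                and hmac.compare_digest(template, stored))


def sensor_respond(sensor_id: str, nonce: bytes, template: bytes) -> bytes:
    """Sensor side: MAC the fresh nonce together with the captured template."""
    key = SENSOR_KEYS[sensor_id]
    return hmac.new(key, nonce + template, hashlib.sha256).digest()
```

The binding is only as strong as the protection of the sensor key: a key extracted from the device lets the holder of a stolen template produce valid tags.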

In our water plant example, requiring biometric authentication to authorize turning the pump off and on would have dramatically increased the difficulty of the hack.

But even in a world saturated with biometric ID management applications, Username/Password verification will still be around. For one thing, people aren't the only things that claim an identity before accessing IT systems — computers do it, too, and they don't have biometrics. It's also a cheap, well-understood, flexible technology that supports certain access control models that biometrics does not.

The challenge that system designers now face is to identify where using Username/Password is too dangerous, and where biometrics can be used to reduce risk to an acceptable level. This requires identifying everything currently authenticated with a Username/Password and determining which of these things are more efficiently protected using biometric authentication, then implementing the change. This is far easier said than done.

Requiring biometrics for access to stored usernames and passwords would be a good start, though.