Friday, February 15, 2013

Coopetition: Biometrics and Passwords

Startup Prepares Alternative to Online, Mobile Banking Passwords (American Banker)
As banks struggle to move past passwords, a Silicon Valley startup is taking a stab at a fingerprint and facial recognition standard backed by some heavy hitters — PayPal and Lenovo among them.
Despite hopeful initiatives, demise of passwords years away (CSO)
Security pros have been saying for years that password protection is not enough. And this week, two groups -- one private, one public -- announced initiatives to create more secure ways to authenticate identities online.

Several security experts, who would love to see passwords retired, said they will be watching those initiatives with interest, but don't expect mainstream change for at least the next several years.
Passwords are the ID management security method everyone loves to hate. So why are they still everywhere? Why is their number growing without signs of slowing?

In their paper, A Research Agenda Acknowledging the Persistence of Passwords, Cormac Herley and Paul C. van Oorschot tell us why.
Passwords, though unloved, deserve some words of praise. They have brought us this far: they are the means by which two billion Internet users access email, banking, social networking and other services. They are essentially free from the service provider viewpoint, and are readily understood by users. They allow instantaneous account setup. Revocation is as simple as changing the password. Those who forget their passwords can be emailed either reset links or the passwords themselves (this practice, though insecure, is common for low-value sites). All of this is automated and instantaneous. They allow access to one’s accounts from anywhere in the world assuming nothing more than a simple browser. Sophisticated users can protect themselves from many of the threats.
The part about them being essentially free requires qualification (which the authors offer), but that's a pretty impressive list.

So it's a good thing for us in the biometrics business that biometrics don't need to supplant the password altogether. For the moment, biometrics can't compete on cost to root passwords out everywhere. But I'd like to discuss two instances (there are more) where biometrics can and should be used to limit the risks organizations expose themselves to by over-reliance upon passwords.

Databases of customer information should be biometrically protected. 
From an organizational point of view, for many service providers, allowing customers and users to protect their individual accounts with passwords exposes the organization as a whole to minimal risk. Some relatively predictable number of users who use passwords will choose poor passwords, and some will become victims of phishing scams. If the costs of sorting these cases out are less than the costs associated with burdening all users with more onerous security protocols, then the password is the appropriate solution. But at some point, all databases of user/customer information should be protected with biometric access control methods because, while having occasional users pick weak passwords or get tricked into giving them away is one thing, hackers making off with the entire database of user/password information is something else altogether. Requiring biometric verification of all human database administrator logins would go a long way to lowering the biggest risk of passwords: their wholesale theft. In many ways the admin level is the perfect point to introduce these more rigorous security protocols. There aren't (or shouldn't be) too many admins, so the inconvenience falls on as few individuals as possible. Admins are tech savvy, so they should be able to adapt to the new security environment quickly. They should have an understanding of why the extra step is worth the effort. It's their responsibility to keep the keys of the kingdom. Perhaps most compelling, they're the ones on the hot seat when the CEO is out apologizing to all and sundry following a data breach.

Biometrics can also be used to overcome some of the limitations of passwords in more mundane password use models.
Biometrics can facilitate the use of more complex passwords that change more frequently and hence are more secure. [See the laptop fingerprint sensor (i.e. biometrics to control a password management application).]

In higher value authentications, biometrics can also be used as a way to return the password to the simplicity of the PIN. For example: a fingerprint scan associated with a weak password such as a 4 digit PIN provides far stronger authentication than any password a human could be expected to type*. In other words, biometrics can be combined with rudimentary passwords to bring an end to the "password arms race" where the main coping strategy has been longer, more complex and more frequently changing passwords — i.e. the real reasons people tire of the humble workhorse of the ID game. So instead of replacing the password, biometrics might one day be used as a way to salvage what makes it great while minimizing the frustrations associated with over-reliance upon it.
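To make the combined model concrete, here is an added illustration (my own sketch, not code from the post or from the paper it quotes) of a verifier that requires a PIN and a fingerprint match on the same attempt, plus a function that estimates an online guesser's odds under a lockout budget. The PIN length, lockout limit, match threshold and false-accept rate are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional
# Constructed parameters, not taken from the post: a 4-digit PIN and a fingerprint
# matcher assumed to have a false-accept rate (FAR) of 1 in 50,000 at the threshold.
PIN_SPACE = 10 ** 4
ASSUMED_FAR = 1 / 50_000
MATCH_THRESHOLD = 0.90
MAX_FAILURES = 5          # failed online attempts before the account locks
PBKDF2_ROUNDS = 100_000

@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failures: int = 0

def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

def enroll(pin: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pin_hash=_hash_pin(pin, salt))

def verify(acct: Account, pin: str, match_score: float) -> bool:
    """Both factors must pass on the same attempt: the PIN and a fingerprint
    match score (supplied by the sensor's matcher, which is out of scope here)."""
    if acct.failures >= MAX_FAILURES:
        return False                      # locked: no further guesses accepted
    pin_ok = hmac.compare_digest(acct.pin_hash, _hash_pin(pin, acct.salt))
    bio_ok = match_score >= MATCH_THRESHOLD
    # Check both before deciding so a rejection does not reveal which factor failed.
    if pin_ok and bio_ok:
        acct.failures = 0
        return True
    acct.failures += 1
    return False

def online_guess_success(attempts: int, pin_space: Optional[int], far: Optional[float]) -> float:
    """Chance an online guesser succeeds within `attempts` tries when every
    try must pass each enabled factor (factors modelled as independent)."""
    per_try = 1.0
    if pin_space is not None:
        per_try /= pin_space
    if far is not None:
        per_try *= far
    return 1 - (1 - per_try) ** attempts
```

Under these assumptions, five guesses against the PIN alone succeed with probability of roughly 5e-4, and against PIN plus fingerprint roughly 1e-8; the stolen PIN hash table on its own still yields nothing usable without the live second factor.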

*This type of model also has virtues regarding the irrevocability of biometric identifiers, a discussion of which is beyond the scope of this post.