“Logins are becoming more secure thanks to selfies, fingerprints and other biometric sensing.” This is what many people apparently believe or are led to believe. Let us analyze how certain we can be.
Blind Spot in Our Mind & Eye-Opening Experience
Let us imagine that we are watching two models of smart phones – Model A with Pincode and Model B with Pincode and Fingerprint Scan. Which of the two models do you think is securer?
- When you hear that Model A is protected by Pincode while Model B is protected by both Pincode and Fingerprints
- When you hear that Model A can be unlocked by Pincode while Model B can be unlocked by both Pincode and Fingerprints
- When you hear that Model A can be attacked only by Pincode while Model B can be attacked by both Pincode and Fingerprints
Is your observation the same for all the 3 situations?
Now let us imagine that there are two houses – (1) with one entrance and (2) with two entrances placed in parallel. Which house is safer against burglars?
Every one of us will agree that the answer is plainly
(1). Nobody would dare to allege that
(2) is safer because it is protected by two entrances.
Similarly, the login by a Pincode/password alone is securer than the login by a biometric sensor backed up by a fallback Pincode/password.
Both of the two or Either of the two?
Biometric products could help for better cyber security ONLY WHEN it is operated together with a password by AND/Conjunction (we need to go through both of the biometrics and the password), NOT WHEN operated with a password by OR /Disjunction (we need only to go through either of the two) as in the cases of the abovementioned house with two entrances and most of the biometric products on the market.
Biometrics and passwords operated together by OR/Disjunction only increase the convenience by bringing down the security. Mixing up the case of OR/Disjunction with that of AND/Conjunction, we would be trapped in a false sense of security (We wrongly feel safer when we are actually less safe)( *).
Two factor authentication or “below-one” factor authentication?
Biometric products operated together with a fallback password, which can be compared to a house with two entrances placed in parallel (not in tandem), may be defined as a “below-one” factor authentication because they offer the level of security lower than a password-only one factor authentication.
There is nothing wrong in saying that a house with two entrances is more convenient than a house with one entrance. But alleging “A house with two entrances is safer against burglars than a house with one entrance” would be just silly.
Similarly, there is nothing wrong with a biometric product operated with a fallback password when the product is offered as a tool for increasing convenience. However, it would not be just silly but unethical and antisocial to make, sell and recommend those products as a tool for increasing security and spread a false sense of improved security.
This misconception is sadly supported and spread d by a number of big businesses, leading financial institutions and government agencies as well as not a few security professionals and globally known media. They are misled and in turn misleading, with the chains of vicious cycles growing exponentially.
This is not an issue of the relative comparison between “good” and “better”, but the absolute judgment of “harmful” against “harmless”. Something must be done before such critical sectors as medicine, defense and law enforcement get contaminated in a horrible way.
More about “OR/Disjunction”
Biometric sensors and monitors, whether static, behavioral or electromagnetic, can theoretically be operated together with passwords in two ways, (1) by AND/Conjunction or (2) by OR/Disjunction. The cases of (1) are hardly known in the real world because the falsely rejected users would have to give up the access altogether even when they are able to feed their passwords.
Most of the biometric products are operated by (2) so that the falsely rejected users can unlock the devices by registered passwords. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). With (x) and (y) being between 0 and 1, the sum (x + y – xy) is necessarily larger than the vulnerability of a password (y), i.e., the devices with biometric sensors and fallback passwords are less secure than the devices protected by a password-only authentication.
Incidentally some people argue that the presence of a backdoor would not make a problem if it is stronger than the front door. Let us think of a very weak fallback password (Y1) and a very strong fallback password (Y2). We will then get to (x + y1- xy1) > (y1) and (x + y2 – xy2) > (y2), which means that we are safer when we use only the weak password than when we use the biometrics with the weak fallback password, and that we are also safer when we use only the strong password than when we use the biometrics with the strong fallback password.
We could consider the comparison between (x + y2 – xy2) and (y1) but it could lead us nowhere. Whoever can manage a strong password Y2 together with biometrics must be able to manage Y2 on its own. Then, again, we are safer when we use only the strong password Y2. Moreover, rarely used/recalled passwords tend to be very weak, i.e., what we actually get would be (x + y1 – xy1) >>> (y2).
As such it is not possible to count a case that the biometrics used together with a fallback password is stronger than a password used on its own.
By the way, it would be fruitless to spend time for comparing the strength of biometrics used on its own with that of passwords used on its own. There are no objective data on the vulnerability of biometric products (not just false acceptance rate when false rejection is sufficiently low but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that the entropy may be as low as 10 bits or as high as 100 bits but also that it can be stolen and leaked.)
Backdoor to Smartphone
It appears that something crucial is overlooked in the heated debates about the backdoor on smartphones, which is the focus point of the recent events with Apple and the FBI that have drawn a lot of attention worldwide.
I would like to point out that there already exists a backdoor on many of the latest smartphones, namely, a fingerprint scanner or a set of camera and software for capturing faces, irises and other body features which are easily collected from the unyielding, sleeping, unconscious and dead people.
In Conclusion
As stated above, the authentication by biometrics in cyber space comes with poorer security than Pincode/password-only authentication in most cases. A false sense of security is often worse than the lack of security. I would like to put forward the suggestions.
- The vendors of those smart devices, who are conscious of privacy and security of consumers, could tell the consumers not to turn on the biometric functions.
- Consumers, who are concerned about their privacy and security, could refrain from activating the biometric backdoors.
- The deployment of biometric solutions could instead be recommended where consumers can accept “below-one” factor authentication in return for better convenience as the case may be.
Appendix: Statistics on Rampant False Sense of Security
Quoted below is the outcome of a brief survey on the perception of identity verification.
Two university researchers in Japan carried out a brief survey in November 2014 about how the security of (1) PKI, (2) fingerprint scan and (3) onetime password are perceived by 49 university students in science and technology sectors. Below is the result. (In the brackets are the numbers of students who are learning information security.)
(1.) Do you know PKI? Yes:34 (31), No:15 (0)
(To those who answered Yes) Do you think that a PKI-loaded IC card provides higher security than a password? Yes:12 (12), No:1 (1), No change:4 (4), Do not know:12 (9), Depends:4 (4), No Answer:1 (1)
(2) Do you know of the fingerprint scanners loaded on smart devices? Yes:44 (28), No:5 (3)
(To those who answered Yes) Do you think that a fingerprint scan provides higher security than a password? Yes:16 (11), No:7 (5), No change:4 (2), Do not know:12 (8), Depends:5 (2)
(3) Do you know OTP (onetime password)? Yes:39 (30), No:10 (1)
(To those who answered Yes) Do you think that a onetime password provides higher security than a remembered password? Yes:17 (5), No:1 (1), No change:3 (2), Do not know:10 (8), Depends:7 (6), No Answer:1 (1)
The answers we expected were either “Do not know” or “Depends” for all the 3 questions, preferably followed by “because there are no objective data that enable us to directly compare the security of PKI/OTP/Finger-Scan operated on its own and that of the password operated on its own. And, PKI/OTP/Finger-Scan operated with a password by AND/Conjunction (we need to go through both the former and the latter) is securer than the same password alone, but PKI/OTP/Finger-Scan operated together with a password by OR/Disjunction (we need only to go through either the former or the latter) is less secure than the same password alone.”
That many students gave (Yes) to (1) and (3) is somehow understandable because PKI and OTP are generally operated with a password by AND/Conjunction. But it is very worrying that so many students learning information security (11 out of 28) gave (Yes) to (2). For Apple’s Touch ID and most other finger-scanners on the market are operated together with a backup/fallback password by OR/Disjunction in case of the false rejection.
This survey is not large enough to extract a decisive conclusion, but we could well imagine that this chilling false sense of security is even more rampant among the people who have not learnt or are not learning information security as a major subject. I am very interested to know how things are like in other countries. Readers’ feedback would be very much appreciated.
[su_box title=”About Hitoshi Kokumai” style=”noise” box_color=”#336588″][short_info id=’67979′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.