
Why Biometrics Will Not Replace Passwords

Biometric authentication has a lot of appeal; the idea of not having to remember passwords or PIN numbers and not having to use a physical key fob or smart token sounds great. However, everyone seems to overlook a major problem with biometrics.

Suppose you have a network system with a large user base, and that network uses biometric authentication only. In the computer world everything is represented in bits and bytes, so your fingerprint or retina scan becomes a series of bits and bytes just like a password or a picture. Suppose that, due to phishing, malware, a virus, etc., the biometric byte pattern is acquired by a hacker (or maybe just a teenage script-kiddie at Starbucks running something like Firesheep). Now the hacker can submit the same byte pattern as if they were the real physical person and gain access to data. How do you stop this attack? Have everyone re-register with toe prints? The problem would warrant a change to the algorithm used to encode the biometrics into bits and bytes. Since the encoding algorithm changes, everyone has to securely “enroll” their biometric information again. Such a change would be a large undertaking and could not be done quickly, leaving the network susceptible to another attack in the meantime. Maybe PKI could make it easier, but it would still require pretty major changes to the system.

Suppose it is a decade into the future and all internet systems use biometrics for end-user login. Now imagine there is a security compromise at LinkedIn or another major vendor and all of the “biometric patterns” used for authentication have been acquired by an outside party, a hacker or group of hackers. How does LinkedIn handle this? They cannot tell you to change your fingerprint, so the only choice is to change the encoding mechanism so the biometrics are encoded as a different pattern. Now everyone has to re-enroll, or maybe for a while run dual authentication systems and get a login like this:

[Image: hacked biometric login]

Passwords can change instantly and biometrics cannot. In a perfect world with no security compromises biometrics would be great but in the real world passwords will be needed for a long time.
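As an added illustration of this argument (not part of the original post), the toy Python model below stands in for a login server: a password the user can change sits beside a biometric template the user cannot change, a captured byte pattern is replayed as-is, and the server then pays the only available remedy, a new encoding for everyone. The HMAC-based "scanner encoding", its keys and the enrolled user base are constructed assumptions standing in for the post's encoding algorithm.

```python
import hashlib
import hmac
import os

ENCODING_V1 = b"encoding-key-v1"  # constructed: key baked into the v1 scanner firmware
ENCODING_V2 = b"encoding-key-v2"  # constructed: key shipped with the re-encoding rollout

def scanner_encode(raw_biometric: bytes, encoding_key: bytes) -> bytes:
    """Client side: turn the physical scan into the byte pattern sent at login."""
    return hmac.new(encoding_key, raw_biometric, "sha256").digest()

class AuthServer:
    def __init__(self, encoding_key: bytes):
        self.passwords = {}   # user -> (salt, pbkdf2 hash); the secret is the user's to change
        self.templates = {}   # user -> enrolled byte pattern; the secret is fixed for life
        self.encoding_key = encoding_key
    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.passwords[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000))
    def check_password(self, user: str, password: str) -> bool:
        salt, stored = self.passwords[user]
        return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000))
    def enroll(self, user: str, raw_biometric: bytes) -> None:
        self.templates[user] = scanner_encode(raw_biometric, self.encoding_key)
    def check_biometric(self, user: str, pattern: bytes) -> bool:
        # A login is just a byte-for-byte match against the enrolled pattern.
        return hmac.compare_digest(self.templates.get(user, b""), pattern)
    def rotate_encoding(self, new_key: bytes) -> int:
        """Switch encodings; every enrolled template is now useless. Returns how many users must re-enroll."""
        self.encoding_key = new_key
        invalidated = len(self.templates)
        self.templates.clear()
        return invalidated

def simulate(user_count: int = 1000) -> dict:
    server = AuthServer(ENCODING_V1)
    prints = {f"user{i}": os.urandom(64) for i in range(user_count)}  # constructed "fingerprints"
    for user, raw in prints.items():
        server.enroll(user, raw)
    server.set_password("user0", "correct horse")
    stolen_password = "correct horse"                              # phished
    stolen_pattern = scanner_encode(prints["user0"], ENCODING_V1)  # captured pattern, replayed as-is
    r = {"pw_replay_before_change": server.check_password("user0", stolen_password)}
    server.set_password("user0", "new passphrase")                 # fixed by the user in seconds
    r["pw_replay_after_change"] = server.check_password("user0", stolen_password)
    r["bio_replay"] = server.check_biometric("user0", stolen_pattern)
    r["users_to_reenroll"] = server.rotate_encoding(ENCODING_V2)   # no fingerprint change possible
    r["bio_replay_after_rotation"] = server.check_biometric("user0", stolen_pattern)
    r["legit_login_until_reenrolled"] = server.check_biometric("user0", scanner_encode(prints["user0"], ENCODING_V2))
    server.enroll("user0", prints["user0"])
    r["legit_login_after_reenroll"] = server.check_biometric("user0", scanner_encode(prints["user0"], ENCODING_V2))
    return r
```

The result dictionary shows the asymmetry directly: the stolen password stops working the moment the user changes it, while the stolen pattern keeps working until the encoding is rotated, at which point every enrolled user is locked out until they re-enroll.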



About Gregg

I have over a decade of experience teaching Windows, Cisco and security technologies to IT professionals worldwide. I have taught classes in Hong Kong and created classes for the United Nations. Once upon a time I wrote a book on Windows Domain Architecture for McMillan and I penned a couple of articles for Windows IT Pro magazine. In a former life I worked with technologies ranging from ASIC circuit design to robotics to industrial controls and Allen Bradley PLCs. On the IT consulting side I have implemented technologies like Cisco VOIP, IDS and Unix CAD/CAM systems. I have designed Windows domains, created highly optimized database servers and terminated fiber optics. Many years ago I wrote one of the first products to detect missing patches on Windows systems, and eventually the code became St. Bernard's Update Expert.
