Last week, hackers from the Chaos Computer Club managed to reproduce the German defense minister's fingerprint from public high-definition photos. Given that they had previously shown they could use such reconstructed fingerprints on the sensors of consumer mobile phones, let's take a step back and analyze what this means for the future of online authentication.
Traditionally, there are three types of factors that can be used to authenticate an individual: what they know (password, PIN code, secret question...), what they possess (tokens, cards...), and what they are (iris signature, fingerprint...).
Highly sensitive IT systems of governments or large enterprises often use strong, multi-factor authentication processes that combine two or three of the factor types above. Consumer websites, on the other hand, use simple authentication systems based on a user ID and a password known only to the user. For practical reasons, consumers are not prepared to use multi-factor systems on the dozens of websites they use regularly.
What are the advantages and disadvantages of biometrics for online consumer authentication?
The strength of biometrics is that it solves both the problem of identification (determining an individual's identity) and that of authentication (confirming his or her right to access content or a service). On paper it is a good tool to prevent identity theft and many kinds of fraud. You can steal my credit card or my passwords, but you can't steal my fingerprint... That's what we thought until now. The fingerprint reconstruction performed by hackers last week shatters that belief.
Now we know that biometric authentication can be hacked like any other form of authentication. And then a big disadvantage appears: unlike passwords, biometric data cannot be changed after a compromise. If your fingerprints are stolen, you cannot replace them with new ones. And if all your accounts are protected by the same biometric information, they may all become vulnerable at the same time. There are other limitations to the use of biometric data: it cannot be shared and it cannot be made anonymous. Yet the sharing and anonymous use of identifiers is becoming more and more common on the web.
Biometrics is relevant as an additional factor in multi-factor authentication, but it is unlikely to succeed the password as the standard for all sites, contrary to what we are led to believe.
Used correctly (a strong and unique password for each website), passwords have real advantages:
- A password can be stolen, but if you use a unique password for each site, your other accounts are not compromised by the theft. It's different with biometric data, which is by definition the same everywhere.
- A password can be shared, which is necessary both at home and at work. Netflix accounts at home or corporate Twitter accounts, for example, are usually accessible via a single account with shared credentials.
- The password preserves anonymity, which is very important for Internet users. What would Twitter be without the ability to create anonymous accounts?
Given our increasing use of the Internet, our brains can no longer perform all the tasks necessary to properly manage passwords on their own: random generation, storage in encrypted form, memorization, changing passwords. We have too many accounts and too many devices for that. This is why more and more Internet users are relying on a password manager to make sure they follow the basic rules of proper password use.
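To make the two points above concrete, here is a small added example (not part of the original article, and not Dashlane's code) that models the "random generation" task of a password manager with a cryptographic random source and then simulates a breach at one site: a vault with a unique credential per site loses one account, while a vault where every site holds the same static credential (the situation of a fingerprint, which is the same everywhere) loses all of them. Site names and the 20-character default length are constructed sample values.

```python
import math
import secrets
import string

# Character set for generated passwords: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Draw a password uniformly at random from ALPHABET using the OS CSPRNG
    (the 'random generation' task the text hands over to a password manager)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of the given length:
    log2(alphabet_size ** length), i.e. length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def build_vault(sites, reuse: bool = False) -> dict:
    """Map each site to a credential.

    reuse=False: a fresh random password per site (good password hygiene).
    reuse=True:  one static secret shared by every site, which also models a
                 biometric identifier that is identical everywhere and cannot be rotated.
    """
    shared = generate_password()
    return {site: (shared if reuse else generate_password()) for site in sites}


def compromised_accounts(vault: dict, breached_sites) -> set:
    """Return the sites whose credential matches one leaked from a breached site.

    This is the 'blast radius' of a single breach: with unique credentials it is
    just the breached sites; with a shared credential it is the whole vault.
    """
    leaked = {vault[site] for site in breached_sites if site in vault}
    return {site for site, cred in vault.items() if cred in leaked}


if __name__ == "__main__":
    sites = ["mail", "bank", "shop"]  # constructed sample sites
    print(f"{entropy_bits(20):.1f} bits of entropy for a 20-character password")
    print("unique credentials, shop breached:", compromised_accounts(build_vault(sites), ["shop"]))
    print("shared credential, shop breached: ", compromised_accounts(build_vault(sites, reuse=True), ["shop"]))
```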
Some see passwords as a temporary system that will very quickly be replaced by a highly sophisticated authentication system. This may be true one day, but in the meantime the password remains the standard, and a standard is not so easy to replace. As proof, we still use the AZERTY keyboard layout, not because the order of its letters is necessary today (it only was on ribbon typewriters), but because it has become a standard, and no innovation has managed to supplant it, either in ease of use or in ease of deployment. We'd better make sure we use our passwords properly rather than believe in a hypothetical miracle solution!
Emmanuel Schalit, CEO of Dashlane