Biometrics no password replacement
Emmanuel Schalit says biometrics have issues that are often overlooked in the discussion about improved authentication
Hackers from the Chaos Computer Club have just managed to reproduce fingerprints of the German defence minister from high-resolution public photos and they know how to use them on consumer phones' biometric sensors. Let's step back and think about what this means for online authentication.
There are traditionally three classes of authentication factor: something you know (passwords, PINs or secret questions); something you have (tokens, cards); and something you are, an inherent physical characteristic (an iris pattern or fingerprints).
Enterprise or government systems that hold highly sensitive information often require two or three factors drawn from different classes (multi-factor authentication). For convenience, most consumer websites rely on a single factor: a username and password.
Biometrics' main advantage is that they can serve both identification (working out who you are from among many people) and authentication (confirming that you are who you claim to be). On paper, biometrics are a great way to prevent identity theft and various kinds of fraud.
One can steal my credit card number or my passwords but not my fingerprints – or at least that was the theory until now. Last week's news shows that things are not that simple.
Biometric authentication can be hacked, as can any other form of authentication. Unlike passwords, biometric data that has been stolen cannot be changed: you cannot replace your stolen fingerprints with a new set.
Even worse, if all your accounts were protected by the same stolen biometric information, they would all become vulnerable at once. Biometric authentication has other major limitations: it cannot be shared and it cannot be made anonymous, yet sharing login details, or using them anonymously, is something a growing number of internet users do.
Biometric methods make sense as an additional authentication factor but, as we are starting to see, they also have issues that make them an unlikely successor to passwords.
Passwords can be stolen, but if you use a unique password for each website, the damage does not spread to other sites, whereas your biometric data is by definition the same everywhere.
Passwords can be shared, which is a necessity within groups of people such as families and work teams. Think about the Netflix account at home or the corporate Twitter account in a company. You cannot share your fingers or your eyes with someone else.
They preserve a kind of anonymity, a key attribute of the internet. Think about Twitter without anonymity.
Of course, a human can no longer perform all the tasks related to safe password management: random generation, encrypted storage, memorisation, or regular changing of passwords. We just have too many accounts and too many devices for that.
That's why more internet users are relying on dedicated tools, such as password managers, to do this for them.
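As an added illustration (not the author's or Dashlane's code), here is the mechanism such a tool automates for the tasks listed above: a fresh random password for every site, drawn from the operating system's random source, and a vault that is encrypted at rest under a key derived from one master password. The function names, the sample sites and the 20-character length are assumptions made for the example. The key derivation is PBKDF2-HMAC-SHA256 written out inline so that the program needs only the Go standard library; a production manager would prefer a memory-hard function such as Argon2id or scrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"math/big"
)

const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}:,.?" // illustrative
const kdfIterations = 600000 // OWASP figure for PBKDF2-HMAC-SHA256

func randomBytes(n int) []byte { // panics on failure: without the OS CSPRNG there is no safe fallback
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func GeneratePassword(length int) string { // rand.Int samples uniformly: no modulo bias
	out := make([]byte, length)
	n := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			panic(err)
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out)
}

// NewVault gives every site an independent password, so one breach reveals nothing about the others.
func NewVault(sites []string, length int) map[string]string {
	entries := make(map[string]string, len(sites))
	for _, site := range sites {
		entries[site] = GeneratePassword(length)
	}
	return entries
}

// pbkdf2SHA256: PBKDF2-HMAC-SHA256 (RFC 8018), one 32-byte block T_1 = U_1 ^ ... ^ U_c.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // U_1 = PRF(P, S || INT(1)), big-endian block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u) // U_j = PRF(P, U_{j-1})
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

type SealedVault struct{ Salt, Nonce, Ciphertext []byte } // on-disk form: nothing here is secret on its own

func aeadFor(master string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, kdfIterations)) // 32-byte key: AES-256
	gcm, _ := cipher.NewGCM(block) // both constructors error only on bad sizes, impossible here
	return gcm
}

// SealVault: AES-256-GCM under a key derived from the master password and a fresh salt,
// with the salt as associated data so it is authenticated together with the ciphertext.
func SealVault(master string, entries map[string]string) *SealedVault {
	plaintext, _ := json.Marshal(entries) // map[string]string always marshals
	salt := randomBytes(16)
	gcm := aeadFor(master, salt)
	nonce := randomBytes(gcm.NonceSize())
	return &SealedVault{salt, nonce, gcm.Seal(nil, nonce, plaintext, salt)}
}

// OpenVault fails closed: a wrong master password or any tampering is an error, never garbled data.
func OpenVault(master string, v *SealedVault) (map[string]string, error) {
	plaintext, err := aeadFor(master, v.Salt).Open(nil, v.Nonce, v.Ciphertext, v.Salt)
	if err != nil {
		return nil, fmt.Errorf("wrong master password or tampered vault: %w", err)
	}
	var entries map[string]string
	err = json.Unmarshal(plaintext, &entries)
	return entries, err
}

func main() {
	entries := NewVault([]string{"netflix.example", "twitter.example", "bank.example"}, 20) // constructed sample
	opened, err := OpenVault("correct horse battery staple", SealVault("correct horse battery staple", entries))
	fmt.Println(opened, err)
}
```

Two design points matter here. Each site's password is generated independently rather than derived from the master secret, so a breach at one site yields nothing that helps against another, which is exactly the property a single fingerprint can never have. And the vault is an authenticated encryption: the wrong master password, or a modified vault file, is rejected outright instead of decrypting to garbage, so a stolen vault is only as weak as the master password and the work factor of the key derivation.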
Some see passwords as a temporary system that will be replaced by a more sophisticated authentication system soon. That may be true, but by the time we get there we will all have been hacked many times over.
Emmanuel Schalit is chief executive of Dashlane