Mobile Connect, WebAuthn or fingerprints: password-free authentication methods are in vogue, and once again the password is being declared superfluous.
As early as 2004, Bill Gates called the technology outdated, and the swan song for the password has only grown louder with recent developments. So far, however, it stoically defends its rank as the most popular guardian of our data.
Alternatives do exist, some still in development and some fully available, but they are almost always more technically demanding or take considerably more effort to set up securely. The last few years have brought many new solutions in biometric authentication. A once exotic and still relatively young technology has gone mainstream, thanks mainly to newer smartphone models on which Apple, Microsoft and Samsung use fingerprint and facial recognition to identify the user.
Biometrics undoubtedly bring security benefits, but the proven password will not disappear so quickly. And there are good reasons for that.
In most cases, secure multifactor authentication does not work without a password
Modern services should support multifactor authentication for sensitive applications, combining at least two of the three commonly used factor categories:
- Something you know
- Something you have
- Something you are
The first category, still the most widely used today, covers passwords and personal identification numbers (PINs).
The second covers possession factors: hardware such as USB security keys, or tokens that generate time-based one-time passwords. Possession factors are often implemented on a general-purpose device such as a smartphone, and a purely software-based one-time password generator can be copied or cloned together with its seed, which makes it weaker than a dedicated hardware token.
Biometrics, the third category, rely on a unique physical characteristic of a person: iris, retina or fingerprint, but also the geometry of the face.
New standards such as the W3C WebAuthn specification make it easier to integrate external factors such as USB security keys or the secure enclave of a smartphone. Used on their own, however, they reduce the whole scheme to a single factor, and in practice the authenticator itself is often unlocked with a local PIN, so a knowledge factor reappears anyway. For the time being, that makes the password an indispensable component of the security mix.
Security questions are knowledge that also needs protecting
We have all set up or answered knowledge-based security questions, such as the name of a pet or a favourite artist. Although research at Google has shown that such questions are unsuitable for authenticating users or recovering accounts, many services still use them to simplify account recovery, and some even make setting security questions and answers mandatory.
To avoid answers that anyone can look up on your social media profile, it is best to use false or even randomly generated answers. Such answers are then conceptually the same thing as a password and must be protected in the same way: kept in a password manager on the user's side, and salted and hashed rather than stored in plaintext on the service's side.
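The following is an added example, not code from the original article, illustrating both points above: a minimal login check that combines "something you know" (a password, with a recovery answer stored in exactly the same way) with "something you have" (an RFC 6238 time-based one-time code). The user record, the recovery answer, the timestamps and the scrypt parameters are constructed assumptions; the TOTP seed is the published RFC 6238 test key.

```python
"""Added example, not code from the original article: a two-factor login
check combining a password (and a recovery answer stored the same way) with
an RFC 6238 TOTP code. The user record, timestamps and scrypt parameters
are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional


def hash_secret(secret: str, salt: Optional[bytes] = None) -> tuple:
    """Salt and hash a knowledge factor (password or recovery answer) with scrypt.

    A randomly generated recovery answer is a credential like any other,
    so it gets exactly the same treatment as the password: never plaintext.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_secret(secret: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so timing does not reveal a partial match."""
    _, digest = hash_secret(secret, salt)
    return hmac.compare_digest(digest, expected)


def totp(seed_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1 with dynamic truncation) over the time step."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(seed_b32: str, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step plus `window` steps either side to allow for clock skew."""
    return any(hmac.compare_digest(totp(seed_b32, at + i * step, step), code)
               for i in range(-window, window + 1))


def make_user(password: str, recovery_answer: str, totp_seed_b32: str) -> dict:
    """Build the stored record: two salted hashes plus the shared TOTP seed."""
    pw_salt, pw_hash = hash_secret(password)
    ans_salt, ans_hash = hash_secret(recovery_answer.strip().lower())
    return {"pw_salt": pw_salt, "pw_hash": pw_hash,
            "ans_salt": ans_salt, "ans_hash": ans_hash,
            "totp_seed": totp_seed_b32}


def login(user: dict, password: str, code: str, at: int) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which one was wrong."""
    pw_ok = verify_secret(password, user["pw_salt"], user["pw_hash"])
    otp_ok = verify_totp(user["totp_seed"], code, at)
    return pw_ok and otp_ok


def verify_recovery_answer(user: dict, answer: str) -> bool:
    """The recovery path is checked exactly like the password path."""
    return verify_secret(answer.strip().lower(), user["ans_salt"], user["ans_hash"])


# Constructed sample: the RFC 6238 test key "12345678901234567890", base32-encoded.
RFC6238_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    user = make_user("correct horse battery staple", "xq7-plover-91", RFC6238_SEED)
    print(totp(RFC6238_SEED, 59))                                          # 287082
    print(login(user, "correct horse battery staple", totp(RFC6238_SEED, 59), 59))  # True
```

A copied seed lets anyone produce valid codes, which is the weakness of software OTP generators mentioned above; a hardware token or WebAuthn authenticator keeps the secret inside the device. Note that the recovery answer is normalized before hashing, so the user's typing of case and whitespace does not matter, but the stored value is still a salted hash.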
You cannot change biometric data
Biometric data is without doubt a convenient alternative to passwords, but just like passwords it can be stolen. Fingerprints, for example, are left behind on everything we touch.
Last year, Japanese scientists warned that the high-resolution cameras of newer smartphones are a risk here: the researchers were able to reconstruct fingerprints from photos taken three metres from the subject.
Likewise, researchers at Michigan State University used an inkjet printer and special paper to turn high-quality fingerprint scans into printed fake fingerprints that fooled the sensors of smartphones, with equipment costing less than $500. A harmless peace sign in a photo thus becomes a potential security hole.
And biometric databases are just as attractive a target as password databases. In 2014, attackers working for the Chinese government gained access to the computer systems of the United States Office of Personnel Management (OPM) and stole sensitive personal information on government employees and contractors, including the fingerprints of 5.6 million people. Unlike a password, a fingerprint or any other biometric feature cannot be reset.
Fooling facial recognition has also become much easier in the age of Instagram and the like, where good photos of most faces are freely available. A more futuristic approach is to use changeable biometric data such as "passthoughts": you think of a particular thing or moment, and a sensor records the resulting brainwaves.
While such an elaborate system certainly has its place in highly sensitive areas, it seems oversized for access to a private e-mail account, at least in the medium term.
Biometric data is bound to devices
Our lifestyle is mobile and connected, and we access our accounts from more and more devices. A password works the same regardless of device and location, whereas biometric data is, now and for the foreseeable future, usable only through suitable hardware such as cameras or fingerprint sensors.
For example, while the latest iPhone has the most advanced facial imaging sensors and lets users unlock the device with their face alone, setting up the feature still requires a passcode, which also protects the data in the phone's internal memory. The passcode must be entered every time the phone reboots, and whenever biometric authentication fails for some reason.
That is why new identification methods like Mobile Connect do not get by without a password either. Moreover, in most modern biometric implementations the capture and matching happen locally, on the device, and the stored template can unlock only that particular device. Fortunately, there is no shared database against which biometrics are checked for centralized authentication. That rules out biometrics entirely as a replacement for the fallback password or PIN.
Biometric capture is not always neutral
The collection of biometric data is by no means as neutral as one might assume. MIT researchers found that commercial facial recognition systems are essentially tuned to white men: in their tests, around 35 percent of darker-skinned women were assigned the wrong gender. Conversely, systems developed in Asia recognize Asian faces much better than European ones.
Passwords, by contrast, are inherently neutral, and unlike your face you have control over them. In addition, not every person can use every biometric feature; a variety of circumstances can make eye-based biometrics or fingerprint capture impossible. Ultimately, only a few biometric measurements, such as DNA sequences, are truly universal.
Data cannot be encrypted using biometrics
While biometrics can act as an effective gatekeeper for sensitive data, the technology is limited: it can grant or deny access, but it cannot easily be used for other security measures such as encryption. A biometric match is a fuzzy comparison, because no two captures of the same finger or face are identical, whereas an encryption key must be reproduced bit for bit; a password can be turned into such a key with a key derivation function, a fingerprint cannot. And data that is to be truly secure must be encrypted, so passwords are sometimes the only guardians of secrets.
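As an added example (not code from the original article), the script below shows the difference in the concrete terms of key derivation: the same password always yields the same scrypt-derived key, while two slightly different captures of the "same" fingerprint are accepted by a tolerant matcher yet produce completely unrelated keys. The byte strings standing in for biometric templates, the matching threshold and the scrypt parameters are constructed assumptions.

```python
"""Added example, not code from the original article: why a password can be
turned into an encryption key and a fingerprint cannot. The "templates" are
constructed byte strings standing in for biometric data; the matching
threshold and the scrypt parameters are assumptions for illustration.
"""
import hashlib


def derive_key(secret: bytes, salt: bytes) -> bytes:
    """Password-based key derivation: the same secret and salt always give the same 256-bit key."""
    return hashlib.scrypt(secret, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    assert len(a) == len(b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def biometric_match(sample: bytes, template: bytes, threshold: int) -> bool:
    """A matcher tolerates small differences: access is a fuzzy yes/no decision."""
    return hamming(sample, template) <= threshold


def flip_bits(data: bytes, positions) -> bytes:
    """Simulate sensor noise by flipping the given bit positions."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


SALT = b"\x00" * 16   # constructed; in practice random per user and stored next to the ciphertext

# Two captures of the "same finger": the recapture differs from the enrolled template in 3 bits.
ENROLLED = bytes(range(256)) * 2             # constructed 512-byte stand-in for a template
RECAPTURE = flip_bits(ENROLLED, [5, 1000, 3001])


def password_keys_agree(password: str) -> bool:
    """Typing the same password twice yields the identical key."""
    return derive_key(password.encode("utf-8"), SALT) == derive_key(password.encode("utf-8"), SALT)


def biometric_keys_agree(threshold: int = 16) -> tuple:
    """Return (matcher accepts recapture?, derived keys identical?, bits differing between keys)."""
    k1 = derive_key(ENROLLED, SALT)
    k2 = derive_key(RECAPTURE, SALT)
    return biometric_match(RECAPTURE, ENROLLED, threshold), k1 == k2, hamming(k1, k2)


if __name__ == "__main__":
    print(password_keys_agree("correct horse battery staple"))   # True
    # Accepted as the same finger, yet the derived keys share nothing usable.
    print(biometric_keys_agree())
```

In a real system the derived key would feed an authenticated cipher such as AES-GCM from a library like `cryptography`; the point here is only that the key must be reproducible, which a password is and a raw biometric sample is not. Research schemes (fuzzy extractors) try to bridge this gap, but they are not what consumer biometric unlock does.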
Last but not least, passwords are so far the only method that is available everywhere, works in any context, on any device and at any location, and is completely unbiased with regard to the person using it. Since password-based authentication is also very easy to implement from a developer's perspective, it is likely to be with us a good while longer.
Passwords and PINs will therefore continue to play a role in the future, whether in multifactor scenarios or as fallback authentication methods. With a password, the user has full control over their own security; better still, of course, is a professional password manager, which adds an extra layer of protection.