The Problems with Biometrics for Authentication

The other day I came across a blog post by someone lamenting a common problem we all have these days–password management. The blog linked to an article extolling the virtues of using biometrics either as a complete substitute for passwords altogether, or as part of a two-factor authentication system.

It sounds like an awesome, appropriately futuristic idea–instead of having to remember some long password, I’ll just look into my webcam and use a retinal scan instead of a password to prove I am really who I say I am. In fact, this would be a disaster.

Consider how passwords work today. A system asks you to create a password and you dutifully tell it to use “password”. The system on the other end then creates a hash of that password. A cryptographic hash is a one-way function that transforms “password” into something like “7!aceldfg”. Because it is a one-way function, even if I have the hash I cannot easily determine that “7!aceldfg” is the hash for “password.”

In reality, hashing on its own is vulnerable to some attacks, so a smart website will salt the password before hashing it. All this means is that when you type in “password” while creating an account, the website adds additional pseudo-random data to your password. So a website might convert “password” to “password12345” and then hash that. The website then stores both the hash and the salt value.

The benefit of doing this is that it increases the amount of work that an attacker is going to need to do if they compromise the website and gain access to the password file.
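The salt-and-hash scheme described above, as an added example that is not part of the original post. It uses PBKDF2 rather than a plain hash (a slow, iterated hash is what a site should actually store), and shows the two properties the post relies on: the same password gets a different stored value on every site or every reset because the salt differs, and a precomputed table of plain hashes that would identify an unsalted “password” gets nothing from the salted record. The iteration count and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed parameter for the example; real deployments tune this upward.
ITERATIONS = 200_000


def make_record(password: str, salt: bytes = b"") -> dict:
    """Build the stored record: a fresh random salt plus the salted hash."""
    if not salt:
        salt = secrets.token_bytes(16)  # new salt every time a password is set
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def rotate(new_password: str) -> dict:
    """What 'change your password after a breach' means on the server side:
    a brand-new salt and hash; the leaked record no longer matches anything."""
    return make_record(new_password)


def precomputed_table_hit(stored_hex: str, candidates: list) -> bool:
    """Model a table of plain (unsalted) SHA-256 hashes of common passwords.
    It identifies an unsalted stored hash but tells you nothing about a salted one."""
    table = {hashlib.sha256(p.encode()).hexdigest() for p in candidates}
    return stored_hex in table


def demo() -> dict:
    """Constructed walk-through returning the facts the text asserts."""
    common = ["password", "123456", "letmein"]
    unsalted = hashlib.sha256(b"password").hexdigest()
    rec_a = make_record("password")
    rec_b = make_record("password")  # same password, different salt
    rotated = rotate("correct horse battery staple")
    return {
        "verifies": verify("password", rec_a),
        "rejects_wrong": verify("Password", rec_a),
        "salts_differ": rec_a["hash"] != rec_b["hash"],
        "unsalted_found": precomputed_table_hit(unsalted, common),
        "salted_found": precomputed_table_hit(rec_a["hash"], common),
        "old_password_after_rotation": verify("password", rotated),
    }
```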

So imagine you create a username and password for your bank account, and the attackers gain access to the files containing the usernames and passwords of all the bank’s customers. Maybe the bank had very good security and they encrypted the password files in addition to hashing and salting the passwords.

You know what, though…just to be on the safe side the bank is going to ask you to change your password anyway. And you are once again reminded why you should never use the same password on multiple sites. Maybe you were reusing the same passwords and now you go and finally fix that so you’ve got different, secure passwords on all your accounts.

Great.

Now imagine the bank instead uses a retina or fingerprint scan. You swipe your finger or stare into a webcam, and data gets sent back to the bank which compares it to the hashed, salted version of the data it has on file for your eye or finger and then you get access to your account.

Until today when hackers managed to penetrate the bank’s security and access the user and authentication data. Now, your fingerprint or retinal scan data has been compromised. How do you propose to alter those?

As one biometrics news site sums it up,

Paradoxically, the greatest strength of biometrics is at the same time its greatest liability. It is the fact that an individual’s biometric data does not change over time: the pattern in your iris, retina or palm vein remains the same throughout your life. Unfortunately, this means that should a set of biometric data be compromised, it is compromised forever. The user only has a limited number of biometric features (one face, two hands, ten fingers, two eyes). For authentication systems based on physical tokens such as keys and badges, a compromised token can be easily canceled and the user can be assigned a new token. Similarly, user IDs and passwords can be changed as often as required. But if the biometric data are compromised, the user may quickly run out of biometric features to be used for authentication.