Remembering passwords has become a necessary annoyance in the Digital Age. We resort to using birth dates, pets’ and children’s names, and easily-remembered numeric sequences like ‘1234’ or ‘666’ (if you have a Satanic bent). The more creative among us will combine the aforementioned strategies into passwords that would take even the most determined hacker eons to crack such as ‘s&sie1015k*m.’Okay, I joke, but you get the point. We’re only human, and frankly, who is disciplined enough to use a unique, 28-character password for each and every account they access? It is the recommended best practice for password management, so it's no wonder that supposedly stronger and more convenient authentication technologies like biometrics have gained a lot of attention in recent years. But is it the cure for all that ails us when it comes to using passwords as an authentication token?There’s no denying that passwords have a multitude of weaknesses. Taking one of the Ethical Hacking and Penetration courses
on Cybary.it will give you an appreciation for how easily passwords can be hacked using dictionary and brute force attacks. Things are even easier when large scale data breaches occur. The recent Yahoo! email data breach is a case in point, though no passwords were apparently stolen, password hints and identifying data were making the scope potentially worse. The ability to authenticate users by “something they are” such as fingerprints or iris scan sound appealing on the surface, but when you examine the inherent weaknesses associated with biometrics authentication, it’s enough to send many folks running back to the tired old password.As with passwords, biometric data can be stolen. And once that happens, well, you’re kind of stuck. You can’t exactly change your fingerprints. Such a data breach occurred in June 2015 at the U.S. Office of Personnel Management (OPM) where four million records were stolen, many of which contained fingerprint data. Thwarting biometric authentication systems has been achieved using some rather low-tech methods. Fingerprint scanners have been fooled using lifted prints from Play Doh and even Gummy Bears! And just like in the movies, modified glasses have tricked iris scanners. It's not too difficult to realize that when used alone, biometric authentication is fairly weak and vulnerable.The situation for the weakness of biometrics is compounded by storing biometric data on servers. Things get worse this data is stored along with passwords. There is also the tricky issue of where to set the threshold for determining a match when processing biometric data. Set the bar too high and the False Rejection Rate (FRR) becomes unacceptable. Conversely, set it too low, and the opposite situation exists. The False Acceptance Rate (FAR) increases. And despite what we’ve been taught from an early age, not all fingerprints are unique – at least when dealing with the signal-to-noise ratio of digital scans combined with a sufficiently large database. Collisions are inevitable in such a large data set.Perhaps the most worrisome issue with biometrics, and one that has nothing to do with its suitability as an authentication factor, is the potential for abuse. Providing fingerprints and iris scans – at least for authentication purposes – are done on a voluntary basis. That’s unless you’re being booked down at the police station on a criminal charge. Modern camera technology can obtain iris scans from up to ten meters away without a subject’s knowledge. Advancements in DNA research may reach the point where subjects in a national database could be criminally profiled simply based on what is determined in the future to be a genetic tendency towards criminal behavior. Big Brother indeed!So, where do we go from here when it comes to improving authentication methods – the previous foray into a dystopian nightmare world notwithstanding? Many IT security experts are strongly advocating for multi-factor authentication (MFA). Despite predictions that passwords will all but disappear by 2020, combining strong passwords with one of more additional authentication factors such as a biometrics appears to be the direction we're headed. Also, storing biometric data locally, rather than centrally on a server might be a good idea to protect it from compromise. Be prepared to hear the drumbeat for MFA grow louder in the coming years with biometrics most likely being one of the factors.