I have started seeing a lot of posts recently about the end of the password, only for it to be replaced with cheap and disposable biometric hardware. But what about security: what does biometric hardware have to offer that passwords can’t provide, and what do passwords have that will always make them superior to biometrics?
Let me start with a little bit of history around the password. Chapter 1: in the year 220 BC, Roman legions used watchwords to confirm they were who they said they were and didn’t get stabbed by some burly man in a skirt wielding 30 inches of solid iron. Watchwords were still in use right into the height of the Second World War (and potentially even later).
Modern passwords still perform exactly the same function: to distinguish one individual from another. Why are passwords still around? Because they are simple, easy, and effective. We use them for everything; our online banks, our social networks, our corporate accounts, our “random account that receives millions of junk emails a day” accounts… they all use them. So why should it bother us that they want to get rid of them? Why will biometrics become a bigger hindrance than the password?
So what is it about biometrics that developers find so wonderful, and why do they see it as the replacement for the humble password? Why does it appeal so much that they’re starting to release biometric devices (including dongles and phones) to unlock our accounts? Apple have had it in their latest iPhone for a while, PayPal are using it, Samsung are developing it, Google are developing it, Microsoft are developing it…
I still don’t see what all the fuss is about. I don’t want to have to touch some piece of plastic just for it to tell me that my fingerprint is wrong, or look into an iris scanner only for it to decide that my eyes are the wrong shade of blue. Yeah, I hear you complaining too. Don’t worry about this though: biometric scanners have built-in tolerance calculations that decide how close a match has to be before it counts. Using a really (and I mean seriously) dumbed-down example, I’ll try to explain what I mean.
Out of every 10,000,000 people, allow for 0.005% invalid attempts.
What this means is that 500 people will be let through even though their scan failed. However, it’s not that simple. It’s based upon a score: how much of the biometric detail matches. So now we have the following example.
Out of 10,000,000 people, allow for 0.005% invalid attempts that have a score of 70+/100.
Now what this means is that the 500 people whose scans were wrong must have scored 70 or more out of a hundred to get through the system. Out of those 500 people, 20 may have scored 71. Their biometric detail was wrong, but they still got through because it was 70% similar or greater.
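The threshold arithmetic above, as an added example that is not part of the original post: it uses constructed match scores (not real scanner data) to show how the accept threshold trades false accepts against false rejects, and it reproduces the post’s 0.005% of 10,000,000 figure.

```python
# Added example, not from the original post: how a match-score threshold turns
# a scanner's similarity scores into accept/reject decisions, and how the
# false-accept rate (FAR) and false-reject rate (FRR) pull against each other.
# All scores below are constructed sample data, not output from any real scanner.
import random

random.seed(1)
# Constructed scores on the post's 0-100 scale: impostors (wrong person) cluster
# low, genuine users cluster high, and the two tails overlap.
IMPOSTOR_SCORES = [min(100, max(0, round(random.gauss(40, 12)))) for _ in range(10_000)]
GENUINE_SCORES = [min(100, max(0, round(random.gauss(85, 8)))) for _ in range(10_000)]

def far(impostor_scores, threshold):
    """False-accept rate: fraction of impostor attempts scoring >= threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)

def frr(genuine_scores, threshold):
    """False-reject rate: fraction of genuine attempts scoring < threshold."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)

def expected_false_accepts(population, target_far):
    """The post's arithmetic: 0.005% of 10,000,000 attempts is 500 wrong people let in."""
    return round(population * target_far)

def threshold_for_target_far(impostor_scores, target_far):
    """Lowest threshold (0-100) whose FAR is at or below target_far, or 101 if none.

    With only 10,000 constructed impostor samples a 0.005% target cannot be
    resolved, so the result is simply the first threshold that admits no impostor.
    """
    for t in range(0, 101):
        if far(impostor_scores, t) <= target_far:
            return t
    return 101

if __name__ == "__main__":
    print(f"{'threshold':>9} {'FAR':>8} {'FRR':>8}")
    for t in (50, 60, 70, 80, 90):
        print(f"{t:>9} {far(IMPOSTOR_SCORES, t):8.4f} {frr(GENUINE_SCORES, t):8.4f}")
    target = 0.00005  # the post's 0.005%
    print("expected false accepts in 10,000,000:", expected_false_accepts(10_000_000, target))
    print("threshold meeting that target on the sample:", threshold_for_target_far(IMPOSTOR_SCORES, target))
```

Raising the threshold pushes FAR down and FRR up; the table printed by the block makes the trade-off visible on the constructed data.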
Of course, this is a lot more complicated than I’ve described. Mathematicians and system architects have slaved for many years to come up with a ‘pitch-perfect’ algorithm that gets it right every time, but they have still been very unsuccessful. The technology isn’t error-free (I know, neither are passwords, but it’s easy to forget those…) and it still can’t reliably distinguish between actual fingers and photocopied paper cutouts (as Mythbusters showed). Until this problem is fixed, passwords will always be more convenient.
One other massive problem with biometric data is that it cannot be changed (for identification purposes). You cannot change your fingerprints or your irises, and you definitely can’t change your DNA. Alongside this there is the massive issue of data collection. Own someone’s fingerprint and you’ve suddenly got the upper hand: you can sell it to hackers (so they can generate replicas in silicone), you can sell it to corporate companies for analytics, or you can even sell it to governments for their people-tracking databases!
So what can you do to make your password secure enough that it is relatively difficult for an attacker to gain access to your account with it? Well, this simple list should help:
- Never use a simple password: many companies have now started making it harder for you to use simple passwords (such as “password” and “abc123”), forcing you to use combinations of lowercase and uppercase letters, numbers, and symbols. It doesn’t necessarily have to be this complex (though I will post another blog post at a later date around this with actual data/results), but by using a combination of 3 of the above with a minimum length of 8 characters, you should be safer than if you just use an easy-to-guess password.
- Never use the same password: this applies not only within one website but across different websites. It is paramount that every single password you use is different (or at least that the services which matter (bank, email, social) each have their own). If you do reuse a password and an attacker manages to get it, there’s a very good chance he’s going to try every other one of your accounts to compromise them.
- Change your password regularly: you should change your passwords at least twice a year (for not-very-important things), and every quarter (3 months) for very important things. This habit will make it a lot harder to guess your password. Don’t just add a “1” to the end of it either; this only takes slightly longer to guess (and doesn’t change the strength). Choose a completely different password that’s easy to remember.
- Take indicators of compromise seriously: if a company tells you their password database has been compromised, change ALL of your passwords immediately (more so if your passwords are the same across multiple websites). If your password has been stolen, it may have been sold for as much as 10GBP for a list of 10,000, something that’s extremely valuable to hackers/scammers. If you’re a victim of password theft, change your passwords immediately, and also change the email address tied to the account (there’s a chance they will attack that one next…)
- Use “2 Factor Authentication (2FA)”: now that passwords are taking less time to crack (still a matter of years in some instances), additional layers of security are needed to enhance the way we protect our data. One way is to use an app like “Google Authenticator” or “Authy” to provide a constantly changing 6- or 8-digit number that the user enters after their username and password. Facebook has similar technology built into its app (or alternatively it can text you a one-time password).
- Enable account alerts: this means that if someone other than you logs into your account, you will be sent an automated SMS or email notifying you that this has occurred. This won’t provide any protection beyond the notification itself. It’s useful, but it’s not something you should go out of your way to set up.
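As an added example (not code from the original post), a small audit of the password rules in the list above, run over a constructed password-manager export; the service names and passwords in it are made up, and the “trivial variant” check is my own way of catching the “just add a 1” habit the list warns against.

```python
# Added example, not from the original post: a user-side audit of the post's
# password rules over a password-manager export: at least 8 characters using
# 3 of the 4 character classes, no password shared between services, and a
# "new" password that is not just the old one with a digit tacked on.
# SAMPLE_VAULT holds constructed values, not anyone's real passwords.
import re

CLASSES = (re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
           re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]"))

def complexity_ok(password, min_length=8, min_classes=3):
    """The post's rule: at least 8 characters drawn from 3 of the 4 classes."""
    if len(password) < min_length:
        return False
    return sum(1 for rx in CLASSES if rx.search(password)) >= min_classes

def is_trivial_variant(old, new):
    """True when only a trailing digit/symbol run differs (case-insensitive),
    e.g. 'Summer2014' -> 'Summer20141' or 'Summer2015'."""
    def stem(p):
        s = re.sub(r"[0-9!?.]+$", "", p).lower()
        return s or p.lower()  # all-digit passwords are compared whole
    return stem(old) == stem(new)

def reused_across_services(vault):
    """Services (sorted) whose password also appears under another service."""
    by_password = {}
    for service, pw in vault.items():
        by_password.setdefault(pw, []).append(service)
    return sorted(s for group in by_password.values() if len(group) > 1 for s in group)

def audit_vault(vault):
    """List of (service, problem) pairs; empty means every rule passed."""
    shared = set(reused_across_services(vault))
    problems = []
    for service, pw in vault.items():
        if not complexity_ok(pw):
            problems.append((service, "too simple"))
        if service in shared:
            problems.append((service, "reused"))
    return problems

SAMPLE_VAULT = {"bank": "Kettle!Orbit42", "email": "Kettle!Orbit42", "forum": "password"}  # constructed

if __name__ == "__main__":
    for service, problem in audit_vault(SAMPLE_VAULT):
        print(f"{service}: {problem}")
    print("trivial change:", is_trivial_variant("Summer2014", "Summer20141"))
```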
So, to conclude… Biometrics might be super exciting and awesome, but the fact is that they will always be vulnerable in the sense that they cannot be changed. Once you get old you might get cataracts, or your fingers may become wrinkled and disfigured, and suddenly you can’t access your accounts. Yes, you might forget your password, but at least you can request a new one. You can’t request a new finger…
If you enjoyed my blog, you can follow me (box on the right) and you get a lovely email when I post something new. Alternatively, you can just see me on Facebook/Twitter/Google+ and see what happens when I post something!