How can we eliminate passwords given the problems with biometric authentication?

Question

I've read articles suggesting that passwords will eventually go the way of the dinosaur only to be replaced by biometrics, PINs, and other methods of authentication. This piece claims that Microsoft, Google, and Apple are decreasing password dependency because passwords are expensive (to change) and present a high security risk. On the other hand, Dr. Mike Pound at Computerphile claims that we will always need passwords (I think this is the correct video).

But as this wonderful Security StackExchange thread notes, biometrics are not perfect. Granted, the criticisms are roughly six years old, but still stand. Moreover, and perhaps I have a fundamental misunderstanding of how biometric data is stored, but what if this information is breached? Changing a password may be tedious and expensive, but at least it can be changed. I'm uncertain how biometric authentication addresses this problem--as I cannot change my face, iris, fingerprint, and etc.--or if it needs to address this problem at all.

Are those who argue that we can eliminate passwords prematurely popping champagne bottles or are their projections correct?

Answer 1

First of all, let's keep in mind that vendors of biometric solutions have a vested interest in badmouthing passwords to promote their own products and services. There is money at stake. They have something to sell to you, but that doesn't mean you will be better off after purchasing their stuff. So one should not take those claims from vendors at face value.

Moreover, and perhaps I have a fundamental misunderstanding of how biometric data is stored, but what if this information is breached? Changing a password may be tedious and expensive, but at least it can be changed. I'm uncertain how biometric authentication address this problem--as I cannot change my face, iris, fingerprint, and etc.--or if it needs to address this problem at all.

This is precisely the biggest problem with biometric. The compromised 'tokens' cannot be revoked. Breaches have already happened on a large scale. A devastating occurrence that will have consequences for many years to come is the OPM data breach.

Faces cannot be protected. They literally are public knowledge. Lots of people have their face on the Internet nowadays. Fingerprints can be seized off a glass. These are not secrets.

On top of that the collection of biometric data is a formidable enabler for the mass surveillance of individuals. Even the most democratic governments cannot be trusted. Technology also changes the nature of government and social interactions - not always in a good way.

We have to consider the trade-offs: what do you have to gain vs what could you possibly lose. Is the convenience worth the risk ? Not everyone is convinced.

So it is not just a technical issue but a societal issue that has enormous implications. Hint: China is the benchmark.

The false or negative positives rate is also a problem. Some people cannot be enrolled because of their physical characteristics. A password is unambiguous. You either know it or you don't. Biometrics = calculation of probability.

Relying on biometrics alone is not wise for critical applications. Hence the emergence of multi-factor authentication.

As an example 3-factor authentication would be:

• something you have: for example a smart card
• something you are: this is where biometrics comes into play
• something you know: for example a password

It would be objective to say that biometrics are gaining momentum in some markets/applications, without eliminating passwords altogether. It does not have to be a zero-sum game.

Answer 2

but at least it can be changed

They change frequently - depending on how much you've eaten/drunk. Ambient lighting has a big impact. Age. Variations in the devices performing the measurement. Biometrics work by the measured attributes being sufficiently close to some baseline record to be considered a match by the software. "Close enough" doesn't work for encryption keys - only for authentication. Its an even worse problem for 2FA tokens - that just proves you own a secret with sharing the secret. The secret needs to be available in plain text at both ends of the authentication process.

Passwords have problems. 2FA tokens have problems. Biometrics have problems. Short of DNA sequencing (not viable) the most viable approach to strong security is to combine different methods.

Answer 3

I don't quite get where the idea of changing a password being expensive comes from, having worked in/on password storage and website logins changing a password isn't very expensive, not more so than opening a new web tab, and receiving an email.

PIN's are essentially weaker passwords (at least as my definition of what a "PIN" is).

Biometrics have one problem; if they get breached you can't really willingly quickly change them. Furthermore as soon as someone has access to you (like when you are arrested) they can take your biometrics and get access to all your accounts.

Decreasing dependency. Many companies are decreasing dependency on passwords and have started using two factor authentication. This comes in many forms but may be anything from having to confirm changes with an email link, entering a code sent to you by text, or having a special app that you have to use to confirm your decision. Two factor authentication is not perfect and has several flaws, and is annoying and tedious, but is also rather effective.

Biometrics storage. This is the sketchy part. whereas passwords can be stored in super secure ways biometrics can't really, as you need to compare a profile with the input, which means that that profile can be stolen. Biometrics are also rather vulnerable as they are constantly visible on you. (finger prints, iris, DNA, speech, facial recognition) This makes it easy to steal/copy them, which is a lot more difficult with passwords, if they are managed properly.

To sum it up passwords are pretty good, if used properly (which most people don't) and can be greatly improved using two factor authentication (or more factors as @Anonymous pointed out).

Answer 4

TLDR:
To sum up, your question was "what if this information is breached?"
The answer is "the grown ups in the biometrics space assume it is by default."
An intrinsic part of their security model is the additional checks each time authentication happens to distinguish real people from replays and replicas. inasmuch as replays and replicas are not accepted, the secrecy of the actual face, fingerprint, etc isn't a part of the security model.

---

For background, I worked for 3 years as a developer in the research team of a biometrics startup. The industry definitely has its fair share of crackpots and mavericks and I got to hear all sorts of unlikely claims and philosophically dubious standards of measuring their effectiveness. As I mentioned in a comment, if your biometric security system relies the face (or fingerprint or whatever) being secret, you're one of the quacks. Likewise if you're dismissing biometrics because they're not kept secret, you're wasting your time arguing with quacks.

However, there are grown ups involved too. The major players do know what they're doing, and are suitably dismissive of the quacks. By major players, I'm talking major companies like Apple and government agencies like NIST. But on top of that, most everyone uses biometrics, they just don't use state-of-the-art tech for it.

Here's how it works. You want to start a new job, and before anything else happens you're asked for some sort of government ID with a photo. Why the photo? Because they want to check that you (the human) match the id (the photo). Keep this distinction in mind: even though most face recognition systems can match two photos of faces, biometrics is specifically about matching a human. HR or IT security or whoever it is has to check two things: You look like the photo, and you're a human.

Likewise, every non-quack biometric authentication system has to check these two things. There will be a matcher and there will be a presentation attack detection system (PADS). The matcher confirms that you look like the stored photo (or stored mathematical representation in whatever sense) and the PADS is responsible for checking that you're not just a photograph. For example the iPhone FaceID uses an infrared dot projector and directly measures the 3d structure of your face, as well as using the camera to check you look like you. Other PADS systems measure other properties: perhaps motion, temperature, heartbeat, electrical capacitance, or some combination. The goal is to identify things properties that humans have by default but are hard, expensive work to forge.

If you use, say, a banking app that uses FaceID, it doesn't forward your face to the bank for checking. That would be fairly pointless. All the bank could verify is that someone has a picture of your face. In fact, Apple won't actually let the bank send that data; they won't let the biometric data leave the phone! Instead the phone verifies the person, and then sends a suitable message to the bank to the effect of "I, Josiah's phone, confirm that I have just seen a person and the person looks like Josiah." (Probably with an additional "And I'm signing this message with my private key." for good measure).

In terms of performance, matcher software have made incredible progress in the last few years. For example, during my time in the industry, the state of the art in face matchers got about a thousand times better (as measured on NIST's FRVT competition). They're far better than that HR official who checked your passport and set you up with your company account in the first place. In fact, they're into the level of performance where they could successfully distinguish many people from every other human being on the planet. That's really impressive for identification, but it's still not the antidote to malicious spoofing.

PAD systems also continue to improve. This is more of a mixed bag because their performance depends so much on what hardware they're using, and Apple's fancy IR projector will be better camera only systems that rely on, say, asking the person to blink. Generally, PAD systems are still the weakest link, but a strong PAD system still moves a typical attack overhead from "Pull up their facebook profile picture and take a snapshot" to "Gather a team of experts and set them a multi-week 3d fabrication project." On top of that, of course, you need access to the validation system: if we're assuming a setup like "You log in by doing FaceID on your phone" then you need their phone. Now that's perhaps still faster/cheaper than breaking the password of the sort of person who spends time on security.stackexchange, but it's a whole lot slower/less scalable than just trying "qwerty" as the password for each of the employees in the company you want to break.

To sum up, your question was "what if this information is breached?" The answer is "the grown ups in the biometrics space assume it is by default."

That's what the PADS is for. It doesn't have to be high tech PADS. In some settings, a human monitoring the camera stations, watching for charletans holding a printout to the camera, is a reasonable PADS. If you don't have a PADS; if just knowing what someone looks like means you can impersonate them; then you don't have a biometric authentication system. You just have a moronic password system where everyone's password is tatooed onto their forehead. But if you do have a good PADS, you have a system that can offer a good level of security at an excellent level of convenience even for the sorts of person who asks why they can't leave the password field blank.

---

I would be remiss if I did not clarify that biometrics is not solely an authentication technology, and other uses do not always require a PADS. When the police match fingerprints from a crime scene against a database, they don't check that the prints are attached to a human. When a Casino uses face recognition to look for known card counters, they take for granted that no-one is trying to impersonate a counter. For these sorts of things, it entirely comes down to matcher performance. It is strictly for authentication that the PADS is key.

Answer 5

I'm surprised no one is mentioning WebAuthN. It uses public key exchange to sign a challenge with a private key and eliminate passwords all together. The new WebAuthN standard combines something you have (private keys on a device) with something you are (your fingerprint) and has the capability to include something you know (PIN/password). On the server, only the public key and the key ID are stored, so an attacker has nothing to gain by compromising the site's database and collecting everyone's public keys. Biometric data are only used locally to unlock the private keys on the authentication device. They are never sent to the server.

I'm a web application penetration tester by day and I can tell you that eliminating password spraying, brute force, and all those style attacks against a system makes my job much harder. I would have to get malware on your machine and somehow trick it into signing a WebAuthN challenge to login as your user. Or hop on a plane, fly to your house, steal your key, pull a fingerprint off of the wine glass you used last night...you get the idea. This is much less likely than me sitting at home and spraying a password re-use attack from a recent breach.

It does have some drawbacks; most significantly a "lost device" scenario. But from a security perspective, it really raises the bar.

Answer 6

Passwords are not bad per se, they are only bad because users are stupid and lazy, and because people who are responsible for security policies are often even more stupid than users. As a result, you end up with policies such as users being forced to change the password every week, some particular length, and including at least so and so many digits and special chars, and the last 100 passwords are saved. Whatever, you know.

So guess what you will get from such an obnoxious policy. That's right, you'll get loveyou01 through loveyou99, which is much less secure than a well-chosen unguessable password that can as well stay valid for many months (possibly years).

There remains the problem of having to remember a lot of unmemorizably long and complicated passwords, of course. But this problem has been solved, it's called password manager.

Now, biometry, on the other hand side, is not without troubles, either. The three major problems with biometric identification are that

1. biometric data does not change
2. biometric data changes
3. biometric data cannot be withheld

The fact that biometric data changes, all the time, requires the authentication procedure to be somewhat fuzzy and "intelligent". Now, artificial intelligence is a very significant oxymoron. Computers aren't intelligent, no matter what marketing tells you. They can do some fuzzy matching at best.

What's good enough, your twin sibling's face? A photo of yours? A rubber replicate of your fingerprint? What about manufacturing patterns in your cheap Chinese screen protector (the famous Galaxy S10 story...)?

The problem is that the identification hardware/software must account for variable, changing input (fingers are held at different angles, ridges are deeper or less deep depending on how much you drank and depending on how hard you press, you get scratches on your finger, and scratches heal with time, your face looks different when you lose weight, etc etc).

The other problem is, of course, that biometric data doesn't change. Someone steals my fingerprint data. Now what am I going to do? Cut off my finger and wait for my body to grow a new one? That might be worth trying, but I'm somewhat sceptical whether it's a practical approach. Let's hope this doesn't happen several times, what will I do the 11th time my prints are compromised?

The last problem is that I can take your fingerprints while you're passed out drunk (or otherwise unconscious) without you having to do anything. I can do it when you're dead, even (though some detectors require blood circulation). Or, I can just take your fingerprints off a surface that you've touched when you aren't even present.

Passwords are somewhat better in that respect. You can tie me to a chair and beat me until I reveal a password, that's right (known as rubber hose attack, or wrench attack). If I am some very important person protecting some very important secret, and you force me to reveal the password, I might give you a "distress" password which does an emergency lockdown and calls in the seals, whatever, and you cannot tell unless you actually try (in which case, if it's indeed the distress password, it's too late).

Passwords sure aren't perfect, but at least there still remains some control on my side. Also, you can't extract the password from me when I'm unconscious or dead. Or from a glass that I held while drinking.

Answer 7

Changing a password may be tedious and expensive, but at least it can be changed. I'm uncertain how biometric authentication addresses this problem--as I cannot change my face, iris, fingerprint, and etc.--or if it needs to address this problem at all.

I suppose people who want to sell software will proclaim the benefits of software, and likewise for hardware manufacturers. Each has benefits and drawbacks. An effective combination of the strengths of each seems the best solution.

My Samsung phone has a password manager that is easy to setup.

It uses a combination of facial, iris, and fingerprint recognition to unlock its password manager, and supply a different password to each website (without disclosing your biometrics).

You can use long and complicated passwords which are different for every website; accessed using encrypted biometric keys, stored in a Trust Zone, that never leave your phone.

It is possible to change which finger you scan and update your facial data for more accurate processing. Your phone has other tricks up it's sleeve, for example, it can be remotely tracked and locked through Samsung's website. While that may be a different security and privacy issue one must weigh who they will trust versus the convenience of use. You wouldn't want to access websites only by showing up in person with three pieces of identification.

There are fingerprint and password USB key fobs for laptop and desktop use, these can provide a similar level of additional security over and above your OS's password; though a key fob with facial recognition and GPS tracking could be fairly pricey.

Answer 8

Passwords do need to be eliminated, but all the ideas you've cited as replacements are wrong. Passwords are not expensive to change. But they are prone to weak choices, compromise via reuse, and (most importantly) social engineering into disclosure to the wrong party (this encompasses phishing and a lot more).

Biometrics are not secrets whatsoever, and are not "something you have" unless you have a locally trusted digitization device whose sensors can't be tampored with to feed in prerecorded data. In the absense of that, they're a "something you know" that happens to be something everybody knows, and thus completely unsuitable for authentication. There is a trend to use tamper-resistant hardware to unlock the actual (non-user-facing) key/token stored inside it in response to biometric measurements (fingerprint and facial unlock of phones, etc.) but these are all defeatable with laughably bad fakes.

PINs work in a somewhat similar way, as a mechanism to unlock the real key/token, but use the tamper-resistant device to throttle against brute-forcing, so that you can get away with much shorter/simpler "something you know" secrets. These are less trivial to defeat, but still not strong. There will essentially always be attacks to bypass throttling or to extract all the data, at which point it can be quickly brute-forced on another machine.

The right replacement for passwords is public key authentication, with the private key held in an isolated device (something you have) and protected by a passphrase (something you know). The only difference between this and PIN is the strength that the word "passphrase" is intended to convey: the derived symmetric key used to encrypt the private key is sufficiently strong that, even if device is stolen and all data extracted, it can't be brute forced. Users of such a system must know never to enter the passphrase anywhere but on the isolated device, and to revoke and regenerate keys if they suspect the passphrase has been disclosed.