Isn't it less secure to use something you are for authentication?

Question

I have to think of this everyday when I close the doors of the shop I work in:

A year ago we used to close the shop and arm the alarm using a key fob. This means the worst case scenario was that I get robbed.

A few months ago my boss decided that we need a password to set the alarm. This means thugs will kidnap me and beat me till I tell them my password.

Yesterday he was thinking about investing in locking with a fingerprint sensor. Great, this means I'll lose my fingers if I ever get kidnapped.

How can we make our system more secure than using only single-factor authentication?

Answer 1

Whether something is "more" or "less" secure depends on a lot of things including the perspective of the person designing the mechanism.

In this example from the perspective of your boss, using fingerprint scans could be more secure for two reasons. One the percentage of thieves who will cut peoples appendages off is likely lower than the percentage who would steal something from your pocket. Two, with a fingerprint system if there is a risk of insider collaboration with thieves a fingerprint scanner means that it can be proven (assuming they haven't had that finger removed) which employee was present at the time of the theft.

None of that means that this is better from your perspective of course in fact as you say, losing an appendage is way worse than being pick-pocketed or beaten up for a password.

Also in all this I'm assuming that there's no way to bypass the fingerprint sensor. If I was you, you could point out to your boss that most fingerprint sensors are bypassable by people lifting prints from things like a glass in a bar and once you've lost control of the print, these systems can be worse than useless (e.g. if a criminal has all 10 prints, they can always get access past the system and there's nothing you can do to change your prints)

Answer 2

Sometimes we forget what counts: The system is protecting things, you and your coworkers are a people. When kidnapped, just cooperate and try to keep harm to persons as low as possible; it's just not worth it.

With this corrected attitude, it doesn't matter what security system you pick, because it will only work with the thieves, not with the robbers.

Answer 3

Crime is said to be mostly opportunistic (by design researchers among others) so I'd assume getting hold of someone's fingers to be a rather harder opportunity to fulfill than getting hold of a key ring. In practice in all three scenarii there are limited options for attackers:

1. Steal your auth factor
2. Bypass the factor and force one's way in
3. Piggyback you when you open/close the shop

In practice #3 is said to be the most common attack on jewellery stores (French news reports in 2014, have no link). Note that 1 and 2 only are affected by the auth factor in use.

Stealing auth factors

With key rings, an attacker needs to either discreetly or forcefully take the keys from you and then act before you can report to the police, which is trivial but... If attacking forcefully, attack #3 is just as convenient and would probably be preferred, since the attacker needs to move fast and ideally prevent you from reporting, which is best done on site.

With a password, an attacker would probably need to observe you typing, so #3 would be easier. I discard phishing because the auth occurs offline. An alternative would be to break into your IT system and steal the password, but someone who can do that is far beyond the assumed opportunistic criminal.

With fingerprints, same as key ring, except that the discreet theft of credentials works a bit differently. Might be easy to steal a glass from you in a bar, or might be easy to steal your keys you've left on your garden table. In any case, the discreet theft is not entirely trivial.

As for the rest I would personally feel more worried about accountability if my fingerprints were stolen and I were designated as the culprit of a theft, and would argue for a combination of factors rather than just one. But fingerprint readers are not less secure than passwords or keys in that context.

Bypass factors

Here it might be easier for an attacker to bypass a keylock based on their own criminal experience, albeit some keyrings nowadays can be truly complex. Attackers are likely to break through the window rather than the door, and alarms + CCTV would be the appropriate protection rather than just the auth mechanism at the door.

Piggyback

It should be fairly clear by now that the easiest way for someone to break in is to wait for you to unlock the door and assault you at that time, forcing you to close back behind. This works within the opportunistic assumption, requires little prior preparation, expertise or equipment.

In conclusion, be cautious when opening/closing the store rather than paranoid about what authentication method is in use.

Answer 4

Most businesses require employees to cooperate with thieves to the best of their abilities, along with insurance to replace anything lost during a fire, theft, or natural disaster. It is hugely more expensive to repair the bad press and pay your workers compensation (or worse, pay when your spouse sues them after you die)! It's just not worth it!

If you think the attackers will torture you to get you to release the password, don't let them: just tell them the password when they ask! If you think that the attackers will try to cut off your fingers, just use your fingers to unlock the scanner while they're still on your hands. Don't set off the fire alarm or anything stupid like that, or try to lower your hands sneakily to press the silent alarm. If you have the opportunity, do so, but don't take stupid risks to protect a few thousand dollars of insured merchandise!

This reality has important consequences for the resulting security policies: Employees must be able to cooperate to the best of their abilities, but to keep the insurance rates low, should be unable to get large amounts of cash. This is the reason for policies like half-hour time-delayed safes, which an employee can unlock with a key, password, and/or fingerprint, but will not un-latch for half an hour. It's also the reason for delivery drivers to keep less than a certain amount of cash with them - they'll surrender everything they have if you threaten them, but it's just not worth it.

Perhaps you could set up the alarm to always arm at closing time, and always arm at opening time, unless programmed differently 24 hours in advance? Consider the scenario: You are on your way out, and are closing the door, when you see an attacker. They say "Key in your code/use your key/scan your fingerprint to disarm the alarm!" and you say "It's time keyed, as you can see on this sign posted right here; I can't disarm it until 7:00 AM tomorrow. It's 9:28 PM, so it arms in 2 minutes, would you like me to help you carry anything you can grab in the next two minutes? No guarantees we can get back out in time, and I can't unlock the safe containing the security camera NAS without waiting for a half-hour time delay, though...I do have $50 in my wallet, which you can have. My boss will reimburse me tomorrow morning."

Answer 5

The 'security' of biometric authentication is different to regular on a couple of major points.

Firstly, it is much more convenient than regular authentication methods. If 'who you are' is your password, you can never really lose it. A keyfob or pin code can be easily lost, stolen or forgotten, but your iris pattern or facial geometry are very difficult to separate from you (barring major accidents or extreme malicious intent).

Secondly, it offers a greater guarantee of non-repudiation. Say the security system were to open a safe containing money. If the money were stolen, and were protected by just a keyfob, it would be easy to assert that someone had stolen the authentication method from you from you rather than you stole the money yourself. A passcode gives slightly more protection, but could still be easily shown that the passcode had been stolen and used without your knowledge. If the authentication is your fingerprint, and you still have all of your fingers intact, it is quite difficult to prove that you didn't in fact steal the money yourself.

This second point is the cause of a real issue in authentication. If your personal authentication method is in fact stolen, how would one prove that you didn't steal the money? More to the point, if the authentication method is duplicated, how do you change your 'password'?

In terms of the security, it is arguably the exact same security using a fingerprint as a keyfob. Both would need a single item to be stolen to gain access. Same with a passcode. In terms of effort a robber would have to go to to gain access, a passcode would require the most effort (torture you to get the passcode), whereas a keyfob or fingerprint would require the exact same effort (steal something). Although the stealing of a fingerprint would be much more grisly (stealing your finger as opposed to stealing an item on your person), it's the same effort an attacker would need, therefore the same security.

Biometrics are generally best suited to continued authentication as opposed to initial authentication. Some item of data other than yourself is used to initially state who you are, then yourself is used to maintain access. This has been used in laptops with facial recognition software on the webcam. You use a password to initially log in, then the webcam looks at your face as you sit in front of it. When you get up, it detects that the biometric authentication is no longer in place, and locks the computer.

The situation you have described is still single-factor authentication, albeit using biometric authentication rather than 'standard' authentication. If using a single-factor authentication only, a passcode is a better option. If using multi-factor authentication, a keyfob and a passcode or a passcode and biometrics are better options.

What also needs to be looked at in your situation is the cost - both human and monetary. Any business should have insurance against robbery. Would you prefer that your store be robbed and your staff have a keyfob stolen, or that your staff have their finger/eye stolen? Also, is it really worth the money to fit fingerprint scanners when a passcode is just as secure as a password?

So, in answer to your question, on their own biometrics are arguably less secure than passcode authentication, more dangerous (to the owner of the biometric signature) if an attacker really, really wants to gain access, but slightly better at proving someone has accessed something if they say they haven't - until those biometrics actually get stolen, then they are better at proving you have accessed something when in fact you haven't.

Answer 6

Ask boss to get a system with a keypad and also a duress code that silently alarms. Maybe your existing system supports this.