Why do we even use passwords / passphrases next to biometrics?

Question

In the last couple of days there were a lot of talking about passwords and passphrases, not only here, but on several blogs and forums I follow (especially after XKCD #936 saw the light of this world). I heard quite a few pros and cos of both of them and this got me thinking.

Why do we use password and passphrase at all instead of biometrics? I know biometrics are not the holy grail of authentication and/or identification, but (And the most popular password is... from ZDNET) at least I can be pretty sure that majority of users won't have the very same and easy to guess biometrics. Also I can't forget my finger or iris (while I can forget password / passphrase). With the era of cloud coming, the major strength of passphrases (length) might easly be ephemeral.

Like I said, I know biometrics are not perfect, but if we know that passwords / passphrases are the Achilles' heel of almost every system, why are biometrics underused? According to Tylerl (Biometric authentication in the real world from this site, second answer), biometrics is used even less than it used to be. I mean, even if fingerprints are easily forged, it's still better than having many users with password 123456 or qwertz, at least from my point of view (feel free to prove me wrong).

So, in short, what are the biggest problems / obstacles which are stalling widespread adoption of biometrics?

EDIT

I won't comment each reply, but put my thoughts here. Also I would like to clarify some things.

Problem of normalization

I don't know how is it in USA, but in UK law states that you need at least 5 (or 7, I'm not sure) referent points used in matching. This means that even if you don't have perfect scan, system can still do matching against vector (which is representing fingerprint) stored in DB. System will just use different referent points. If you are using face as biometric characteristic EBGM can recognized person even if face is shifted by ~45°.

Problem of not-changeable (characteristics)

Well, you can actually change characteristics - it's called cancelable biometric. It's working similar as salting. The beauty of cancelable biometric is that you can apply transformation daily is needed (reseting password every day could result in a lot of complains).

---

Anyway, I feel like the most of you are only thinking about fingerprint and face recognition, while in fact there are much more characteristics which system can use for authentication. In bracket I'll mark the chances of fraudery - H for high, M for medium and L for low.

• iris (L)
• termogram (L)
• DNA (L)
• smell (L - ask dogs if you don't believe me :] )
• retina (L)
• veins [hand] (L)
• ear (M)
• walk (M)
• fingerprint (M)
• face (M)
• signature (H)
• palm (M)
• voice (H)
• typing (M)

Ok, let say biometric hardware is expensive and for simple password you have everything you need - your keyboard. Well, why there aren't systems who are using dynamic of typing to harden the password. Unfortunately, I can't link any papers as they are written in Croatian (and to be honest, I'm not sure do I even have them on this disk), however few years ago two students tested authentication based on dynamic of typing. They made simple dummy application with logon screen. They uploaded application on one forum and post the master password. At the end of this test there were 2000 unique tries to log with correct password into the application. All failed. I know this scenario is almost impossible on the webpages, but locally, this biometric characteristic without need of any additional hardware could turn 123456 password into fairly strong one.

P.S. Don't get me wrong, I'm not biometric fanboy, just would like to point out some things. There are pretty nice explanations like - cost, type 2 error, user experience,...

Answer 1

Passwords and biometrics have distinct characteristics.

Passwords are secret data. Data is abstract: it flows quite freely across networks. Cryptography defines many algorithms which can use secret data to realize various security properties such as confidentiality and authentication. The shortcomings of passwords are due to the fact that they are meant to be memorized by human beings (otherwise we would just call them "keys") and this severely limits their entropy.

Biometrics are measures of the body (in a wide sense) of a human user. Being measures, they are a bit fuzzy: you cannot take a retinal scan and convert it into a sequence of bits, such that you would get the exact same sequence of bits every time. Also, biometrics are not necessarily confidential: e.g. you show your face to the wide World every time you step out of your home, and many face recognition systems can be fooled by holding a printed photo of the user's face.

Biometrics are good at linking the physical body of a user to the computer world, and may be used for authentication on the basis that altering the physical body is hard (although many surgeons make a living out of it). However, this makes sense only locally.

There is a good illustration in a James Bond movie (one with Pierce Brosnan; I don't remember which exactly): at some point, James is faced with a closed door with a fingerprint reader. James is also equipped with a nifty smartphone which includes a scanner; so he scans the reader, to get a copy of the fingerprint of the last person who used it, and then he just puts his phone screen in front of the reader; and lo! the door opens. This is a James Bond movie so it is not utterly realistic, but the main idea is right: a fingerprint reader is good only insofar as "something" makes sure that it really reads a genuine finger attached to its formal owner.

Good fingerprint readers verify the authenticity of the finger through various means, such as measuring temperature and blood pressure (to make sure that the finger is attached to a mammal who is also alive and not too stressed out); another option being to equip the reader with an armed guard, who checks the whole is-a-human thing (the guard may even double as an extra face recognition device). All of this is necessarily local: there must be an inherently immune to attacks system on the premises.

Now try to imagine how you could do fingerprint authentication remotely. The attacker has his own machine and the reader under his hand. The server must now believe that when it receives a pretty fingerprint scan, it really comes from a real reader, which has scanned the finger just now: the attacker could dispense with the reader altogether and just send a synthetic scan obtained from a fingerprint he collected on the target's dustbin the week before. To resist that, there must be a tamper-resistant reader, which also embeds a cryptographic key so that the reader can prove to the server that:

• it is a real reader;
• the scan it sent was performed at the current date;
• whatever data will come along with the scan is bound to it (e.g. the whole communication is through TLS and the reader has verified the server certificate).

If you want to use the typing pattern, the problem is even more apparent: the measuring software must run on the attacker's machine and, as such, cannot be really trustworthy. It becomes a problem of defeating reverse engineering. It might deter some low-tech attackers, but it is hard to know how much security it would bring you. Security which cannot be quantified is almost as bad as no security at all (it can even be worse if it gives a false sense of security).

Local contexts where there is an available honest systems are thus the contexts where biometrics work well as authentication devices. But local contexts are also those where passwords are fine: if there is an honest verifying system, then that system can enforce strict delays; smartcards with PINs are of that kind: the card locks out after three wrong PINs in a row. This allows the safe use of passwords with low entropy (a 4-digit PIN has about 13 bits of entropy...).

---

Summary: biometrics can bring good user authentication only in situations where passwords already provide adequate security. So there is little economic incentive to deploy biometric devices, especially in a Web context, since this would require expensive devices (nothing purely software; it needs tamper-resistant hardware).

Biometrics are still good at other things, e.g. making the users aware of some heavy security going on. People who have to get their retina scanned to enter a building are more likely to be a bit less careless with, e.g., leaving open windows.

Answer 2

Abstracted across a network, most biometrics implementations can still be boiled down to the category of "something you know". For a discussion of how that happens with "something you have," take a look at How is "something you have" typically defined for "two-factor" authentication?.

Biometrics suffers from a problem where once a credential is compromised, you can't change it. There are also some rather amusing compromises against fingerprint systems. Biometrics are great in certain areas, but logging into my bank account with a generic device and no password is not one of them.

Finally, because there is no uniform standard, there's a cost issue that's hard to surmount. Not only are devices not already an integral part of the computer like a keyboard is, but they different models need different systems to interface with them.

Answer 3

There are significant problems with all of these as a primary identifier.

For example:

• Fingerprints/Palm - What happens if I fall off my bike and scuff my hand across the ground? My fingerprints are ruined for some time - possibly permanently.
• DNA - have you seen how easy it is to pick up blood or other material containing DNA?
• Typing - this has some success, but the responses depend on tiredness, emotional state, differing keyboards etc

They are all susceptible to both false positives and negatives - you can get that crossover point down to a low level, but you can't eradicate it entirely.

When compromised, you cannot change the identifier - this problem rules it out entirely!

Another issue with some of the biometrics generally considered more resistant to attack (for example the retina pattern) is that users really dislike the invasive nature of the scan. While many end users now accept a fingerprint scanner (despite fingerprints being proven not to be unique) having a retina scanner is seen as intrusive and even scary.

So the current process - use ID, password, token etc as initial identifiers (all replaceable if needed - things you know or have ) and a biometric as an additional preventative measure do mitigate the risk of the previous mechanisms being stolen and used by an attacker (something you probably are) seems to be the optimum in terms of:

• support
• resilience
• layered security

Answer 4

One issue with rolling out biometrics everywhere is registration. Should I have to turn up to Facebook's office in Palo Alto with my government-issued ID so that they can fingerprint me before I can log in to their website, versus typing "correcthorsebatterystaple" into my browser? How long would that take for 650M+ users? How many staff? How expensive is it to train the staff? How many errors would they make? Can you accept that many errors? Would users feel comfortable with the idea of Facebook owning their fingerprint details?

Answer 5

Put simply: cost. In this instance cost takes two forms, resource cost and monetary cost. Chances are great that if you have a computer or system of any type (desktop, server, mainframe, distributed, cloud, etc.) it has a built-in authentication mechanism: passwords. The time and money that it takes to bolt-on or integrate biometrics for average uses is too great. Only the most secure environments or data require anything greater than a password.

The most common use cases I see for biometrics are physical security and system log-ins (think Active Directory). Biometrics have a decent adoption rate in physical security because some sort of device is already required for security, a lock or a guard or a laser. Opting for better security and manageability in biometrics is a tangible decision. Regarding system log-ins, what we have already accomplishes the business task of allowing access to a system. The Security Guys are left to deal with all of the repercussions.

Answer 6

Systems can fail, so you need a defense in depth approach. Bio-metric security systems rely upon fuzzing matching. They can suffer from whats called a type-II error, which means an attacker is successfully authenticated.

Also Mythbusters has hacked it. (and they aren't the only ones.)

Answer 7

The many technical problems with biometrics are well canvassed above. Biometrics as a class still faces deep skepticism, and rightly so. Security professionals are conservative and cautious, and they find the following issues problematic:

• Very few of the technologies on the list above are commercially mature. I myself don't know why DNA, gait and smell are even listed in any serious discussion.
• Many biometric products and techniques are barely out of the R&D lab. Cancellable biometrics are still a hot research topic; liveness detection is more theoretical than practical. In security, it is important that candidate solutions are mature, thoroughly shaken down in the real world, and certified. This takes a decade or more.
• All biometric testing is conducted under "Zero Effort Imposter" conditions, where only accidental matches are consiered. There are no standardised testing protocols for evaluating deliberate fraud, which is astonishing when you think about it, for we are talking about security solutions that are used to resist crime. As the FBI says: "For all biometric technologies, error rates are highly dependent upon the population and application environment. The technologies do not have known error rates outside of a controlled test environment" (see http://www.biometriccoe.gov/SABER/index.htm).
• Finally the industry does itself no favours in the way it presents its specifications. In particular, error rates are often presented in a dishonest way, with best case False Match and False Reject rates quoted side-by-side. But the sensitivity-specificity tradeoff means that as False Matches go up, False Rejects go down. Vendors often keep their Detection Error Tradeoff curves secret. I've tried to obtain the DET curves from a particular vascular biometric vendor for five months and have only been stonewalled.

Answer 8

Biometrics (something you are) + password/passphrase (something you know) = 2 factor authentication. That's why they're used together.

The other reason biometrics isn't used more widely is 1) biometric systems are expensive to implement and 2) biometric systems need a very, very low false positive rate. You wouldn't want the system to allow access to someone who had a similar fingerprint/iris/whatever so you'd need many points of reference in the system (fingerprint/iris map) to allow for that kind of accuracy. The caveat to requiring all those points of reference is that the system would need a very reliable way to read your body part each time that is very repeatable and that isn't possible with the biometric readers we have today. You don't swipe your finger the exact same way in a fingerprint reader every time and you don't position your head in an eyeball reader the exact same way every time, but the system would need to demand that level of precision to get all the data points it needs to verify you every time you need access. This leads to a lot of re-swiping/re-scanning which is very frustrating to the user and may lock them out depending on the system.

Answer 9

If your body is your password, and your account is compromised in some way, there's no way to change your password.

Answer 10

Got to remember that many biometrics are not universally available. Some professions (hair-dressing, bricklaying...) routinely render fingerprints unreadable. And that's ignoring congenital defects which render fingers unavailable, or accidents which remove them... A proportion of the population cannot use retinal scanners, either mechanically (reaction to the scanner) or because their retinas are unreadable (medical condition). So the ideal biometric solution would involve multiple methods, not all of which are needed at any one time. The words "huge" and "cost" spring to mind at this point. Multiple simultaneous methods, however, would get around some of the issues of non-uniqueness (as with DNA, for example)...

Answer 11

The biggest problem is implementation. Imagine, for a moment, that Facebook decided passwords were too insecure and determined to go with biometric identification instead. How would they do it? The hardware just isn't there; it's not standard, it's not ubiquitous, it's not well-understood.

Bad example? Ok, then what would be a good example? Your bank? Same problem. Even at high-security terminals such as ATMs, they rely on passwords (4-digit passwords to boot!) primarily because of the inertia in the system which has led people to expect that ATMs use a 4-digit pin, while ATM hardware around the world has no input capability other than the number pad.

Think for a moment about the IPv6 transition: The situation is urgent, the transition is inevitable, the technology is ubiquitous and widely-supported, the cost is minimal. And yet, we're over a decade into the transition, and yet just about right where we're we started at approximately 0% adoption.

Now, consider such a transition to biometrics, where it it's neither urgent nor inevitable, the technology is poorly supported and understood, and the cost is high. Just how long would such a transition take? I dare say such a time will never come.

Answer 12

While many valid points are already discussed, no one yet came up with thoughts with regard to the Fifth Amendment (in US Law) and self-incrimination. There is similar law in other countries as well.

The consensus is, that having a password will put you in advance against law enforcement, because is something that is protected by the amendment, where the biometrics are not.

E.g. you can be forced to give a fingerprint, that subsequently is the used by law enforcement to unlock, say, your phone. However, you can not be forced to tell your/a password.

Among many other posts, there is an article from the TIME Magazine (Why the Constitution Can Protect Passwords But Not Fingerprint Scans), that points it out quite clearly.

Answer 13

It is generally possible to completely avoid situations where it may be necessary to change an authentication credential. On almost any decently-designed system, a password may be replaced if compromise is suspected. By contrast, if an adversary has managed to make a glass duplicate of someone's eyeball, replacing that person's eye is apt to be a much tougher proposition.

Answer 14

Bio-metric identification would seem to hold great promise in many applications. For instance at home diagnosis or having a remote checkup by a medical professional; Allowing students to engage in Computer Based Training, with the instructor's role being that of a 'facilitator' and also providing an environment in which students could progress at their individual pace. Not to mention security clearance when flying from point A to point B. If it's a matter of imperfect technology, then the technology will evolve as long as there is a demand for the product.