No more passwords? The problem with biometrics
By Keith Rozario October 21, 2015
- Using a different password for each service is safest, but it’s hard to do
- Careful jumping onto biometric bandwagon however; it’s a bumpy ride
PASSWORDS have always been a problem.
For a password to be adequately secure, it needs a certain amount of randomness (entropy, in geek-speak) so that it can't be easily guessed.
The password 'monkey' is less secure than the password 'k3ithI$one$3xydev1l', but the latter is inherently harder to remember (although still very true).
In today’s world, you should use a different password for each service. Your JobStreet credentials should be different from your online banking credentials. This way, if someone hacks into JobStreet or LowYat and compromises their passwords, your banking credentials remain secure.
What people often do is re-use one password across all their services, which means that a compromise on one service is as good as a full-blown compromise across your entire online identity – a hack on that nutrition forum you visited could cause you to lose your life savings.
Therein lies the trade-off: An easier-to-remember password is also easier to guess, hence easier to hack (Google 'the fappening' if you need more convincing), while a hard-to-guess password is harder to remember, and near impossible to manage if you need to remember a different one for each of your online services.
Which suggests that the problem isn’t passwords per se, but rather our human inability to remember long, un-guessable passwords.
Computers have long out-stripped us in this arena, and trying to overcome that is pretty much unthinkable at this point.
But what is the solution then? Well, in general we have two partial solutions.
The first is to use a password manager, like LastPass, which stores a unique password for each of your online services, while requiring you to remember only one.
Basically, it stores your passwords in a 'vault' that is encrypted with a key derived from a master password known only to you. When you use LastPass, you download the encrypted vault from the LastPass servers and decrypt it locally with your (hopefully) hard-to-guess master password; the servers only ever hold the encrypted blob.
This way you can have unique, hard-to-guess passwords for all your services.
But there's a catch: LastPass itself then becomes a high-value target for attackers.
Thankfully, because the vault is encrypted before it leaves your device, a breach of the LastPass servers yields only ciphertext that an attacker still has to crack, and LastPass also provides the option of two-factor authentication (2FA) on top.
Now, LastPass just happens to be the password manager I use, but most other password managers would do just fine.
The one strongest piece of security advice I could give you is to use a password manager. It will reduce a lot of your headaches.
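As an added illustration of the vault mechanism described above (example code written for this page, not LastPass's own implementation): the master password is stretched with PBKDF2 into an encryption key and a MAC key, the vault is encrypted and authenticated on the client, and the sync server stores only the resulting blob. The HMAC-in-counter-mode keystream is a stand-in for a real cipher such as AES-GCM, used only because the Python standard library has no authenticated cipher; the iteration count, key sizes and the sample vault entries are assumed values.

```python
"""Added example: a client-side encrypted password vault (not LastPass code).
Only the Python standard library is used."""
import hashlib
import hmac
import json
import os
import struct

PBKDF2_ITERATIONS = 100_000  # assumed work factor; real managers tune this


def derive_keys(master_password, salt):
    """Stretch the master password into an encryption key and a MAC key.
    PBKDF2 is deliberately slow: anyone who steals the encrypted vault has to
    pay this cost for every master-password guess."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a keystream generator. This stands in for
    a real cipher such as AES-GCM, which the standard library does not provide."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


def seal_vault(master_password, entries):
    """Encrypt and authenticate the vault on the client. The returned blob is
    what a sync server stores: random salt and nonce, ciphertext and tag, but
    no key material and no plaintext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ct = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_vault(master_password, blob):
    """Decrypt a downloaded blob. Returns the entries, or None if the master
    password is wrong or the blob was tampered with. The tag is checked first,
    so nothing is decrypted until the data is authenticated."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ct, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(xor_bytes(ct, keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    # Constructed sample entries; not real credentials.
    blob = seal_vault("correct horse battery staple", {"jobstreet": "pw-one", "bank": "pw-two"})
    print("server stores:", blob)
    print("right password:", open_vault("correct horse battery staple", blob))
    print("wrong password:", open_vault("correct horse battery stapler", blob))
```

The point to take from it is where the work happens: the master password never leaves the device, and everything the server holds is useless without it. A wrong master password or a single flipped ciphertext byte is rejected by the tag check before any decryption, which is the behaviour you want when the stored blob is the thing an attacker is most likely to get hold of.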
Biometrics and permanence
The second option is to use biometric authentication. Your thumbprint or retina scan is unique to you, and is quite hard to guess. So obviously that's a good place to start.
But there is a problem with biometrics that makes me shudder at the thought of ever using it as an authentication mechanism: It’s PERMANENT.
Passwords and credit cards are mostly temporary. A new credit card, with a new number, can be issued to you in days, a password can be reset in minutes … but a thumbprint is forever.
You’re vulnerable when your credit card gets stolen, but that vulnerability disappears the moment you cancel the card.
If your biometric data is stolen, the vulnerability continues in perpetuity because your thumbprint and retina scan are yours for perpetuity. If the bank loses your thumbprint data, it can’t issue you a new thumb … and that’s a problem.
This isn’t a theoretical scenario either. The breach of the US Office of Personnel Management (OPM) was disclosed in June, and the hackers carted away the fingerprints of more than 1.1 million US federal personnel.
And as technology moves more and more into biometrics, that stolen data only grows in value.
Many in the Obama Administration think that the Chinese Government was responsible for the hack, which is a double-edged sword for the victims.
After all, having a government steal your data is probably better than having a Russian crime syndicate steal it, but then again, these are US Government employees, some of whom may have had a bright career ahead of them – cut down because a foreign government now has their data.
If your fingerprints are known to the Chinese Government, you’re not going to be the one authorising nuclear launches in the foreseeable future. In fact, in an ironic twist, CIA (Central Intelligence Agency) operatives in Beijing were recalled, precisely because their names were not on the list of victims, singling them out in what was supposed to be a covert operation.
Hence these CIA operatives, who were not part of the OPM breach, were sort of secondary victims of a primary crime.
One-way functions to the rescue
There are some ways to limit the damage associated with biometrics while still enjoying the benefits and ease they provide.
One of them is to apply a one-way function to the digital data. A one-way function is a mathematical function that is easy to compute in one direction but infeasible to reverse, sort of like a check valve that lets water flow one way but not back.
In primary school arithmetic, we’re used to seeing two-way functions that can be easily reversed: addition one way, subtraction the other; multiplication one way, division the other. In each of these cases the effort is almost equal in either direction.
But consider a square function, one where a number is multiplied by itself. So the square of 5 is 25, and conversely the square root of 25 is 5.
Now, if I asked you to calculate with just a pen and paper the square of 9,876,293,232,980, it may take you some time, but it’s possible. If instead, I asked you to calculate the square root of 97,541,168,023,806,540,559,680,400 with just a pen and paper, you might as well not even start.
The effort required to take a square root is far greater than the effort to square a number, at least by hand (a computer finds square roots quickly, which is why this is only an analogy). One-way functions are the extreme of this: once the function has been computed, there is no practical way to go back.
But what do one-way functions have to do with biometrics?
Well, if instead of storing your fingerprint, I stored the output of a one-way function applied to the digitised scan of your fingerprint (remember, ‘digital’ means digits, hence numbers), I could authenticate your fingerprint without ever storing your biometric information. This is also the proper way to store passwords: a salted, deliberately slow hash of the password, never the password itself.
This reduces the effect of a hack, as the hackers can’t get your fingerprint from the hacked data.
To keep the analogy, instead of storing your actual password 9,876,293,232,980, I would store its square, knowing that even if the attacker knew the square they wouldn’t be able to take the square root to get the password (it’s a poor analogy, but one that works).
The problem with this approach is that a hash cannot tolerate approximate matches: a partial fingerprint can’t be checked against it, because the template has to be hashed and compared as an indivisible whole.
Cryptographic one-way functions also have what is called the avalanche property: even a one-bit change in the input produces a completely different output. So a slight change to your fingerprint, because you burnt your finger while cooking some chicken curry, would force you to re-enrol, whereas a system that compares a fresh scan against a stored scan can simply allow a threshold of variability.
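The two points above, as an added example written for this page (not the author's code): passwords stored as a salted, slow hash verify cleanly because the user types exactly the same string every time, while a fingerprint template put through the same treatment only matches a bit-for-bit identical scan. The 'template' is a constructed 512-bit byte string standing in for a real feature vector, the rescan is that template with four bits flipped, the impostor is its complement, and the PBKDF2 iteration count and the 16-bit match threshold are assumed values.

```python
"""Added example: one-way hashing works for passwords but defeats the
approximate matching that fingerprints need. Standard library only."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; assumed for the demo


# --- passwords: the "proper way" mentioned above -----------------------------
def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash.
    The salt defeats precomputed tables; the iteration count slows each guess."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- fingerprints: the same trick applied to a noisy input --------------------
def hamming(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bits(template, positions):
    t = bytearray(template)
    for p in positions:
        t[p // 8] ^= 1 << (p % 8)
    return bytes(t)


# Constructed 512-bit "template": a stand-in for a feature vector, not derived
# from any real biometric data.
ENROLLED = bytes(range(64))
# A later scan of the same finger: 4 of 512 bits differ (sensor noise, a small cut).
RESCAN = flip_bits(ENROLLED, [3, 100, 257, 400])
# A maximally different template stands in for somebody else's finger.
IMPOSTOR = bytes(b ^ 0xFF for b in ENROLLED)


def match_raw(stored_template, scan, threshold=16):
    """What fingerprint matchers actually do: accept if the scan is close enough.
    This needs the raw template on disk, which is exactly the permanence problem."""
    return hamming(stored_template, scan) <= threshold


def enrol_hashed(template):
    """Store only a one-way hash of the template, password-style."""
    return hashlib.sha256(template).digest()


def match_hashed(stored_hash, scan):
    """Hash the fresh scan and compare: only an identical scan ever matches."""
    return hmac.compare_digest(hashlib.sha256(scan).digest(), stored_hash)


def hash_bit_difference(a, b):
    """How many of the 256 output bits differ between the hashes of two inputs."""
    return hamming(hashlib.sha256(a).digest(), hashlib.sha256(b).digest())


if __name__ == "__main__":
    rec = hash_password("k3ithI$one$3xydev1l")
    print("password ok:", verify_password("k3ithI$one$3xydev1l", rec))
    print("template bits changed on rescan:", hamming(ENROLLED, RESCAN))
    print("raw match on rescan:", match_raw(ENROLLED, RESCAN))
    print("hashed match on rescan:", match_hashed(enrol_hashed(ENROLLED), RESCAN))
    print("hash bits changed on rescan:", hash_bit_difference(ENROLLED, RESCAN))
```

Four changed input bits leave the raw matcher happy but flip roughly half of the 256 hash bits, so the hashed matcher rejects the legitimate user. The only way to get both approximate matching and no stored template is a purpose-built construction (fuzzy extractors and similar biometric cryptosystems), which is a research area rather than something to assume a bank's enrolment system does.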
Finally, there is central versus decentralised storage. If your biometric information were stored only on your phone, a theft would still be a problem, but a much smaller one than a breach of a central server holding 1.1 million fingerprints.
A phone with just one thumbprint on it is also a far less attractive target to criminals, which reduces the likelihood of an attack in the first place.
The reason I bring one-way functions and central storage up, is because I think that if anyone wants to store your biometric data, they need to be upfront about how they store that data, and then the user has to make a conscious decision about whether to proceed or not.
Most regular users are probably not aware of the dangers of using biometrics, and could wind up losing more than they bargained for.
Knowing whether a service that uses biometric authentication stores hashes (rather than raw scans), and where that data is stored, is something everybody should be aware of; and if my layman reading of Malaysia’s Personal Data Protection Act is correct, it is actually a legal right you have.
So if a bank wants to get you to jump onto the biometric validation bandwagon, my advice is to first ask them how they store the data and where, before you make a decision about what you want to do.
Without that information, I’d wait out this biometric sensation, and hope for other alternative forms of authentication that won’t be so permanent.
Because if the Office of Personnel Management for the world’s most powerful nation can be hacked, I’m sure a bank in Malaysia could be as well.
Keith Rozario blogs at keithRozario.com covering technology and security issues from a Malaysian perspective. He also tweets from @keithrozario. This article first appeared on his blog and is reprinted here with his kind permission.