Thoughts on Biometric Passwords

Wolfgang Schauble, Germany’s interior minister and adamant supporter of biometric authentication, seems to be waiting for the day when biometric technology will be available on a large scale and passwords will be a thing of the past.

But recently the Chaos Computer Club, Europe’s largest hacker group, caused a fuss when a recent issue of Die Datenschleuder printed Schauble’s own fingerprint.

The stir raised the question: how is reusing my fingerprint everywhere any different from, or safer than, reusing the same password everywhere? Should it really become a widespread authentication method? And most importantly, how safe is it really?

The Register reported Karsten Nohl, who engineered the hack, as saying “It’s basically like leaving the password to your computer everywhere you go without you being able to control it anymore.”

Comparing Passwords & Fingerprints

We all know by now that reusing the same password is practically like handing over your identity to someone and giving them the entry way to sensitive information. And we all know that making strong, unique passwords for every single site you visit – and remembering them – is something of a nightmare. Even formulas and tricks fall short of solving the problem. That’s where password managers come in handy.

Passwords vs. Fingerprints

Passwords: If someone captures your password, they can use it to log in everywhere you can.
Fingerprints: If someone captures your fingerprint, they can use it everywhere you can.

Passwords: Bots scan the web looking for unprotected passwords to capture.
Fingerprints: Scanners can be placed in common objects (public doorways, countertops at the cashier) looking for unprotected fingerprints to capture.

Passwords: If stolen, you must change the password on all sites, hopefully before any damage is done.
Fingerprints: If stolen, you can’t change your fingerprints.

Fingerprints are Everywhere

We know more or less how to protect ourselves when it comes to modern ‘identity scams’ – be careful about giving out personal information, protect your mail, be smart about passwords and PINs and so on. But how exactly would we protect ourselves from biometric identity theft?

Schauble’s fingerprint was said to have been captured off a water glass he used last summer while participating in a public discussion at a university in Berlin.

Do future preventative measures include wearing gloves at all times in public to leave no trace of fingerprints? Will we eventually have to avoid looking straight into public mirrors for fear of exposing our irises to a hidden scanner?

It may seem a bit extreme but then again…

History Repeats Itself

According to a Marines memo, on July 21, 2003, the FBI and Federal Trade Commission first reported the existence of a new form of identity theft known as “phishing”. In 2007, just 4 years later, Gartner reported ‘The overall cost to consumers of online fraud [approached] $3 billion, compared with $2 billion in losses reported [in 2006], while more than three million consumers [were] victimized. This upward trend is expected to continue as phishing expeditions get more sophisticated and security upgrades play catch-up.’

Will this upward trend prove true for biometric phishing as well? And do the potential consequences really outweigh the potential benefits? Think about it – every child in the US is finger and footprinted at birth. Every foreign visitor to the US is fingerprinted and photographed. In fact, The Department of Homeland Security ‘plans to replace the current two-fingerprint scanners with new 10‑fingerprint scanners at all U.S. ports of entry over the next year.’

It doesn’t stop at government involvement – some companies are indexing the world’s DNA.

Right from the get go, your “authentic passwords” are stored. And these will be a bit more difficult to regenerate should they get stolen.


Thanks to Louise for contributing this article.


6 responses to “Thoughts on Biometric Passwords”

  1. Sorry to post this here but I already wrote support and did not get a good response.

    The 1 Click Auto-login could be even better. It would be great if, when you clicked a link in your password manager, it would auto login when that page starts.

    Maybe you could use greasemonkey to replace the passpack it button.

    I flipping love you guys’ tool! Keep up the great work.

    If you did this one thing I would make your site my homepage.

    regards,

    paul

  2. A centralized login process would increase security (though some users prefer anonymity).

    E.g. login to secure.com. There you have a list of sites that can access part of your information (your bank has access to your SSN, forum X has access to your mail address and nothing more, …). Clicking on any site would bring up its homepage with you already logged in (by a certificate or another method).

    Anonymity could be achieved like this: when you create a new account on a forum you generate from secure.com a random link that will allow the forum to access your mail address.
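The scheme sketched in the comment above, written out as an added illustration (not PassPack’s code and not the commenter’s): a hypothetical hub, standing in for “secure.com”, mints a random per-site link that releases only the attributes chosen for that site, refuses the link when a different site presents it, and can revoke one site without touching the others. Site names, attribute names and profile values are constructed.

```python
import secrets

class IdentityHub:
    """Minimal model of the per-site, attribute-scoped link idea (hypothetical)."""

    def __init__(self, profile):
        self._profile = dict(profile)   # e.g. {"email": ..., "ssn": ...}
        self._grants = {}               # link token -> (site, allowed attribute names)

    def create_link(self, site, attributes):
        """Mint an unguessable link for `site` that can release only `attributes`."""
        unknown = set(attributes) - self._profile.keys()
        if unknown:
            raise ValueError(f"no such attributes: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)   # 256 random bits, URL-safe
        self._grants[token] = (site, frozenset(attributes))
        return token

    def release(self, site, token):
        """Called when `site` presents a link; returns only what that site was granted."""
        grant = self._grants.get(token)
        if grant is None:
            return None                      # unknown or revoked link
        granted_site, allowed = grant
        if granted_site != site:
            return None                      # a link leaked to another site is useless there
        return {k: v for k, v in self._profile.items() if k in allowed}

    def revoke(self, token):
        """Cut one site off without affecting any other site's link."""
        return self._grants.pop(token, None) is not None

def demo():
    # Constructed profile: the forum only ever sees the email, the bank sees both.
    hub = IdentityHub({"email": "user@example.invalid", "ssn": "000-00-0000"})
    forum_link = hub.create_link("forum.example", ["email"])
    hub.create_link("bank.example", ["ssn", "email"])
    forum_sees = hub.release("forum.example", forum_link)   # {"email": ...}
    crossed = hub.release("bank.example", forum_link)       # None: bound to the forum
    hub.revoke(forum_link)
    after_revoke = hub.release("forum.example", forum_link) # None: revoked
    return forum_sees, crossed, after_revoke
```

The random link is the only thing the forum holds, so losing it costs one site’s scoped access rather than the whole identity, which is the anonymity property the comment is after.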

  3. @Paul
    Yes, well rather than create a greasemonkey script, we’ll probably go straight for the plugin/toolbar. We’ll still leave the current bookmarklet because it’s useful when on a PC that isn’t yours since it doesn’t require installation.

    Thanks for the love [smile]

    @Vaida
    Sounds a lot like OpenID (or am I misinterpreting your comment?). You’re right though: not much room for anonymity in a federated identity platform, especially if it were to get tied to offline identifying personal information like biometric data.

    Cheers!

  4. Pingback: Biometric Passwords… Again « PassPack Blog

  5. Thor M.K.H

    It’s certainly interesting to see how the times have changed. In the earlier days of fingerprints and security it was considered a difficult task to “get” someone’s fingerprint, thus people thought of it as a very safe way.
    Now however, it’s just so different. It’s a lot easier to just scan your finger each time you want to login, but just as having the same password everywhere – easy isn’t always safe.

    Anyway, Paul’s suggestion is plausible and sounds nice. Though, there are times when it’s good to NOT login when you first arrive at the website.

  6. @Thor
    Yes, I completely agree – on both points. :)
