Biometric authentication replacing passwords: Does authentication get better or worse?

(Author's note: For the sake of this article, we will consider only finger-printing as a biometric authentication solution.)

In today's world the use of passwords is the default mechanism of authentication. From our desktop to e-mails, from chat programs to online banking, we need passwords to authenticate ourselves to the system. In short, they are a part of our day-to-day life. Although password usage is the most commonly used authentication scheme, it also has a lot of problems associated with it in terms of security. Let's take a look at those problems and then compare it with biometric authentication and see if that's any better.

Password authentication

1. Password selection: Since the password comes out of a human mind, one issue that arises is when people select weaker passwords. Weak passwords are easily predictable or can be easily broken with the use of technology.
2. Input mechanism: With tools like keylogger and attacks like phishing, a password can be stolen while it is being input into the system.
3. Transmission channel: After the password is input and transmitted to the server, it goes through the Internet, which is not secure. Anyone can retrieve the passwords using sniffing tools, unless that transmission channel or the password being sent is encrypted.
4. Password storage: If people get unauthorized access to the database that contains passwords, then those passwords are vulnerable. Outside attackers can get unauthorized access to the database that stores passwords through a SQL injection attack.
5. Social engineering: Attackers can get people to reveal their passwords by pretending to be someone else.

Biometric authentication

1. Password selection: There is no password in biometrics. We have only our fingerprint. That means I have only one password for everything. Weak passwords are eliminated. Problem solved! Now ask yourself, what if someone stole your fingerprint. Can you change your fingerprint like you can change your password if it is stolen?

Authentication  articles Banking on multifactor authentication The insecurity of two-factor authentication The risks of failing to authenticate

2. Input mechanism: This problem remains the same. Currently, there are tools that log your keystrokes secretly and send them to the attacker. Tomorrow there will be tools that steal your fingerprint while you are scanning and send it secretly to the attacker.
3. Transmission channel: This problem also remains. Unless the transmission channel is secure or your fingerprints are encrypted, they are also prone to sniffing attacks and can be stolen.
4. Fingerprint storage: This faces the same problem as that of passwords. If malicious people can access the data storage that stores fingerprints, they can steal fingerprints as well.
5. Social Engineering: This problem might go away, as people won't give anyone their fingerprints via e-mail or the telephone. But if an attacker were to contact them in person, he could get their fingerprints.

Most importantly, what would scare you more: if your password were stolen or your fingerprints? Remember, fingerprints can be misused in more then one way.

As you can see, biometric authentication gives us more questions than answers. With Bill Gates suggesting that they want to do away with passwords, it would be interesting to see what kind of approach Microsoft takes. Even with all the issues surrounding passwords, I don't think they are going away anytime soon.

-------------------------------
About the author: Anurag Agarwal, CISSP, works for a leading software solutions provider where he addresses different aspects of application security. You may e-mail him at anurag.agarwal@yahoo.com.