Biometric authentication replacing passwords: Does authentication get better or worse?

(Author's note: For the sake of this article, we will consider only finger-printing as a biometric authentication solution.)

In today's world the use

Requires Free Membership to View

of passwords is the default mechanism of authentication. From our desktop to e-mails, from chat programs to online banking, we need passwords to authenticate ourselves to the system. In short, they are a part of our day-to-day life. Although password usage is the most commonly used authentication scheme, it also has a lot of problems associated with it in terms of security. Let's take a look at those problems and then compare it with biometric authentication and see if that's any better.

Password authentication

  1. Password selection: Since the password comes out of a human mind, one issue that arises is when people select weaker passwords. Weak passwords are easily predictable or can be easily broken with the use of technology.
  2. Input mechanism: With tools like keylogger and attacks like phishing, a password can be stolen while it is being input into the system.
  3. Transmission channel: After the password is input and transmitted to the server, it goes through the Internet, which is not secure. Anyone can retrieve the passwords using sniffing tools, unless that transmission channel or the password being sent is encrypted.
  4. Password storage: If people get unauthorized access to the database that contains passwords, then those passwords are vulnerable. Outside attackers can get unauthorized access to the database that stores passwords through a SQL injection attack.
  5. Social engineering: Attackers can get people to reveal their passwords by pretending to be someone else.

Biometric authentication

  1. Password selection: There is no password in biometrics. We have only our fingerprint. That means I have only one password for everything. Weak passwords are eliminated. Problem solved! Now ask yourself, what if someone stole your fingerprint. Can you change your fingerprint like you can change your password if it is stolen?
  2. Authentication  articles

    Banking on multifactor authentication

    The insecurity of two-factor authentication

    The risks of failing to authenticate

  3. Input mechanism: This problem remains the same. Currently, there are tools that log your keystrokes secretly and send them to the attacker. Tomorrow there will be tools that steal your fingerprint while you are scanning and send it secretly to the attacker.
  4. Transmission channel: This problem also remains. Unless the transmission channel is secure or your fingerprints are encrypted, they are also prone to sniffing attacks and can be stolen.
  5. Fingerprint storage: This faces the same problem as that of passwords. If malicious people can access the data storage that stores fingerprints, they can steal fingerprints as well.
  6. Social Engineering: This problem might go away, as people won't give anyone their fingerprints via e-mail or the telephone. But if an attacker were to contact them in person, he could get their fingerprints.

Most importantly, what would scare you more: if your password were stolen or your fingerprints? Remember, fingerprints can be misused in more then one way.

As you can see, biometric authentication gives us more questions than answers. With Bill Gates suggesting that they want to do away with passwords, it would be interesting to see what kind of approach Microsoft takes. Even with all the issues surrounding passwords, I don't think they are going away anytime soon.

About the author: Anurag Agarwal, CISSP, works for a leading software solutions provider where he addresses different aspects of application security. You may e-mail him at anurag.agarwal@yahoo.com.


This was first published in April 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.