Thinking out loud : Biometrics and security.

Using fingerprints, retina scans, facial recognition and other ways of reading parts of our bodies as passwords for logging into services is not the best way to secure our online lives.

I really think we are doing this very wrong.

I agree that biometrics has a place in security, because it provides a large blob of unique data that can be used in authentication, but I think we could find a better place to use it.

I like to look at the implementation in the case where it fails. Think about it. When a password is compromised (it is a matter of when, not if) what is the first thing you do?
You change it.

Can you change your fingerprints? Your face? Your retina? Of course not.

What is the part of the old username/password authentication that almost never changes? Your ID. Be it a username, email address or account number, this unique identifier rarely changes, whereas we need to be able to change our password, and the 2 factor authentication code changes every time.

We really should stop using email addresses as a part of the authentication process anyway as discussed by John McAfee in as it is not secure and prone to phishing. We are not only telling the scammers how we are identified but where to reach us to send bogus requests for password updates.

Why not use our rich source of biometrics to identify us as account holders and avoid using email addresses as a way to tell us apart? Even using a biometrics data blob to act as a private encryption key would be possible.
We can use passwords and 2 factor authentication instead for the other parts of the authentication process.
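As an added illustration of the identifier-versus-secret split argued above (my example, not code from the original post), this assumes the biometric subsystem yields a stable template as bytes and treats it purely as a lookup key, while the password hash and TOTP seed are the rotatable secrets:

```python
import hashlib, hmac, os, secrets, struct, time

# Constructed model: biometric template digest -> credential record.
# The biometric is a stable, non-secret identifier; the password hash and
# the TOTP seed are the secrets that can be rotated after a compromise.

def biometric_id(template: bytes) -> str:
    # Assumes the enrolment/scan pipeline returns the same bytes each time.
    return hashlib.sha256(template).hexdigest()

def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def totp(seed: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 time-based code derived from the rotatable TOTP seed.
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class AccountStore:
    def __init__(self):
        self.accounts = {}

    def enroll(self, template: bytes, password: str) -> bytes:
        salt, pw_hash = hash_password(password)
        seed = secrets.token_bytes(20)
        self.accounts[biometric_id(template)] = {"salt": salt, "pw": pw_hash, "seed": seed}
        return seed  # provisioned to the user's authenticator app

    def authenticate(self, template: bytes, password: str, code: str, now=None) -> bool:
        rec = self.accounts.get(biometric_id(template))  # identifier lookup only
        if rec is None:
            return False
        _, candidate = hash_password(password, rec["salt"])
        pw_ok = hmac.compare_digest(candidate, rec["pw"])
        t = now if now is not None else int(time.time())
        otp_ok = hmac.compare_digest(code, totp(rec["seed"], t))
        return pw_ok and otp_ok

    def rotate(self, template: bytes, new_password: str) -> bytes:
        # Compromise response: the identifier stays, both secrets change.
        rec = self.accounts[biometric_id(template)]
        rec["salt"], rec["pw"] = hash_password(new_password)
        rec["seed"] = secrets.token_bytes(20)
        return rec["seed"]
```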

We have been using this technology for a while now so it should be no problem to change the way we use it to ensure that our security is more robust and we can look forward to a time where insecure email is eventually phased out as an authentication step.

There are some really clever people working on authentication that will not only make things more secure but make this better security easy to use, which is the key part of seeing a particular security technology gain popularity over others. I hope that if they use biometrics we see them implement it as an identifier, not a password.

Oh, and when I hear people complain about having to use account names, passwords and 2 factor authentication devices I like to remind them that 20 years ago we seldom worried about locking our cars and houses but today we lock and arm alarms without even thinking about it. It is a question of adopting it as a part of our culture as we become more security aware.