Deb Shinder is the resident MVP at Sunbelt Software. One of her posts caught my eye and I felt the urge to post about it: Passwords: A Thing of the Past? In it she advocates using biometrics as a replacement for passwords. Here are my (not so positive - as you may have guessed) thoughts on it:
- The big problem (aside from false positives and false negatives) of biometrics is that they can't be changed. As soon as somebody gets your fingerprint, you really don't have any solution for it (you can't
- She also fails to mention in the article that biometrics doesn't give you any additional security unless the endpoint security is assured. Put another way: nothing in biometrics prevents an attacker from using a replay attack (because it's not your fingerprint / retina scan which is sent over the network, it's a set of bits generated from them, which can be captured - most conveniently at the endpoints - and replayed easily). Compare this with a well-implemented token system where the generated data is specific to the time and the sum transmitted (in the case of a bank transaction, for example), so capturing and replaying it would be useless.
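To make the replay point concrete, here is an added example (my own illustration, not code from Deb Shinder's article or from Sunbelt). It assumes a hypothetical endpoint that compares a fixed biometric-derived digest, and a hypothetical bank-side verifier for a token that MACs the amount and the time; the secrets, the 60-second window and the fixed clock are constructed values. Running it shows that the captured biometric bits verify again on replay, while the same capture of a transaction-bound token is rejected on replay, on a changed amount and after the window has passed.

```python
import hashlib
import hmac

# Constructed demo values (not from the original post): a stored "biometric
# template" as an endpoint would hold it, and a per-user secret that a
# hardware token and the bank would share.
STORED_TEMPLATE = hashlib.sha256(b"constructed-fingerprint-minutiae").digest()
TOKEN_SECRET = b"constructed-per-user-token-secret"


def verify_biometric(submitted: bytes) -> bool:
    """Naive endpoint check: the sensor emits the same derived bits every time,
    so whoever captured them once can submit them again."""
    return hmac.compare_digest(submitted, STORED_TEMPLATE)


def make_transaction_token(secret: bytes, amount: int, timestamp: int) -> str:
    """Token side: a MAC over the amount and the time, so the value is only
    good for this sum in this time window (the 'well-implemented token')."""
    msg = f"{amount}|{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class TransactionVerifier:
    """Bank side: recompute the MAC, enforce the time window, and refuse a
    token that has already been accepted once."""

    def __init__(self, secret: bytes, window_seconds: int = 60):
        self.secret = secret
        self.window = window_seconds
        self.accepted = set()  # tokens already spent within the window

    def verify(self, amount: int, timestamp: int, token: str, now: int) -> bool:
        if abs(now - timestamp) > self.window:
            return False  # stale: outside the acceptance window
        expected = make_transaction_token(self.secret, amount, timestamp)
        if not hmac.compare_digest(expected, token):
            return False  # amount or time tampered with, or wrong key
        if token in self.accepted:
            return False  # exact replay of a token already spent
        self.accepted.add(token)
        return True


def run_demo() -> dict:
    """Replay the same captured data against both schemes; return outcomes."""
    results = {}

    # Scheme 1: static biometric-derived bits. Capturing them once is enough;
    # the endpoint cannot tell the replay from the original.
    captured = STORED_TEMPLATE
    results["biometric_first_use"] = verify_biometric(captured)
    results["biometric_replay"] = verify_biometric(captured)

    # Scheme 2: transaction-bound token. The same capture is useless a second
    # time, for a different sum, or after the window has passed.
    bank = TransactionVerifier(TOKEN_SECRET, window_seconds=60)
    now = 1_700_000_000  # constructed fixed clock so the demo is deterministic
    token = make_transaction_token(TOKEN_SECRET, amount=100, timestamp=now)
    results["token_first_use"] = bank.verify(100, now, token, now)
    results["token_replay"] = bank.verify(100, now, token, now + 5)
    results["token_amount_changed"] = bank.verify(1000, now, token, now + 5)
    later = make_transaction_token(TOKEN_SECRET, amount=50, timestamp=now)
    results["token_expired"] = bank.verify(50, now, later, now + 3600)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The replay set is what turns a time window into an actual one-time check; without it, the token could still be reused within the 60 seconds, which is why a real deployment also keeps a counter or nonce per token rather than relying on the clock alone.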
In conclusion: biometrics is nothing more than a hyped version of the "remember my password" feature found in all current browsers. It provides virtually no added protection over passwords and is purely a convenience enabler. (I must mention that there is one situation where it has added value over passwords: when protecting against the threat of someone watching you as you type your password.)