Thursday, March 25, 2021

Biometrics can't be trusted for remote access

There is a general misconception that biometrics are inherently more secure than passwords when used for remote authentication. This is because of the way the industry markets fingerprint and face recognition for authentication.
Biometrics that target the general public, like those integrated into smartphones and other devices, are meant to provide users with convenience, not to improve security. After all, security is one thing and convenience is another.





That being said, for all the advances they have seen, biometric sensors are still not infallible, as you can see in the video that shows how it is possible to fool Face ID on the iPhone X with a 3D-printed mask.
While faking or cloning biometric characteristics is not an easy task, a strong password remains the most reliable medium for remote authentication. This is because some of the attack vectors that target biometric authentication systems are conducted through visually obtainable information, whereas attack vectors that target password-protected systems focus on retrieving secrets.


Biometrics are not reliable for remote access
Biometrics are only reliable when used on site and under supervision. A typical use case is controlling access to restricted areas, like office space and labs, where security agents have eyes on the access points and the visual identities of staff members are known in advance.

Convenience may come at the cost of security
Banks and other online services have introduced fingerprinting to authenticate their clients remotely. However, there are always considerations of user convenience, which is why less attention is paid to low-probability risks, such as a victim being forced to unlock an app or a device with her fingerprints or her Face ID. Just think for a moment: you might forget your password under pressure, or show some resistance in the hope of getting help before revealing your password, but your fingerprints are right there and are not going to fade away... unless you are a Terminator!

Takeaway

Biometric authentication comes with more risks for remote access than for local access. The desired reliability depends not only on the cutting-edge technology of the sensors, but also on the environment that hosts that technology.
A strong password is a very secret piece of information; however, a biometric characteristic can't be qualified as strong or weak, since it doesn't change.



