Passwordless = secretless?
Lately I have been seeing more writing than usual on how pernicious passwords are. Not all of it by vendors of passwordless solutions. These vendors’ products fall into two categories: password vaults, with or without browser plugins; or single sign-on (SSO) solutions, with or without user federation. Sometimes coupled with biometrics-based authentication.
Why this recent rise in such writing should have happened is not hard to figure. With home offices during the pandemic, users have had more experience with passwords in a corporate setting, and tech support has been correspondingly more strained by it.
That the use of passwords has problems need not be laboured. It does.
The only mercy on that front is that the virtue of frequently changing passwords has finally been seriously questioned. The more often a password is changed, the more likely it is to be written down, or to be derived from a past password or from well-known information. This is obvious to anyone who has passwords, but apparently not to those writing policy on their management.
Complex, unique passwords that are rarely changed are better than derivative passwords that are often changed.
What’s the alternative? SSO: you log in once and the session is essentially reused wherever needed; this mitigates the problem, but can be a bear to set up. Federation: you log in once and the identity itself is passed around; very secure, but even more work to set up. Password vaults? The browser’s default vault: weak security. A plugin with off-browser storage: can be quite nice, but still password protected. And neither of those vaults supports off-browser logins.
Having set up plenty of SSO and federation solutions in my time, I am no stranger to what an ordeal such implementations can be. Password vaults in browsers are a lot easier in this regard. Yet they still involve passwords, since the user’s accounts have them. If letting your browser store your passwords is not “on”, there are plugin solutions that do the same thing and store those passwords centrally (Okta is an example). Not all applications are browser-based, of course. So you have stand-alone password vaults that let you store and retrieve at will. But those vaults have passwords themselves (which at least addresses the problem with the browser’s default password vault: no protection). So the problem of passwords has just shifted.
Enter biometrics. Not As Bad As It Used To Be is the phrase that most commonly follows any mention of biometrics. Face scanning is no longer just for Bond villains. Regular people do it too. Fingerprint scanning is more reliable, as in actually allowing you access, but has been regularly fooled by photographs of fingers. Or actual fingers, as seen in any number of movies. Not that getting out the bolt cutter is needed. Getting hold of a person’s fingerprints is trivially easy. A face, even more so. Assuming the scanner is not fooled by a mere picture held up in front of it, 3D printing will get the job done. 3D printing a face from a mere picture? Ever heard of a stereoscope? Older than the cinematograph. Of course 3D printing a face from some sneakily obtained pictures is a serious commitment, and at the moment doable only by dedicated specialists. There will be an app for that within 5 years.
Ever notice that in the cases appearing in the press over the last decade or so, where law enforcement officials had difficulties accessing a person’s electronic devices, none of the devices were protected by biometrics? Ever wonder why?
Passwords are secrets. In the crypto literature they are not even called passwords but rather secrets. Something only you know, the provision of which proves you are you. Biometrics are by definition not secret. Obscure perhaps, but never secret. Law enforcement loves biometrics. As well they should.
Fundamentally, replacing passwords with biometrics is like saying that you have no true secrets.
Let me flesh that last bit out a little. A secret is not a scalar quantity, as they say in mathematics. There is more to it. A vector, as it were. Specifically, secret from whom is that extra dimension.
To say you have a secret is to say you have a secret from someone, possibly everyone. It is fundamentally a statement defining a group of persons: those who have access to the secret. Perhaps only one person: you.
Password security is knowledge-based and biometric security is object-based. And objects are not secret in the way knowledge can be. Access to those objects cannot be controlled in the way access to knowledge can be. The group with access to the object is never a group of one.
Does this mean biometric authentication is a red herring, or worse? No. Access control is an implementation of risk management, in which the various authentication mechanisms are selected to match the level of identity assurance required. But to say that biometrics are always more secure than passwords is to overlook their intrinsic weakness: they aren’t secret.