Slashdot Asks: Should Businesses Switch To Biometric Passwords? (hbr.org)
This question was inspired by a recent article in Harvard Business Review: It's become abundantly clear that passwords are an untenable way to secure our data online. And asking your customers to keep track of complicated log-in information is a terrible user experience... The threat to security when relying on passwords is one reason businesses are increasingly migrating to biometric systems. Identity verification through biometrics can ensure greater security for personal information, while also providing customers with a more seamless experience in the digital environment of smartphones, tablets, sensors, and other devices... the idea is to verify someone's identity with a high degree of assurance by tying it to multiple mechanisms at once, known as biometric modalities [which] when used in concert, can provide a significantly safer environment for the customer, and are much easier to use... [I]f an app simultaneously requires a thumbprint, a retina scan, and a vocal recognition signature, it would be close to impossible for a bad actor to replicate that in the seconds needed to open the app.
This got me curious -- are Slashdot's readers already seeing biometric verification systems in their own lives? Share your experiences in the comments, as well as your informed opinion. Do you think businesses should be switching to biometric passwords?
I can see a whole lot of privacy and "Big Brother" problems with biometric authentication...
No.
Biometry is not suitable for authentication. Essentially using biometry is like using a password you cannot change, but constantly tell anybody around you.
It's trivial to keep your passwords secure, it's much harder to keep your fingerprint or iris pattern secure. Both can even be read out remotely.
BTW, here's a nice overview video on the topic:
https://media.ccc.de/v/31c3_-_...
Too much room for false positives/negatives. I mean look at your phone: You can put a fingerprint on it but it'll require a backup PIN in case that doesn't work. You don't gain any security if there has to be a backup password, it is just a convenience thing.
The right answer is a smart card (or other device with that chip in it like Yubikey). Here you go to token+PIN. It's two factor, thus much harder for an adversary to get around, and it allows for a much shorter, easier to remember password. Reason is th
1. Don't enforce needlessly strict / complicated security policies for websites that don't matter that much.
2. Don't make me reset my password when I've merely forgotten it - it just puts me into a never-ending loop of creating harder and harder to remember passwords that need to be constantly reset.
3. Provide easy to use 2 factor authentication that lets me use simpler passwords, or even delay the "authentication" to be when I pay for something and validate my billing
For remote use, there is not a lot of difference between biometrics and passwords, except that:
-- you can't change the biometrics if they are compromised
-- there is little scope for using different credentials for different sites
Can't see any advantages to them, and I really don't want to be authenticating to my bank with the same credentials I use for Slashdot.
Let's take a look at the characteristics of a username:
And let's take a look at the characteristics of a password:
