What do you think this is?

Just thoughts of a restless mind...

Biometrics vs Passwords

Biometrics is supposed to be the ultimate solution for access control. It is also supposed to be the best replacement for passwords, not only from the security perspective but also from the usability perspective: people no longer have to cope with the strange (and inefficient) password rules that security teams used to push down their throats. So all is wonderful, and we should all be using biometrics now, right?

Wrong. There is a problem, part of which is already here and part of which is still coming: biometrics cannot completely replace passwords, for two reasons.

  • To replace passwords, you would have to move to a single sign-on model in which a biometrics-enabled device (i.e., a physical device you carry, which verifies the biometric locally and then vouches for you) propagates your identity to all remote services.
  • You still need a fallback solution for when biometrics fail you.

Solutions for the first point are being developed as I write these lines. They are not very efficient, as is usually the case with immature and ground-breaking technologies, and they come with many limitations and environment lock-ins; but we may still expect them to progress.

The fallback solution is a technological riddle. Surprisingly (or not), you can accept biometrics that always work, or biometrics that only sometimes work. From the security perspective, though, biometrics that work most of the time are a problem.

Password memorization

The problem with biometrics that work most of the time is that when they don't work, you have to type your password to log in. People remember passwords in two ways:

  • Conscious memory (i.e., I simply remember it)
  • Muscle memory (i.e., I remember the movements needed to type it)

The interesting thing about muscle memory is that it takes repetition to build and repetition to maintain. What that means is that if I don't type a password, I will forget it; and if I only have to type it once in a while, my muscle memory is useless. So biometric solutions that only sometimes work are fine, because I will still be typing my password regularly, but with biometric solutions that work most of the time I won't get the repetitions, or the frequency, needed to build the muscle memory.

Which brings me back to conscious memory. But if I have to consciously remember my password, it cannot be too complex. Either it is simple and I remember it (hence probably insecure), or it is a secure combination that takes real effort to remember. That leads either to people writing it down (again, insecure) or to people reusing the same password across other services (yet again insecure), because there the muscle memory can be built.

Finally, I can actually use a strong, secure password, but if I can rely on neither my muscle memory nor my conscious memory I will forget it, and I will have frequent resets. Which, as we all know, will eventually lead me to using passwords that I can remember, one way or another.

If you follow the logic above, you will see that biometrics that work "most of the time" do not promote security. I prefer biometrics that work "sometimes", or biometrics that work "all the time"; those that work "most of the time" I would rather avoid.

Care to share your thoughts?