Disclaimer

The content of this blog is my personal opinion only. Although I am an employee - currently of Nvidia, in the past of other companies such as Iagination Technologies, MIPS, Intellectual Ventures, Intel, AMD, Motorola, and Gould - I reveal this only so that the reader may account for any possible bias I may have towards my employer's products. The statements I make here in no way represent my employer's position, nor am I authorized to speak on behalf of my employer. In fact, this posting may not even represent my personal opinion, since occasionally I play devil's advocate.

See http://docs.google.com/View?id=dcxddbtr_23cg5thdfj for photo credits.

Thursday, June 07, 2012

Biometrics are the smallest and least important part of replacing paswords

Marketplace Tech Report for Thursday, June 7, 2012 | Marketplace.org


Just heard the item about the LinkedIn security failure, passwords, and the researcher working on password typing rhythm.

Had to write because I am sick and tired of biometrics folks like the password typing rhythm guy saying they could solve password problems - when there is a fundamental limitation that means that they only solve the least important part of the problem, and that not very well.

First, terminology: "biometrics" means anything that measures something about you Like your password typing rhythm, your fingerprint, your retina scan.

The problem: anything like biometrics can be recorded and replayed by a bad guy.  If exact replay is detected, the bad guys are smart enough to vary it.

What this means: biometrics, such as password typing rhythm, is only useful if the device that is being used is PHYSCALLY SECURE as well as clear of viruses, and if it uses encryptionto talk to whatever remote server like Google you are trying to authenticate to.

For example: probably a bank can trust a fingerprint reader, or a password typing rhythm system, if the readers are kept at the bank.

But the bank should NOT trust password typing rhythm or fingerprints that are read from a remote device that is not physically secure.  E.g. say that I go to an internet cafe in Mexico to use the web while on vacation: the fingerprints or password typing rhythm read there should NOT be trusted, because some bad guy may own the computer that is reading them.

Stuff you own is intermediate: your desktop and laptop PCs, and your cell phone, are not completely physically secure.  Not as secure as at a bank.  But more secure than an internet cafe in Mexico. Plus, they may have malware, such as a keyboard logger, recording your password typing rhythm and giving it to the bad guys.

(By the way, my own most recent expertise is in preventing such malware.)

Here's the bottom line:

* Remote servers cannot trust biometrics like password typing rhythm.

** not unless they can trust you to have a physically secure device, and secure communications.

* If you give your biometrics to multiple sites - like the 528 sites one of the folks you interviewed has passwords on - then chances are that one of them will have a security breach, and the bad guys will know your biometrucs.


Is it hopeless?  No!


The way forward is what Google is already starting to do: working with your cell phone as well as your PC to authenticate securely.

E.g. now, when I log into Gmail on my PC, Google texts my cell phone as a cross check.

Now,if I lose both my cell phone and my laptop PC together, the bad guy might have both.  But this is just a step.

One of the next steps will be for the biometrics, e.g. the fingerprint, to be read on your cellphone.  And for your cell phone to reply to Google saying "Yes, I have read Andy's fingerprint".  And for the cellphone to automatically contact my PC, saying the same.

Worried about losing your cell phone?  Make the device that reads the biometric into something you wear, like a bracelet or amulet on a necklace or ring.  I call this a "security amulet". You might regularly rub it, e.g. to read your fingerprint.  (We might even imagine surgically implanting it.)

Actually, when we do this, we don't really need to have the cell phone send the biometric back to Google, or any of the other 528 web sites. Perhaps your security amulet will read a fingerprint, while mine is listening to the "core rhythm" of my heartbeat.  And perhaps once a day it may check my  password typing rhythm.

We still need to worry abut losing the biometric device / cell phone / security amulet - although it is harder to lose something like your wedding ring, it is possible.  There's no panacea here, except to note that we can make devices that are tamper resistant - if they are lost or stolen, and a bad guy is trying to break in and steal your security data, it can (1) erase itself if it detects a clumsy attempt to break in, and (2) make it hard to break in in an undetectable way  E.g. giving you, say, 48 hours to realize that you have lost your security amulet / wedding ring.

The biometrics is only a small part of this.  Its the least important part, actually:  more important are the security protocols between your cellphone / security amulet, and all of the servers you want to use securely.

Google's texting of a code to your cellphoneis just a start.  But its happening. Slowly, but it's happening.

So, PLEASE stop interviewing biometrics folks as if they can solve security problems. Biometrics is only the smallest and least important part of the problem.

No comments: