1) Biometrics are increasingly being used for security identification but have limitations related to the quality of analog data capture, digital processing, and the potential to recreate biometric data from public images.
2) While biometrics can be more convenient than passwords, passwords stored securely with randomization and brute force protections are often more secure than biometrics.
3) The best approach is a risk-based multi-factor authentication combining biometrics, passwords, and other identifiers depending on the specific threat profile and balancing convenience with security.
‘Passwords were dead to begin with. There is no doubt whatever about that … This must be distinctly understood, or nothing wonderful can come of the story I am going to relate.’
(slight re-phrase of Dickens, “A Christmas Carol”)
Who are you? Who am I?
What are the three factors we commonly reference?
What you know
What you are
What you have
Where you are
Your history
What you can do
I, for one, welcome our biometric overlords…
Risk based authentication with multi-factors can be good
… with some caveats:
1) Store templates in a (very) secure location
2) Use as one of multiple factors
3) Don’t confuse identification with intent
4) Validate vendor assertions/promises
5) A random password with domain brute-force protections will usually be better
(or: threat profile, threat profile, threat profile)