So long as the biometrics is backed up by a fallback password, irrespective of which are more accurate than the others, its security is lower than that of a password-only authentication. Then, we have to wonder why and how the biometrics has been touted as a security-enhancing tool for so long, with so many security professionals being silent about the fact. It appears that we may have got some clues to this conundrum.

1. Clues to Unravelling Conundrums
- Biometrics deployed ‘in parallel’ as against ‘in series’
In my earlier writing “Truth does not matter in infosec?” I wrote as follows:
--------
So long as the biometrics is backed up by a fallback password, irrespective of
which are more accurate than the others, its security is lower than that of a
password-onlyauthentication
Then, we have to wonder why and how the biometrics has been touted as a
security-enhancing tool for so long, with so many security professionals being
silent aboutthe fact.
---------
It appears that we may have got some clues to this conundrum. We had a chance
to look at a document produced by NIAP (National Information Assurance
Partnership),in which ‘hybrid biometrics authentication’ wasdiscussed.
The biometrics advocates got a NIAP committee to positively evaluate the hybrid
(two-factor) deployment of biometrics and passwords by just talking about the 'in
series' deployments. Then, the concept that the hybrid biometrics
authentications provide good security was solidly established with authority.
There may have been some more similar cases.
On the other hand, a number of biometrics vendors put on the market the
biometrics products, which are deployed 'in parallel', without referring¸
knowingly or unknowingly, to the difference between the 'in parallel'
deployments and the 'in series' deployments. I would not like to suspect that
there were choreographers for it. I assume that it might well have happened due
to lack of good communication and misunderstanding among the people
concerned.

2. The outcome was a number of misguided security professionals and tech media
spreading the misguiding information in a gigantic scale. We are now
witnessing such a worrying situation that a number of financial institutions are
adopting the 'in parallel' hybrid biometrics for the applications for which they say
they require the level of security higher than the password. It is defeating the
purpose.
Well, I am not happy with this uncomfortable hypothesis. I would appreciate it
if someone could let me know the presence of different materials that might lead
us to different observations.
I would also welcome any information on whether the publicized FAR and FRR
are empirical or theoretical and how they are measured, monitored or calculated.
<Remarks>
‘in series’ deployment = both to pass, And/Conjunction
‘in parallel’ deployment = either to pass, Or/Disjunction
< Related Article >
P3 Truth does not matter in infosec?
P4 iPhone X Face ID - What FAR means when it does not come with the corresponding
FRR?
P5 Mitigation of Password Predicament
P6 Democracy would be dead where the password is killed
P7 Mix up “Unique” with “Secret” and confuse “Identification” with “Authentication”

3. Truth does not matter in infosec?
Tech media seem busy arguing which biometrics is better than the others. But it is all
nonsense from security’s point of view. Instead we should ask why security-lowering
measures have been touted as security-enhancing solutions.
Because of its inherent characteristics, biometrics depends on a fallback means in case of false
rejection. In physical security, it could be handled by personnel in charge other than the user.
In cybersecurity, however, it needs to be handled by the user themselves, in most cases by way
of a password that the user themselves needs to feed.
So long as the biometrics is backed up by a fallback password, irrespective of which are more
accurate than the others, its security is lower than that of a password-only authentication as
illustrated in this video. https://youtu.be/wuhB5vxKYlg
Then, we have to wonder why and how the biometrics has been touted as a security-enhancing
tool for so long, with so many security professionals being silent about the fact.
There could be various explanations – from agnotology, neuroscience, psychology, sociology,
behavioral economics and so on. This phenomenon will perhaps be found to have provided an
excitingly rich material for a number of scientists and researchers in those fields.
Summary of the video
> >

4. iPhone X Face ID
What FAR means when it does not come with the corresponding FRR?
Answer: It means nothing.
According to some tech media¸the FAR (false acceptance rate) of iPhone X Face ID is said to be
one millionth, which might be viewed as considerably better than the reported one 50,000th of
Touch ID.
It is not the case, however. The fact is that which is better or worse can by no means be decided
when the corresponding FRR (false rejection rates) of Face ID and Touch ID, which are in the
trade-off relation with FAR, are not known. This crucial observation is seldom reported by
major tech media. It is really sad to see the misguided tech media spreading the misguiding
information in a huge scale.
The only meaningful fact that we can logically get confirmed by the trade-off between FAR and
FRR is that the biometrics deployed with a password as a fallback means against false
rejection would only provide the level of security lower than that of a password-only
authentication.
Face ID, which brings down security as such, could be recommended only for those who want
better convenience, as in the case of Touch ID. If recommended for better security, it would
only get criminals and tyrants delighted.
Security professionals are expected to speak up.
30-second video - https://youtu.be/7UAgtPtmUbk

5. Mitigation of Password Predicament
This article talks about the old and new NIST password guidelines.
https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cyber
security
It is nice to see repealed the odd recommendations like the complicated hard-to-recall
passwords which would result in reusing the same password across many accounts and the
regular password change which would result in using the easiest-to-guess passwords. It is
not nice, however, to see ‘passphrase’ and ‘password manager’ being touted so naively. Caveats
should come with these recommendations.
Passphrase: It could be longer and yet easier to remember but it does not necessarily mean a
higher entropy despite the troubles of tiresome typing. It is generally made of known words
that are just vulnerable to automated dictionary attacks.
The cartoon shown in this Verge article reads that a 44-bits entropy is hard to guess. It may
be extremely hard for humans to guess, but it would be so easy a prey for criminals who
possess the automated attack software with the intelligent dictionaries.
Password Manager: It remembers all my passwords when un-hacked and loses all my
passwords to criminals when hacked. It should be operated in a decentralized formation or
should be considered mainly for low-security accounts, not for the high-security business that
should desirably be protected by all different strong passwords unique to each account.
Then, what else can we do? Our proposition.is “Intuitive Passwords: Passwords to Succeed
Passwords”
http://virtual-strategy.com/2017/04/14/intuitive-passwords-passwords-to-succeed-passwords/

6. Democracy would be dead where the password is killed
Some security people are advocating that the password should be killed dead. I wonder if
they are aware of what they mean by what they say. A society where login without users’
volition is allowed would be the society where democracy is dead. It’s a tyrant’s utopia.
We know that biometrics, which relies on a fallback password, can by no means be an
alternative to the password, that the password is an indispensable factor for multi-factor
schemes and that the security of password managers and single-sign-on schemes needs to
hinge on the reliability of the password.
The password (memorized secret) is absolutely necessary. Don’t let it be killed. Don’t accept
any form of passwordless login.
<Reference>
Slide: Password Fatigue and Expanded Password System
http://www.slideshare.net/HitoshiKokumai/password-fatigue-and-expanded-password-system
Article (7-page): Intuitive Password – passwords succeeding passwords
https://www.slideshare.net/HitoshiKokumai/intuitive-passwords-passwords-succeeding-passw
ords

7. Mix up “Unique” with “Secret” and
we would confuse “Identification” with “Authentication”
Biometrics follows “unique” features of individuals’ bodies and behaviors. It means that it
could be well used when deployed for identification of individuals who may be conscious or
unconscious, alive or dead. Due respect could be paid to biometrics in this sphere.
Being “unique” is different from being “secret”, however. It would be a misuse of biometrics if
deployed for security of the identity authentication of individuals.
Confusing “Identification” with “Authentication”, we would be building a sandcastle in which
people are trapped in a nefarious false sense of security. However gigantic and grandiose it
may look, the sandcastle could melt away altogether when we have a heavy storm.
And, the storm will come. The question is not “if”, but just “how soon”.
< Videos >
Turn off biometrics where security matters (30 seconds)
https://youtu.be/7UAgtPtmUbk
Biometrics in Cyber Space - "below-one" factor authentication
https://youtu.be/wuhB5vxKYlg
Six Reasons to Believe Biometrics Don't Ruin Cyber Security
https://youtu.be/lODTiO2k8ws
Password-free Life - Utopia or Dystopia? (30 seconds)
https://youtu.be/UJDBZpX1a0U
Password Predicament and Expanded Password System
https://youtu.be/-KEE2VdDnY0