Cybersecurity Snapshots #6 - Will Biometric Authentication Soon Replace Password Authentication?
World Password Day, held on May 7th, was created by Intel to help spread awareness of the critical need for the use of more robust passwords. Many individuals still do not follow suggestions given by experts regarding passwords.
Researchers from Ofcom conducted a poll of 1,805 adults aged 16 and over and discovered that 55 percent of the participants used the same password for most websites. Over one quarter of the participants used easy-to-remember passwords, such as people's names or birthdays.
In a new global survey, researchers polled 3,250 individuals across the United States, Singapore, Australia, Germany, Brazil, and the United Kingdom. They discovered that there is a heightened global awareness of good security practices, hacking incidents, and data breaches, yet consumer password behaviors remain mostly unchanged. Over 90 percent of the participants know that using the same password on multiple accounts is a security risk, yet 66 percent still use the same password, which is an increase of 8 percent from 2018. Half of participants reported that they had not changed their passwords in the last 12 months. While three quarters of the participants say they feel informed on password best practices, only half of them still try to memorize passwords, and one quarter write their passwords down somewhere. Most of the participants were concerned with having their passwords compromised, yet half of them never change their passwords if not required.
The number one reason participants use the same password for multiple logins and create easy-to-remember passwords, even though they know it puts them more at risk of a breach, is that they are afraid of forgetting their login information. Since this is the case, users should consider password management software, which can remember hard-to-crack passwords and help generate complex ones. Researchers at FICO discovered that currently only 23 percent of respondents use an encrypted password manager, which many consider best practice. Another reason participants use easy-to-remember passwords, and reuse one across multiple accounts, is that many want to be in control of their passwords.
In the global survey, researchers also found that respondents are much more comfortable with biometric authentication, which uses a face or fingerprint to log in to devices or accounts. Sixty-five percent of the participants said they trust facial and fingerprint recognition more than traditional text passwords. Many individuals and organizations believe it is time to ditch text passwords and rely on biometric authentication entirely. Biometric authentication can provide some useful benefits, including simplicity and convenience to the user, which is why it has grown in popularity. It can also provide higher authenticity because fingerprints and faces are hard to replicate. The use of biometric authentication also helps deter shoulder surfing, which is when an adversary tries to hack an individual's account by watching the target enter PIN codes or passwords.
Biometric authentication also has some negative aspects. Biometric data is irreplaceable, which means that if it is compromised during a breach, it cannot be reset. Text passwords can always be reset if a breach is discovered. Biometric authentication methods usually rely on partial information to authenticate one's identity, which can allow for false positives. In 2018, researchers from New York University were able to train AI neural networks to crack fingerprint authentication at a success rate of 20 percent. They relied on the fact that most fingerprint scanners only scan a portion of the finger. Face ID on iPhones counters false authentication by adding a "liveliness" detection system. Face ID held up fairly well against the 3D-printed head hack, which beat several Android devices; however, the researchers eventually managed to get Face ID to produce a false positive.
It will continue to be essential for individuals to use strong and complex passwords to help protect individuals and organizations from being breached. Biometric authentication is being used more and more but still has challenges. It is unlikely that biometric authentication will take over the use of text passwords anytime soon, even though many users feel more comfortable using it. Companies that store biometric data need to devise a more secure way to store it so that it will never be compromised. Companies will also need to figure out how to make biometric authentication more secure so that methods such as facial recognition and fingerprint recognition do not produce false positives.
Some researchers have turned to the development of changeable biometrics to overcome the security risk of static fingerprints, irises, and face shapes. Berkeley researchers came up with a futuristic system called "passthoughts". The technique combines three factors: a thought, a user's brain patterns, and an EEG sensor for measuring brainwaves. To authenticate with a passthought, the user would think of their secret key while wearing the sensor. The thought itself is never transmitted; what is used is just a mathematical representation of the electric signals the user's brain makes while thinking of the secret key. Even if someone were able to figure out precisely what a user was thinking, they would not be able to impersonate the user's passthought, because every person thinks the same thought differently. If the passthoughts of a user were ever compromised, then the user could always change their passthought.