Passwords vs. biometrics

It has been a brutal season for data breaches, from the wholesale theft of customer records numbering in the billions to the exposure of naughty celebrity pictures. More significant to agencies is the case that cost US Investigations Services (USIS) a contract to perform government background checks.

It was bad enough when USIS gained attention as the contractor that vetted NSA leaker Edward Snowden and Washington Navy Yard shooter Aaron Alexis. But in the wake of an IT breach that might have exposed the files of thousands of Homeland Security employees, the Office of Personnel Management in September said “enough,” and dropped the company.

The growing pressure by hackers against high value targets and the volumes of personal and other sensitive information being stolen highlights one of the basic questions of cybersecurity: How do you keep the bad guys out?

Identity management and access control are the front lines of security. The ability to accurately identify users and control what they do within your systems is what separates insiders from outsiders. It has been apparent for some time that the traditional tool for this task – the password – is inadequate for the job, and biometrics is emerging as an alternative.

Which is better? The answer is that neither is adequate for strong, practical security on its own. Each has strengths and weaknesses, and real security requires some combination of these or other technologies.

The password by itself actually is a pretty good tool. It is simple to use, easy to implement and can be reasonably strong. The problem is one of scale. For a user juggling passwords for multiple accounts and for administrators juggling many users, the system quickly becomes unwieldy, and strong security begins to break down. In addition, the steady growth in computing power erodes password security by making dictionary and brute force attacks more practical.

Biometrics – the use of physical traits such as fingerprints, irises, faces or voices to identify persons – is more complex, but is becoming more practical. It offers the promise of better security based on the premise that there is only one you.

Yet it has its drawbacks. All forms of biometrics operate on the “close enough” principle. Whereas a password must be exact to be accepted, matching a biometric trait requires a judgment about whether there is a proper match. This leaves room for mistakes, either as false positives or false negatives. The algorithms making the decision can be tuned depending on the level of security required. But higher security comes at a cost in the form of increased time or computing power to determine a match and by increasing the possibility that a legitimate biometric will be rejected. And although there is only one you, biometric systems can be susceptible to spoofing. A stolen digital template of a biometric trait could be inserted into the authentication process to authenticate the wrong user.

There are other ID management technologies, of course, such as digital certificates, a form of electronic ID vouched for by a trusted party. These can be powerful, but also challenging to manage on a large scale.

The bottom line is, no matter how much these technologies improve, no single tool is likely to be good enough for really practical strong authentication, and it is unlikely that a new and perfect technology will come along any time soon. None of these technologies is a complete failure, either. By combining strengths to offset weaknesses, these common tools can be integrated into multifactor authentication that provides security that is stronger than the sum of its parts.

Government already has a tool that can enable multi-factor authentication, the Personal Identity Verification Card and its military counterpart, the Common Access Card. Taking full advantage of these for access control could go a long way toward improving federal cybersecurity.