Random musings on whatever subject strikes my fancy, published every other day.

Biometrics Are NOT Passwords, Dammit!

Today in Stupid Extensions of Biometric Authentication: this item from Sophos.  Brainprints will apparently be the new fingerprints.

Here is what the press (and from the looks of it, half the security industry) seems unable or unwilling to get: you cannot change your biometrics.  You cannot ever change your fingerprints.  Nor can you ever change your iris, your retina, your “brainprint,” or any of the other too-clever-by-half schemes researchers may yet dream up for biometric authentication.

In fact, the whole idea of two-factor authentication has traditionally been based on “Something you know, something you have, something you are… pick two.”  We need to drop the last, and go with “Something you know and something you have” – period.

Fingerprints are already easier to steal than a password ever was.  Digital photography is probably good enough by now that iris patterns are equally easy, and retinal scans from afar cannot be that far behind.  What was that twinkle?  Oops, too late.  Once the “brainprint” technology is usable, its targets will be equally pilferable.

Just because it looked cool in 1970’s SciFi does not mean it’s truly going to be valuable in this century.


Warrant Canaries


We Are Secure Website Developers


  1. Andrei

    I understand why you would be upset about the security industry working the market, but consider this: my laptop needs to be secured from kids, friends or work colleagues who would possibly change my wallpaper or *gasp* change the number of virtual desktops. They are not devious spies. People who don’t want to make their browser history open to…say their partner will be fine with a fingerprint scanner that works reasonably well. It’s like a nice garden fence, not a very good security measure but not useless either: a signal of privacy, people tend to respect even those tiny little boundaries, a fingerprint is a whole different league. The huge plus is that it entails no effort for the users and passwords are just horrible. Sure, it is a problem to oversell a technology (or fence), but if you got your wish and biometrics went away completely I would be raging for days, because physical access to my machine is not a threat that is remotely comparable to identity theft online. Someone messing with my bank account or google plus page would be …bad. But super-sneaky agents will not break into my flat and log in using a digital photograph of my retina. All of this technology needs to be good enough to foil the husbands and wives who want to snoop around or possibly set up a cat wallpaper.

    • David Frier

      But an eleven-character password is good enough for all those threats, so I am missing your issue.

      Or, perhaps, you can tell me what you will accomplish with the 17 seconds you will save daily swiping a fingerprint instead of typing a password 6 times? 🙂

Powered by WordPress & Theme by Anders Norén