Happy World Password Day. I have been following the progress that NIST is making in formulating new standards for user authentication. Something I found surprising was that NIST is not recommending using biometrics as a form of authentication. The two main reasons are that biometrics, such as fingerprints, iris scans, and voice recognition, are not a secret. For instance, you leave your fingerprints behind everywhere you touch something. The second reason is that biometrics can not be replaced in the event that it is successfully breached or replicated. You can’t just go out and buy a new finger or eye.
So when Naked Security reported about a successful attempt to create a fingerprint “master key” that could be used to unlock an iPhone, it drove the point home again. Part of the reason this worked is that the fingerprint sensor only records a partial print, and that makes it easier to create a universal design that matches many different partial prints well enough to unlock up to 60% of the phones that were tested.
As far a s NIST is concerned, biometrics should only be used in a two-factor or multi-factor authentication environment. They are not secure by themselves. So for those of you who are using the fingerprint lock you may want to couple it with a second factor like a password or PIN.
Our current password recommendations:
- Passwords should be longer than 12 characters.
- Use a password manager such as Last Pass
- LastPass makes it easy to have long passwords that are unique to each site, because yo only need to remember the LastPass master password.
- Use LastPass’ random password generator to create unique passwords.
- Use two-factor authentication whenever it is offered