Why Biometrics Aren’t the Answer

Happy World Password Day.  I have been following the progress that NIST is making in formulating new standards for user authentication.  Something I found surprising was that NIST is not recommending using biometrics as a form of authentication.  The two main reasons are that biometrics, such as fingerprints, iris scans, and voice recognition, are not a secret.  For instance, you leave your fingerprints behind everywhere you touch something.  The second reason is that biometrics can not be replaced in the event that it is successfully breached or replicated.  You can’t just go out and buy a new finger or eye.

So when Naked Security reported about a successful attempt to create a fingerprint “master key” that could be used to unlock an iPhone, it drove the point home again.  Part of the reason this worked is that the fingerprint sensor only records a partial print, and that makes it easier to create a universal design that matches many different partial prints well enough to unlock up to 60% of the phones that were tested.

As far a s NIST is concerned, biometrics should only be used in a two-factor or multi-factor authentication environment.  They are not secure by themselves.  So for those of you who are using the fingerprint lock you may want to couple it with a second factor like a password or PIN.

Our current password recommendations:

  • Passwords should be longer than 12 characters.
  • Use a password manager such as Last Pass
    • LastPass makes it easy to have long passwords that are unique to each site, because yo only need to remember the LastPass master password.
    • Use LastPass’ random password generator to create unique passwords.
  • Use two-factor authentication whenever it is offered


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.