Happy World Password Day. I have been following the progress that NIST is making in formulating new standards for user authentication. Something I found surprising was that NIST is not recommending using biometrics as a form of authentication. The two main reasons are that biometrics, such as fingerprints, iris scans, and voice recognition, are not a secret. For instance, you leave your fingerprints behind everywhere you touch something. The second reason is that biometrics can not be replaced in the event that it is successfully breached or replicated. You can’t just go out and buy a new finger or eye.
So when Naked Security reported about a successful attempt to create a fingerprint “master key” that could be used to unlock an iPhone, it drove the point home again. Part of the reason this worked is that the fingerprint sensor only records a partial print, and that makes it easier to create a universal design that matches many different partial prints well enough to unlock up to 60% of the phones that were tested.
As far a s NIST is concerned, biometrics should only be used in a two-factor or multi-factor authentication environment. They are not secure by themselves. So for those of you who are using the fingerprint lock you may want to couple it with a second factor like a password or PIN.
Our current password recommendations:
- Passwords should be longer than 12 characters.
- Use a password manager such as Last Pass
- LastPass makes it easy to have long passwords that are unique to each site, because yo only need to remember the LastPass master password.
- Use LastPass’ random password generator to create unique passwords.
- Use two-factor authentication whenever it is offered
MAY
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com