Why Biometrics Aren’t the Answer

Happy World Password Day.  I have been following the progress that NIST is making in formulating new standards for user authentication.  Something I found surprising was that NIST is not recommending using biometrics as a form of authentication.  The two main reasons are that biometrics, such as fingerprints, iris scans, and voice recognition, are not a secret.  For instance, you leave your fingerprints behind everywhere you touch something.  The second reason is that biometrics can not be replaced in the event that it is successfully breached or replicated.  You can’t just go out and buy a new finger or eye.

So when Naked Security reported about a successful attempt to create a fingerprint “master key” that could be used to unlock an iPhone, it drove the point home again.  Part of the reason this worked is that the fingerprint sensor only records a partial print, and that makes it easier to create a universal design that matches many different partial prints well enough to unlock up to 60% of the phones that were tested.

As far a s NIST is concerned, biometrics should only be used in a two-factor or multi-factor authentication environment.  They are not secure by themselves.  So for those of you who are using the fingerprint lock you may want to couple it with a second factor like a password or PIN.

Our current password recommendations:

  • Passwords should be longer than 12 characters.
  • Use a password manager such as Last Pass
    • LastPass makes it easy to have long passwords that are unique to each site, because yo only need to remember the LastPass master password.
    • Use LastPass’ random password generator to create unique passwords.
  • Use two-factor authentication whenever it is offered


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instruction for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.