Excuse me, are those my fingerprints?
I recently read an article on passwords and what people are working on to replace them. As I have thought more and more about passwords, recognizing both their vulnerabilities and, yes, even their advantages, I am still hesitant to embrace the new techniques being worked on. If you don’t already realize it, there is one key element of security that has to exist in order for it to be widely accepted: it has to be easy. It makes security experts cringe whenever you even hint at it, but it is unfortunately true. When I give presentations on security, the one thing I always mention is that the words ‘convenience’ and ‘security’ are never said in the same breath, and while it is true today that good security is neither easy nor convenient, I still hope that one day we will stumble upon it. Until then, it seems researchers and experts are fixated on biometric solutions.
Let me start by saying I am not a biometrics expert. As a matter of fact, I probably have the same experience as most of you when it comes to biometrics: my iPhone fingerprint scanner. The article I was reading mentioned two-factor authentication, which I still believe is a good solution, and of course it talked about fingerprints and iris recognition (biometric solutions).
My issue with these types of authentication techniques is a rather large one: what if they are stolen? As an example, the data breach that occurred at the Office of Personnel Management (OPM), which affected at a minimum 18 million people, was more than just some personal information being compromised. Without getting too detailed, part of the breach included Standard Form 86 (SF-86) background-investigation information, which includes fingerprints. Think about that for a minute. If you were a part of this breach, a biometric feature of yours is now in the hands of bad people.
Another solution mentioned, one I had not heard about until reading the article, was your heartbeat. According to the article we all have a unique heartbeat: “It’s based on the size and shape of your heart and the orientation of your valves, your physiology. It doesn’t change unless you have a major cardiac event like a heart attack,” they stated. It’s the last sentence that struck me. So if I am using this technique and I have a heart attack, how do I access my data afterwards? It made me want to dig a little deeper, so I contacted a friend of mine who also happens to be a well-respected cardiologist. I asked him if it was really that simple. I assumed that as we change, like aging, our heart, which is a muscle, changes as well. The good doctor told me that our heartbeats change from simple things like how much sodium we take in, whether we are dehydrated, and of course whether we are under some type of stress. He went on to explain that “people have arrhythmia every day, as well as PACs, PVCs, flutter, SVT, etc.” Doesn’t sound like a foolproof solution to me.
While I agree we need to move on from passwords, I am not sure that biometrics is the answer. When a password is compromised, we simply choose another password; when our biometrics are compromised, whether by a heart attack or by a data breach, there is no simple fix, because you cannot issue yourself a new fingerprint or a new heart. The people working on these techniques need to make sure they take this into account when working on the next generation of security solutions.