Biometric Two-Factor Authentication

Biometric two-factor authentication based on physical attributes like voice, smell, fingerprints, heartbeats, facial recognition, hand geometry or retina scanning sound glamorous and fool-proof, but there are many flaws in today’s implementations.

SAASPASS believes that while biometrics are a convenient alternative to PIN entry, they are not suitable for use as a factor in two-factor authentication. Current biometrics should not be used specifically in client-server structures because, fundamentally, biometrics are not secret and they are permanent, irreplaceable and unlike traditional passwords are NOT revokable.

Once a biometric attribute is compromised, it is compromised for the life of the person.

Personal biometric information is especially dangerous within a client-server architecture. The sending of credentials over the Internet allows for the possibility of Man-in-the-Middle and Man-in-the-Mobile attacks that can lead to biometric data compromise. Once physical attributes are compromised, Replay Attacks can be mounted on an individual for the rest of their life.

Biometrics cannot be a shared secret as they are "static" identifiers. Thus biometric forgery is relatively easy and inexpensive. Biometric systems can be compromised through the lifting of fingerprints from coffee mugs, the creating of 3D images from publicly and readily available photos (hint: Facebook or LinkedIn), or by generating fake voice calls.

False positives and false negatives continue to bedevil biometric systems. False negatives exacerbate users, while false positives allow for account compromise. With biometrics, drawing the line is tough.

In their current state, biometrics are used well only when implemented to replace PINs for convenience and low-value transactions in a closed ecosystem like Apple's. Fingerprint access on the iPhone 5s is in essence a PIN replacement. Credentials are hashed and encrypted locally in the client in a secure element and not relayed over the Internet. The fingerprint can only be used for low-value purchases from the Apple iTunes store that are not fungible and portable to someone else's account.

Users should however avoid using biometrics in client-server architectures where credentials are sent over the wire (both LAN/WAN and the Internet).