BankThink

Biometrics' dirty little secret: Online accounts still link to passwords

Banks, insurers, and payment networks are embracing biometrics such as Face ID, Touch ID, and iris and voice recognition. Consumers welcome these passwordless experiences eagerly because they’re far more convenient than entering passwords at the point of login or payment. But do these features alone improve security?

From a user perspective, device biometrics remove the burden of managing, and retyping, multiple passwords every time we authenticate. University of Oxford research reveals that the average consumer is linked to about 90 online accounts. It is therefore understandable that consumers choose these convenient biometric features to authenticate to services and authorize payments.


Still, the dominant form of account creation and access management is the username-and-password scheme, which dates to around 1961 and in which the credentials of every user are stored centrally at the service provider. Users duplicate credentials across multiple services, which means accounts at financial institutions are tied to easily obtained personal email addresses, guessable business email addresses, and passwords that are not unique.

What's more, one unrelated breach after another keeps the enormous supply of credentials in the wild both large and current. In 2017 alone, 2.3 billion credentials were stolen from 51 different organizations.

Device biometrics are layered atop these older systems: the fingerprint or face unlocks the device, or a credential held in its keystore, and that stored credential is what the app still presents to the service. They remove the password from the user interface, but they do not re-architect how users create and manage accounts.

All of this means the threat of credential reuse attacks is still real, and that device biometrics do not meaningfully reduce the roughly two percent success rate attackers enjoy with those attacks. They are a step in the right direction: they reduce the number of risky password entries and offer a preview of a world entirely without passwords.
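The distinction in the preceding paragraphs, a biometric that merely unlocks a stored password versus a design with no password at all, is easy to lose in marketing language, so here it is modelled in plain code. This is an added illustration, not code from the column or from any vendor named in it. The password-replay design (A) follows what the column describes; the challenge-response design (B) is an assumption about what a genuinely passwordless scheme looks like, and it stands in an HMAC for the asymmetric key a real deployment would use. The face templates and the breach dump are constructed sample data.

```python
"""Two 'Face ID' login designs side by side (added example, not the article's
code).  Design B is an assumed model of a no-password scheme."""
import hashlib
import hmac
import os
import secrets


class PasswordServer:
    """Classic scheme: the server stores a salted hash of a user-chosen password."""

    def __init__(self):
        self.users = {}  # username -> (salt, pbkdf2 digest)

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._digest(salt, password))

    def login(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._digest(salt, password))


class FaceUnlockPasswordApp:
    """Design A: the biometric only unlocks a keystore holding the real
    password, which the app then replays to the unchanged password server."""

    def __init__(self, server, username, password, face_template):
        self.server, self.username = server, username
        self._keystore = {"password": password}  # released after a face match
        self._face = face_template

    def login(self, presented_face):
        if not hmac.compare_digest(presented_face, self._face):
            return False
        return self.server.login(self.username, self._keystore["password"])


class ChallengeServer:
    """Design B (assumed): nothing user-chosen is stored.  Enrolment binds a
    random per-device, per-service key; login proves possession of it by
    answering a fresh nonce.  HMAC stands in for a public-key signature."""

    def __init__(self):
        self.keys = {}     # username -> device key
        self.pending = {}  # username -> outstanding nonce (single use)

    def enrol(self, username, device_key):
        self.keys[username] = device_key

    def challenge(self, username):
        nonce = secrets.token_bytes(32)
        self.pending[username] = nonce
        return nonce

    def verify(self, username, response):
        nonce = self.pending.pop(username, None)  # consumed: no replay
        key = self.keys.get(username)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


class FaceUnlockKeyApp:
    """Design B client: the biometric unlocks a key that never leaves the
    device and is meaningless at any other service."""

    def __init__(self, server, username, face_template):
        self.server, self.username, self._face = server, username, face_template
        self._device_key = secrets.token_bytes(32)  # never typed, never reused
        server.enrol(username, self._device_key)

    def login(self, presented_face):
        if not hmac.compare_digest(presented_face, self._face):
            return False
        nonce = self.server.challenge(self.username)
        response = hmac.new(self._device_key, nonce, "sha256").digest()
        return self.server.verify(self.username, response)


def stuff_credentials(server, leaked):
    """Credential stuffing: replay (username, password) pairs leaked elsewhere.
    Returns the usernames taken over.  A challenge server exposes no password
    endpoint, so a breach dump from another site gives the attacker nothing."""
    login = getattr(server, "login", None)
    if login is None:
        return []
    return [u for u, p in leaked if login(u, p)]


def demo():
    face = "alice-face-template"  # constructed stand-in for a biometric sample
    social, bank = PasswordServer(), PasswordServer()
    social.register("alice", "Summer2017!")   # same password at both sites
    bank.register("alice", "Summer2017!")
    app_a = FaceUnlockPasswordApp(bank, "alice", "Summer2017!", face)
    leaked = [("alice", "Summer2017!")]       # constructed social-site breach dump
    bank_b = ChallengeServer()                 # bank holds only a device-bound key
    app_b = FaceUnlockKeyApp(bank_b, "alice", face)
    return {
        "face_login_a": app_a.login(face),
        "stuffing_a": stuff_credentials(bank, leaked),     # attacker needs no phone
        "face_login_b": app_b.login(face),
        "stuffing_b": stuff_credentials(bank_b, leaked),   # nothing to replay
        "wrong_face_b": app_b.login("mallory-face-template"),
    }
```

Both apps give the user an identical Face ID experience, which is the point: only Design B removes the artifact that credential stuffing feeds on.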

An example of how security is out of the control of even the most diligent security team is the way the lower-risk domain of social platforms is commingled with the higher-risk one of banking.

If a user's Yahoo! account was hacked, for instance, and he or she uses the same password at their bank, that bank account is now at risk of being hacked, even if the bank itself did not fall victim. The two share an unfortunate relationship: their credential stores overlap. Between 80 and 90 percent of an online retailer's web traffic is made up of credential stuffing attacks, and such attacks are costing the U.S. banking industry $50 million a day.

Credential stuffing attacks against a web application (or phishing against a user) will find that shared password. This translates into account takeover, payment fraud, prepaid cashout scams and, worse, when the reused credential belongs to a bank employee, a large-scale incident. In our example, if only Yahoo! were affected, the net result might be the inconvenience of password resets and some reputational harm, although it is worth remembering that Yahoo! took a $350 million haircut to its Verizon acquisition price over its data breach history. The bank, by contrast, will suffer an average $2,000 loss per account takeover.
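Because a credential stuffing run replays a breach list against many different accounts, it leaves a signature a bank's own login logs can expose even before the shared password is found. The detector below is an added example, not the column's or any vendor's code; the log line format, the thresholds, and the sample lines are all constructed assumptions to be tuned to a real gateway.

```python
"""Credential-stuffing detector over authentication log lines.
Added example; log format, thresholds and sample data are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample: one source walking a breach list across eight accounts,
# a legitimate user who mistypes twice, and one ordinary login.
SAMPLE_LOG = """\
2017-12-15T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2017-12-15T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2017-12-15T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2017-12-15T10:00:03Z ip=203.0.113.5 user=dave result=OK
2017-12-15T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2017-12-15T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2017-12-15T10:00:04Z ip=203.0.113.5 user=grace result=FAIL
2017-12-15T10:00:05Z ip=203.0.113.5 user=heidi result=FAIL
2017-12-15T10:00:20Z ip=198.51.100.7 user=ivan result=FAIL
2017-12-15T10:00:31Z ip=198.51.100.7 user=ivan result=FAIL
2017-12-15T10:00:45Z ip=198.51.100.7 user=ivan result=OK
2017-12-15T10:01:00Z ip=192.0.2.9 user=judy result=OK
"""


def parse(text):
    """Parse log lines into dicts; unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.7):
    """Flag sources that, inside `window`, hit many distinct accounts with a
    high failure rate.  A legitimate user retyping a password fails against
    one account, so the distinct-user count separates the two cases even when
    both fail repeatedly.  Returns {ip: stats}; successes inside a flagged
    burst are listed as probable takeovers to lock and review."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):  # sliding window over this source
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in span}
            fails = sum(e["result"] == "FAIL" for e in span)
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "fail_ratio": round(ratio, 2),
                    "compromised": sorted(
                        e["user"] for e in span if e["result"] == "OK"),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, stats)
```

On the sample, the eight-account burst from 203.0.113.5 is flagged with dave as a probable takeover, while ivan's two typos are not. Distributed stuffing that spreads one attempt per IP evades this per-source view; the same distinct-user and failure-ratio test applied fleet-wide per window catches that variant.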

Payment and banking apps are deploying passwordless experiences for convenience and some degree of improved security, on the way to a goal of eliminating passwords from the authentication process altogether. We should not, however, conflate a passwordless experience with a system architecture in which no password is in use.

It might come as a surprise to learn that biometrics, as most consumers are using them, are still linked to an outdated, insecure authentication regime that is long past due for retirement. Device biometrics can be used for genuinely passwordless authentication, in which no password exists anywhere in the system. Let's ensure we are talking about the same thing, because a false sense of what is passwordless is a false sense of security.
