Does using biometric data increase security as an access mechanism?

[0pp0]

Do you think that using biometric data to access applications and operating systems increases security compared to just password access? 

[Boomwebsearch]

 

 

Just now, 0pp0 said:

Do you think that using biometric data to access applications and operating systems increases security compared to just password access? 

 

 

Yes, I believe that biometric authentication increases security as an access mechanism in comparison to a password, although unless your biometric system or other authentication methods is completely secure, having more than one method to access an account is recommended (such as if the user forgets their password) although will go against the overall security of the account. Are you asking about two-factor authentication with password and biometrics, having both options, or having biometrics only?

 

 

[0pp0]

Just now, Boomwebsearch said:

 

 

 

 

Yes, I believe that biometric authentication increases security as an access mechanism in comparison to a password, although unless your biometric system or other authentication methods is completely secure, having more than one method to access an account is recommended (such as if the user forgets their password) although will go against the overall security of the account. Are you asking about two-factor authentication with password and biometrics, having both options, or having biometrics only?

 

 

The problem is: Does having password access and biometric authentication improve security compared to having only the password as a sign-in mechanism? 

In my opinion, no because password attacks remain valid and attacks against biometric systems are added

[Kilrah]

So you say either/or, not both needed to enter.

 

All depends on how people use them. Being able to use biometric in a pinch means you can set a more robust password, so...

[0pp0]

4 minutes ago, Kilrah said:

Sou you say either/or, not both needed to enter.

 

All depends on how people use them. Being able to use biometric in a pinch means you can set a more robust password, so...

If you set a stronger password than an access with biometric data then the biometric data in if it does not increase security.

A concrete example is in mobile applications, think of applications like PayPal or banking applications, if you skill access with fingerprints is equivalent to authenticating with the unlock code of the phone (I tested it on iOS) 

[SkyHound0202]

Biometric authentication, if implemented correctly, is comparably more secure than password-only. When combined with traditional username/password mechanism (Biometric as 2FA), will make a system more robust.

 

Then again, as long as there's an pathway, however hard you try to secure it, there's always a flaw somewhere. You can always brute force or social engineer a compromise a password, or extract someone's fingerprint from an object or just cut it off to spoof biometric authentication.

[0pp0]

7 minutes ago, SkyHound0202 said:

Biometric authentication, if implemented correctly, is comparably more secure than password-only. When combined with traditional username/password mechanism (Biometric as 2FA), will make a system more robust.

 

Then again, as long as there's an pathway, however hard you try to secure it, there's always a flaw somewhere. You can always brute force or social engineer a compromise a password, or extract someone's fingerprint from an object or just cut it off to spoof biometric authentication.

I agree that cascading them leads to a lot of security, but using them in parallel in my opinion diminishes it. Think in everyday use such as in Windows hello or in the unlocking of smartphones, biometric authentication is carried out in parallel. 

[Kilrah]

Biometric is convenient. A lot of people would put a weak or no password at all if it wasn't there becasue nobody wants to take 5 seconds to type a complex password dozens of times per day.

 

[0pp0]

4 minutes ago, Kilrah said:

Biometric is convenient. A lot of people would put a weak or no password at all if it wasn't there becasue nobody wants to take 5 seconds to type a complex password dozens of times per day.

 

It definitely makes access very quick, but if you use it in combination of a 4-digit pin from a security point of view it's useless

[WereCatf]

33 minutes ago, 0pp0 said:

Do you think that using biometric data to access applications and operating systems increases security compared to just password access? 

Depends on the quality of implementation. Facial-recognition for authentication, for example, is typically not implemented well enough and thus can be fooled with a printed picture or a video-clip shown on a mobile-phone or a tablet. Even facial-recognition that uses some sort of depth-perception to increase its security can often be fooled with minimal effort. Similarly, fingerprints are easy to lift off of items -- even from the device that someone's trying access! -- and used to gain access. It has even been shown that you can lift one's fingerprints from a sufficiently high-resolution picture!

 

The security of each system actually goes along the lines of: no security < bad password < typical biometric system < good password

[0pp0]

3 minutes ago, WereCatf said:

Depends on the quality of implementation. Facial-recognition for authentication, for example, is typically not implemented well enough and thus can be fooled with a printed picture or a video-clip shown on a mobile-phone or a tablet. Even facial-recognition that uses some sort of depth-perception to increase its security can often be fooled with minimal effort. Similarly, fingerprints are easy to lift off of items -- even from the device that someone's trying access! -- and used to gain access. It has even been shown that you can lift one's fingerprints from a sufficiently high-resolution picture!

 

The security of each system actually goes along the lines of: no security < bad password < typical biometric system < good password

I do not know if you can make a questionnaire within the blog, would you recommend using biometric systems for access to sensitive data such as current smartphone account and computers? 

[Boomwebsearch]

 

 

 

30 minutes ago, 0pp0 said:

The problem is: Does having password access and biometric authentication improve security compared to having only the password as a sign-in mechanism? 

In my opinion, no because password attacks remain valid and attacks against biometric systems are added

 

 

In two-factor authentication, you need both measures of sign-in to be correct in order to allow the user to gain access. Think of it this way, there are chances of your password getting compromised and there are chances of biometrics getting compromised, in two-factor authentication (using password and biometric), the chances would be multiplying the percent of chance that your password getting compromised by the chance of biometrics getting compromised (or vice versa). For example, if there is a 50 percent chance that your password will get compromised, and a 25 percent chance that your fingerprint will be compromised, using double-factor authentication with the password and fingerprint would mean that overall there would be a 12.5 percent chance that both systems will get compromised and unauthorized access will happen.

 

 

[WereCatf]

2 minutes ago, 0pp0 said:

I do not know if you can make a questionnaire within the blog, would you recommend using biometric systems for access to sensitive data such as current smartphone account and computers? 

For the Average Jane and Joe, the biggest security-risk is malware and phishing, not physical unauthorized access to their devices. This is to say, for those people, it's unlikely to matter much, if at all.

 

If, on the other hand, the person handles or has access to any sort of critical/valuable data or is in a position of power, I'd actually recommend using a strong password. Even better, if one uses two-factor authentication.

[0pp0]

11 minutes ago, Boomwebsearch said:

 

 

 

 

 

In two-factor authentication, you need both measures of sign-in to be correct in order to allow the user to gain access. Think of it this way, there are chances of your password getting compromised and there are chances of biometrics getting compromised, in two-factor authentication (using password and biometric), the chances would be multiplying the percent of chance that your password getting compromised by the chance of biometrics getting compromised (or vice versa). For example, if there is a 50 percent chance that your password will get compromised, and a 25 percent chance that your fingerprint will be compromised, using double-factor authentication with the password and fingerprint would mean that overall there would be a 12.5 percent chance that both systems will get compromised and unauthorized access will happen.

 

 

This is true if for 2-factor authentication, but in common use biometric systems are used as an alternative access mechanism

So if one method has a 50% chance of being compromised and the other has a 25% chance of being compromised, the probability of the system being compromised is equal to 1-(0.5*0.25) to 87.5%

 

[0pp0]

4 minutes ago, WereCatf said:

For the Average Jane and Joe, the biggest security-risk is malware and phishing, not physical unauthorized access to their devices. This is to say, for those people, it's unlikely to matter much, if at all.

 

If, on the other hand, the person handles or has access to any sort of critical/valuable data or is in a position of power, I'd actually recommend using a strong password. Even better, if one uses two-factor authentication.

Yes, this is true but losing the phone is not that unusual and if from this then comes a loss of all the money in the current account is not so negligible. 

[Boomwebsearch]

 

 

1 hour ago, 0pp0 said:

Yes, this is true but losing the phone is not that unusual and if from this then comes a loss of all the money in the current account is not so negligible. 

 

 

Here is what I would recommend (in balance of security and convenience), require the password to contain at the minimum 6-8 characters, one number, one symbol, and at least one uppercase and lowercase letter. Let users sign in with their username and password through a site with the 256 bit AES, and when it comes to signing in with their accounts on devices through a client application, first require sign-in with username and password through the 256 bit AES and have a setting option for users to add biometric authentication options which will be stored encrypted on the device. When users open the application with their user account (require users to sign-in to their operating system user account name again if it has been more than a few hours), a prompt will appear to sign-in with biometrics and since the encrypted credentials are stored locally, an attacker would have a hard time to get access to it and even if they get access to the biometric credentials on the user's device, they will still remain in encrypted format.

 

 

[Franck]

Probably depends but the fact that me and my brother can both unlock each other phone with facial recognition and that i can unlock his laptop with windows hello despite our 6 years difference. This doesn't give me any good feeling toward that specific king of biometric. I also unlocked 2 or 3 times my wife cell phone with the fingerprint sensor on a Samsung A50. I have never had a fail or miss identification with retina scan yet and i used with for about a year only so i don't have a long use case scenario yet.