Deployment of Biometrics and Password
- NIST Digital Identity Guidelines 800 63B
It seems that the biometrics guidelines in 800 63B (*1) are basically made
of two key segments.
(A) Biometrics now needs to be used together with a physical factor
(something you have) 'IN SERIES' in view of its inherent vulnerabilities (*2)
(B) When users get falsely rejected, 'a physical authenticator PLUS <other
biometrics OR password>' could be deployed 'IN SERIES' (*3)
And, (A) and (B) are to be deployed 'IN PARALLEL' (*3). Their collective
vulnerability is the sum of the vulnerability of (A = biometrics PLUS physical
authenticator) and that of (B = physical authenticator PLUS <other
biometrics OR password>), which is larger than A alone and also B alone.
As such, we could assume that, in the NIST guidelines, the physical
authenticator is the star, with biometrics and password playing an
auxiliary, interchangeable role.
It is good to see that NIST no longer allows the use of biometrics with only a
fallback password used 'IN PARALLEL'. But it is worrying that NIST still
allows a route of passwordless authentication without the user's volition, which
could pose a threat to democracy. The principle of citizens placing their
sensitive information under their own control could be eroded. The route of
allowing unconscious people to get authenticated unknowingly should be
precluded.
Incidentally, I am still not certain what users are expected to do when they
forget to carry the physical authenticator with them. It would certainly be
safe to simply lock out, though very inconvenient. Should a route of fallback
password (used 'IN PARALLEL') be provided, the overall security would be
lower than that of the fallback password alone, rendering the costs of
involving physical authenticators and biometrics utterly meaningless.
And, more fundamentally, when 'a physical authenticator PLUS password'
is less complicated, less costly and more secure than 'a physical
authenticator PLUS <password OR biometrics>', I wonder where the
merit of involving the problem-ridden biometrics lies. We cannot forget that
the password is crucially required in any case.
Readers' opinions on this hypothesis would be very much appreciated.
………………………………..
*1 Digital Identity Guidelines https://pages.nist.gov/800-63-3/sp800-63b.html
*2 Clause 5.2.3 reads "Biometrics SHALL be used only as part of multi-factor
authentication with a physical authenticator (something you have)."
*3 and also “Once that limit (of rejection) has been reached, the biometric authenticator
SHALL either:
• Impose a delay of at least 30 seconds before the next attempt, increasing
exponentially with each successive attempt (e.g., 1 minute before the following failed
attempt, 2 minutes before the second following attempt), or
• Disable the biometric user authentication and offer another factor (e.g., a different
biometric modality or a PIN/Passcode if it is not already a required factor) if such an
alternative method is already available.”
<Remarks>
‘in series’ deployment = both to pass, And/Conjunction
‘in parallel’ deployment = either to pass, Or/Disjunction
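The series/parallel composition described in (A), (B) and the Remarks above, as an added probability model that is not part of the original slides, NIST's text or any vendor's code; the classes Factor, Series and Parallel, the policy names and every per-factor rate are assumptions constructed for illustration. It also carries the FAR/FRR trade-off that the later articles on this page rely on, by computing both the impostor-acceptance and the genuine-user-rejection probability of each deployment.

```python
# Added example, not from the original slides or from NIST: a small probability
# model of authenticator composition. "In series" = both must pass (AND),
# "in parallel" = either suffices (OR), as defined in the Remarks above.
# Every per-factor rate below is a constructed, illustrative assumption.
from dataclasses import dataclass
from typing import Dict, Tuple, Union

@dataclass(frozen=True)
class Factor:
    name: str
    far: float  # P(impostor accepted) by this factor on its own
    frr: float  # P(genuine user rejected) by this factor on its own

@dataclass(frozen=True)
class Series:
    """All parts must pass: AND / conjunction."""
    parts: Tuple["Node", ...]

@dataclass(frozen=True)
class Parallel:
    """Any one part passing is enough: OR / disjunction."""
    parts: Tuple["Node", ...]

Node = Union[Factor, Series, Parallel]

def impostor_accept(node: Node) -> float:
    """P(an impostor gets through). Leaf factors are assumed independent, so a
    factor that appears on two branches must be factored out first."""
    if isinstance(node, Factor):
        return node.far
    if isinstance(node, Series):
        p = 1.0
        for part in node.parts:  # has to fool every factor
            p *= impostor_accept(part)
        return p
    p_all_reject = 1.0
    for part in node.parts:  # kept out only if every branch rejects
        p_all_reject *= 1.0 - impostor_accept(part)
    return 1.0 - p_all_reject

def legit_reject(node: Node) -> float:
    """P(the genuine user is locked out), same independence assumption."""
    if isinstance(node, Factor):
        return node.frr
    if isinstance(node, Series):
        p_all_pass = 1.0
        for part in node.parts:  # locked out if any required factor fails
            p_all_pass *= 1.0 - legit_reject(part)
        return 1.0 - p_all_pass
    p = 1.0
    for part in node.parts:  # locked out only if every branch fails
        p *= legit_reject(part)
    return p

# Constructed rates (assumptions). For a password, "far" is the chance that an
# online guessing budget succeeds; for a token, that a lost one is misused.
BIOMETRIC = Factor("biometric", far=1e-5, frr=1e-2)
PASSWORD = Factor("password", far=1e-6, frr=1e-3)
TOKEN = Factor("physical authenticator", far=1e-4, frr=1e-4)

# The pattern the slides criticise: biometric with a fallback password in parallel.
BIO_OR_PASSWORD = Parallel((BIOMETRIC, PASSWORD))
# Conventional two-factor use of the same two factors, in series.
BIO_AND_PASSWORD = Series((BIOMETRIC, PASSWORD))
# The 800-63B shape as the slides read it: (A) = token AND biometric, in parallel
# with (B) = token AND (other biometric OR password). With a single biometric
# modality and the shared token factored out (independence!) this collapses to
#   token AND (biometric OR password)
NIST_63B = Series((TOKEN, Parallel((BIOMETRIC, PASSWORD))))
# The "forgot the token" fallback the slides warn against: 63B route OR password.
NIST_63B_WITH_PW_FALLBACK = Parallel((NIST_63B, PASSWORD))

POLICIES: Dict[str, Node] = {
    "biometric alone": BIOMETRIC,
    "password alone": PASSWORD,
    "biometric OR password (parallel)": BIO_OR_PASSWORD,
    "biometric AND password (series)": BIO_AND_PASSWORD,
    "token AND (biometric OR password)": NIST_63B,
    "63B route OR password fallback": NIST_63B_WITH_PW_FALLBACK,
}

def summarize(policies: Dict[str, Node] = POLICIES) -> Dict[str, Tuple[float, float]]:
    """Return {policy name: (impostor_accept, legit_reject)} for side-by-side reading."""
    return {name: (impostor_accept(p), legit_reject(p)) for name, p in policies.items()}

def parallel_weaker_than_parts(node: Parallel) -> bool:
    """The slides' claim: an OR of factors admits impostors at least as often as
    any one of its parts, while locking genuine users out less often."""
    far, frr = impostor_accept(node), legit_reject(node)
    return all(far >= impostor_accept(p) and frr <= legit_reject(p) for p in node.parts)

if __name__ == "__main__":
    for name, (far, frr) in summarize().items():
        print(f"{name:36s} impostor accept {far:.3e}   genuine reject {frr:.3e}")
```

Run stand-alone it prints the six policies side by side; with these rates the parallel fallback admits impostors more often than the password alone, and the "forgot the token" fallback drags the 63B route below the password alone as well, which is the ordering the slides argue.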
< Related Articles >
- P3 Clues to Unravelling Conundrums - Biometrics deployed ‘in parallel’
- P5 Truth does not matter in infosec?
- P6 iPhone X Face ID - What FAR means when it does not come with the corresponding FRR?
- P7 Mitigation of Password Predicament
- P8 Democracy would be dead where the password is killed
- P9 Mix up “Unique” with “Secret” and confuse “Identification” with “Authentication”
Clues to Unravelling Conundrums
- Biometrics deployed ‘in parallel’ as against ‘in series’
In my earlier writing “Truth does not matter in infosec?” I wrote as follows:
--------
So long as the biometrics is backed up by a fallback password, irrespective of which are more
accurate than the others, its security is lower than that of a password-only authentication. Then, we
have to wonder why and how the biometrics has been touted as a security-enhancing tool for so long,
with so many security professionals being silent about the fact.
---------
It appears that we may have got some clues to this conundrum. We had a chance to look at a
document produced by NIAP (National Information Assurance Partnership), in which ‘hybrid
biometrics authentication’ was discussed.
The biometrics advocates got a NIAP committee to positively evaluate the hybrid (two-factor)
deployment of biometrics and passwords by just talking about the 'in series' deployments. Then, the
concept that the hybrid biometrics authentications provide good security was solidly established
with authority. There may have been some more similar cases.
On the other hand, a number of biometrics vendors put biometrics products on the market that
are deployed 'in parallel', without referring, knowingly or unknowingly, to the difference between the
'in parallel' deployments and the 'in series' deployments. I would not like to suspect that there were
choreographers for it. I assume that it might well have happened due to a lack of good communication
and misunderstanding among the people concerned.
The outcome was a number of misguided security professionals and tech media spreading the
misguiding information on a gigantic scale. We are now witnessing the worrying situation that a
number of financial institutions are adopting the 'in parallel' hybrid biometrics for applications
for which they say they require a level of security higher than the password. It is defeating the
purpose.
Well, I am not happy with this uncomfortable hypothesis. I would appreciate it if someone could let
me know of any different materials that might lead us to different observations.
I would also welcome any information on whether the publicized FAR and FRR are empirical or
theoretical and how they are measured, monitored or calculated.
<Remarks>
‘in series’ deployment = both to pass, And/Conjunction
‘in parallel’ deployment = either to pass, Or/Disjunction
Truth does not matter in infosec?
Tech media seem busy arguing which biometrics is better than the others. But it is all
nonsense from security’s point of view. Instead we should ask why security-lowering
measures have been touted as security-enhancing solutions.
Because of its inherent characteristics, biometrics depends on a fallback means in case
of false rejection. In physical security, it could be handled by personnel in charge other
than the user. In cybersecurity, however, it needs to be handled by the user themselves,
in most cases by way of a password that the user themselves needs to feed.
So long as the biometrics is backed up by a fallback password, irrespective of which are
more accurate than the others, its security is lower than that of a password-only
authentication as illustrated in this video. https://youtu.be/wuhB5vxKYlg
Then, we have to wonder why and how the biometrics has been touted as a
security-enhancing tool for so long, with so many security professionals being silent
about the fact.
There could be various explanations – from agnotology, neuroscience, psychology,
sociology, behavioral economics and so on. This phenomenon will perhaps be found to
have provided an excitingly rich material for a number of scientists and researchers in
those fields.
Summary of the video: [image not reproduced in this extraction]
iPhone X Face ID
What FAR means when it does not come with the corresponding FRR?
Answer: It means nothing.
According to some tech media, the FAR (false acceptance rate) of iPhone X Face ID is
said to be one millionth, which might be viewed as considerably better than the reported
one 50,000th of Touch ID.
It is not the case, however. The fact is that which is better or worse can by no means be
decided when the corresponding FRRs (false rejection rates) of Face ID and Touch ID,
which are in a trade-off relation with FAR, are not known. This crucial observation is
seldom reported by major tech media. It is really sad to see the misguided tech media
spreading the misguiding information on a huge scale.
The only meaningful fact that we can logically get confirmed by the trade-off between
FAR and FRR is that the biometrics deployed with a password as a fallback means
against false rejection would only provide the level of security lower than that of a
password-only authentication.
Face ID, which brings down security as such, could be recommended only for those who
want better convenience, as in the case of Touch ID. If recommended for better security,
it would only get criminals and tyrants delighted.
Security professionals are expected to speak up.
30-second video - https://youtu.be/7UAgtPtmUbk
Mitigation of Password Predicament
This article talks about the old and new NIST password guidelines.
https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
It is nice to see the odd recommendations repealed, like the complicated hard-to-recall
passwords which would result in reusing the same password across many accounts and
the regular password change which would result in using the easiest-to-guess
passwords. It is not nice, however, to see ‘passphrase’ and ‘password manager’ being
touted so naively. Caveats should come with these recommendations.
Passphrase: It could be longer and yet easier to remember but it does not necessarily
mean a higher entropy despite the troubles of tiresome typing. It is generally made of
known words that are just vulnerable to automated dictionary attacks.
The cartoon shown in this Verge article reads that 44-bit entropy is hard to guess. It
may be extremely hard for humans to guess, but it would be easy prey for criminals
who possess automated attack software with intelligent dictionaries.
Password Manager: It remembers all my passwords when un-hacked and loses all my
passwords to criminals when hacked. It should be operated in a decentralized
formation or should be considered mainly for low-security accounts, not for the
high-security business that should desirably be protected by all different strong
passwords unique to each account.
Then, what else can we do? Our proposition is “Intuitive Passwords: Passwords to
Succeed Passwords”
http://virtual-strategy.com/2017/04/14/intuitive-passwords-passwords-to-succeed-passwords/
Democracy would be dead where the password is killed
Some security people are advocating that the password should be killed dead. I wonder
if they are aware of what they mean by what they say. A society where login without
users’ volition is allowed would be the society where democracy is dead. It’s a tyrant’s
utopia.
We know that biometrics, which relies on a fallback password, can by no means be an
alternative to the password, that the password is an indispensable factor for
multi-factor schemes and that the security of password managers and single-sign-on
schemes needs to hinge on the reliability of the password.
The password (memorized secret) is absolutely necessary. Don’t let it be killed. Don’t
accept any form of passwordless login.
<Reference>
Slide: Password Fatigue and Expanded Password System
http://www.slideshare.net/HitoshiKokumai/password-fatigue-and-expanded-password-system
Article (7-page): Intuitive Password – passwords succeeding passwords
https://www.slideshare.net/HitoshiKokumai/intuitive-passwords-passwords-succeeding-passwords
Mix up “Unique” with “Secret” and
we would confuse “Identification” with “Authentication”
Biometrics follows “unique” features of individuals’ bodies and behaviors. It means
that it could be well used when deployed for identification of individuals who may be
conscious or unconscious, alive or dead. Due respect could be paid to biometrics in this
sphere.
Being “unique” is different from being “secret”, however. It would be a misuse of
biometrics if deployed for security of the identity authentication of individuals.
Confusing “Identification” with “Authentication”, we would be building a sandcastle in
which people are trapped in a nefarious false sense of security. However gigantic and
grandiose it may look, the sandcastle could melt away altogether when we have a heavy
storm.
And, the storm will come. The question is not “if”, but just “how soon”.
< Videos >
Turn off biometrics where security matters (30 seconds)
https://youtu.be/7UAgtPtmUbk
Biometrics in Cyber Space - "below-one" factor authentication
https://youtu.be/wuhB5vxKYlg
Six Reasons to Believe Biometrics Don't Ruin Cyber Security
https://youtu.be/lODTiO2k8ws
Password-free Life - Utopia or Dystopia? (30 seconds)
https://youtu.be/UJDBZpX1a0U
Password Predicament and Expanded Password System
https://youtu.be/-KEE2VdDnY0
