Part I of this series on biometrics addressed Microsoft's Windows Hello -- a biometric platform to be built into Windows 10. Windows Hello is based on standards developed by the FIDO Alliance. FIDO (Fast IDentity Online) is a nonprofit organization whose mission includes developing standards for global adoption that will "reduce the reliance on passwords" worldwide.
Microsoft argues -- with some hand-waving about local storage of login credentials -- that its new biometric system will be superior to, and more secure than, passwords (Windows Hello's local storage of biometric data notwithstanding). I concluded that passwords are only as problematic as the ignorance or stupidity of their users.
Paternalists might argue that this is exactly why broad adoption of biometrics is needed -- to protect people from themselves. Microsoft's new approach to passwords is inspired by one of the biggest paternalists of all: the federal government.
The company's password scaremongering -- presenting the idea that biometrics are accessible and friendly while stored passwords are ripe for the taking (and decrypting) by any random schlub -- echoes that of the Obama Administration's National Strategy for Trusted Identities in Cyberspace (NSTIC) -- most noted for its explicit goal of getting everyone in the US to have a federal Internet ID. Indeed, Microsoft notes that its desire to rely less on passwords and more on biometrics is part and parcel of strategies hashed out at February's White House Cybersecurity and Consumer Protection Summit. One of the Obama Administration's top five cyber security priorities, as elucidated in conjunction with the Summit, is "moving beyond passwords."
The US government has a special interest in achieving universal biometric adoption. Unlike passwords (sometimes), biometrics -- as plain facts and features of a person's body -- are not Constitutionally protected. Law-enforcement agencies are not always successful in compelling a person to reveal a password because of Constitutional protections against self-incrimination. But the US Constitution affords no such protections against self-incrimination where fingerprints and other biometric factors are concerned, because of the difference between admissions and observable biological facts. Hence, in certain situations, US law enforcement agencies have the power to literally force someone's finger, face, or other body part to a biometric scanner to access his or her data.
[Read the other two articles in this series: Bypassing The Password, Part 1: Windows 10 Scaremongering and Bypassing The Password, Part 3: Freedom Compromised.]
Biometrics are further problematic for data privacy and security interests for the same reason that makes them attractive for data security: biometric markers are inherently tied to an individual's identity. Passwords can be easily shared, but that is not the case with biometric markers -- short of having the relevant body part(s) physically removed.
Biometrics are far from hack-proof (see this, this, this, this, and this), and a human being only has so many fingerprints, so many irises, and so many other unique body parts. If people's biometric markers become compromised, they are limited in how they can change their biometric-reliant login credentials. (Consider the potential problem if the affected body part is injured in a way that makes it unreadable.) Available passwords, however, are nearly infinitely plentiful.
Biometrics also make it difficult to protect one's identity on the Internet. As ZDNet's UK editor-in-chief recently observed while reporting on Windows Hello and FIDO:
"In some ways, biometrics may be too perfect a way of proving our identity. For many services, a vaguer sense of identity is more appropriate: most people would be uncomfortable about an auction site or ... [a] once-visited online retailer having access to such intimate details. Online identity has often been ambiguous, fleeting, and shifting for all sorts of reasons. Biometrics provide an absolute level of identity that must be used carefully."
Meanwhile, pseudonymity -- which has allowed popular sites like Reddit and Twitter to thrive -- has proven to be integral in enabling protest against oppressive government regimes.
Security pundits have raised further concerns about the security of elliptic curves adopted as standards by the National Institute of Standards and Technology (NIST) -- such as the type relied upon by FIDO -- in the wake of Edward Snowden's revelation that the NSA inserted a backdoor into at least one such NIST encryption standard. (NIST, incidentally, is the agency spearheading NSTIC.)
Cyber security innovation and experimentation should generally be applauded, but -- even if unwittingly and unwillingly so -- FIDO's biometrics may wind up serving as a lapdog for government interests.