Bypassing The Password, Part 2: Trusted Identities - InformationWeek

Government // Cybersecurity | Commentary | 4/21/2015 08:00 AM | Joe Stanganelli

Bypassing The Password, Part 2: Trusted Identities

The federal government's collaborative efforts with the private sector to "mov[e] beyond the password" are difficult to trust when there are potentially ulterior motives at play.

Part I of this series on biometrics addressed Microsoft's Windows Hello -- a biometric platform to be built into Windows 10. Windows Hello is based on standards developed by the FIDO Alliance. FIDO (Fast IDentity Online) is a nonprofit organization whose mission includes developing standards for global adoption that will "reduce the reliance on passwords" worldwide.

Microsoft argues -- with some hand-waving about local storage of login credentials -- that its new biometric system will be superior and more secure than passwords (Windows Hello's local storage of biometric data notwithstanding). I concluded that passwords are only as problematic as the ignorance or stupidity of their users.

Paternalists might argue that this is exactly why broad adoption of biometrics is needed -- to protect people from themselves. Microsoft's new approach to passwords is inspired by one of the biggest paternalists of all: the federal government.

The company's password scaremongering -- presenting the idea that biometrics are accessible and friendly while stored passwords are ripe for the taking (and decrypting) by any random schlub -- echoes that of the Obama Administration's National Strategy for Trusted Identities in Cyberspace (NSTIC) -- most noted for its explicit goal of getting everyone in the US to have a federal Internet ID. Indeed, Microsoft notes that its desire to rely less on passwords and more on biometrics is part and parcel of strategies hashed out at February's White House Cybersecurity and Consumer Protection Summit. One of the Obama Administration's top five cyber security priorities, as elucidated in conjunction with the Summit, is "moving beyond passwords."

(Image: Geralt via Pixabay)

The US government has a special interest in achieving universal biometric adoption. Unlike passwords (sometimes), biometrics -- as plain facts and features of a person's body -- are not Constitutionally protected. Law-enforcement agencies are not always successful in compelling a person to reveal a password because of Constitutional protections against self-incrimination. But the US Constitution affords no such protections against self-incrimination where fingerprints and other biometric factors are concerned, because of the difference between admissions and observable biological facts. Hence, in certain situations, US law enforcement agencies have the power to literally force someone's finger, face, or other body part to a biometric scanner to access his or her data.

[Read the other two articles in this series: Bypassing The Password, Part 1: Windows 10 Scaremongering and Bypassing The Password, Part 3: Freedom Compromised.]

Biometrics are further problematic for data privacy and security for the very reason that makes them attractive for data security: they are inherently tied to an individual's own body. Passwords can be easily shared, but biometric markers cannot be -- short of having the relevant body part(s) physically removed.

Biometrics are far from hack-proof, and a human being has only so many fingerprints, so many irises, and so many other unique body parts. If a person's biometric markers are compromised, there is little room to change biometric-reliant login credentials. (Consider the further problem if the affected body part is injured in a way that makes it unreadable.) Available passwords, however, are nearly infinitely plentiful.

Biometrics also make it difficult to protect one's identity on the Internet. As ZDNet's UK editor-in-chief recently observed while reporting on Windows Hello and FIDO:

"In some ways, biometrics may be too perfect a way of proving our identity. For many services, a vaguer sense of identity is more appropriate: most people would be uncomfortable about an auction site or ... [a] once-visited online retailer having access to such intimate details. Online identity has often been ambiguous, fleeting, and shifting for all sorts of reasons. Biometrics provide an absolute level of identity that must be used carefully."

Meanwhile, pseudonymity -- which has allowed popular sites like Reddit and Twitter to thrive -- has proven to be integral in enabling protest against oppressive government regimes.

Security pundits have raised further concerns about the security of elliptic curves adopted as standards by the National Institute of Science and Technology (NIST) -- such as the type relied upon by FIDO -- in the wake of Edward Snowden's revelation that the NSA inserted a backdoor into at least one such NIST encryption standard. (NIST, incidentally, is the agency spearheading NSTIC.)

Cyber security innovation and experimentation should generally be applauded, but -- even if unwittingly and unwillingly so -- FIDO's biometrics may wind up serving as a lapdog for government interests.

[Continue to the next article in this series: Bypassing The Password, Part 3: Freedom Compromised]


Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including US News and World Report and Personal Real Estate Investor Magazine. Joe is also ...
Comments
HAnatomi, User Rank: Apprentice
4/23/2015 | 4:02:05 AM
Physical security vs cyber security
That biometrics work for physical security does not mean that they also work for cyber security. For the former we can assume there are managers who take care of falsely rejected users, but not for the latter.
PeterF028, User Rank: Moderator
4/22/2015 | 2:29:37 PM
Biometrics necessary when IoT hits mainstream?
No doubt about it, IoT is going to usher in a number of new risks that IT will need to overcome. And, I wonder if biometrics could play a role in helping control who is accessing this growing stream of data, and systems for that matter. All we really know is that today's common practices will not be enough. Peter Fretty, IDG blogger working on behalf of Cisco
driverlesssam, User Rank: Strategist
4/22/2015 | 11:29:08 AM
There is a downside
Sometimes I want someone else to access my phone, e.g., when I misplace my phone and then call it, no one can answer it to tell me where it is.
PedroGonzales, User Rank: Ninja
4/21/2015 | 1:39:04 PM
giving biometric a chance
I think biometrics isn't ready to make it mainstream. All new technology has many issues. I do not know whether biometric opponents will be able to forgive some of these issues so biometrics can make it to the real world.