Administrator’s Guide, Part 2: Passwords Are Safer Than Biometrics, PINs Are Just Passwords, and Other Tall Tales
Part of our Administrator's Guide to Passwordless blog series
Tall Tale #1: PINs Are Just Passwords
In Part 1, we talked about how passwordless authentication is still multi-factor:
Possession of a private key, ideally stored on a piece of secure hardware
A biometric or PIN the authenticator uses to locally verify the user’s identity
Reasoning about a PIN being used as a factor is simpler than a biometric. A PIN is simply a password, with a few key differences. The most critical difference is the context in which it is used for authentication in WebAuthn. Unlike a password, which is transmitted to the website and checked against the website’s record (hopefully, a salted hash, and not a copy of the password itself), a PIN is used only to unlock the credential stored on the local authenticator device. There is no central repository of user PINs for an attacker to breach and steal, no remote access to the authenticator for an attacker to brute-force over the network. The only way to unlock the credential is for the user to locally, often physically, interact with the authenticator device and enter the PIN.
By way of analogy, let’s consider the teleporting burglar problem. Why a teleporting burglar? Because remote attacks on the internet are similar in nature — an attacker can instantly “travel” to any “door” in order to attempt a theft. To reduce the risk of a burglar who can teleport, we can (a) make our keys harder to forge and our locks harder to pick, or (b) stop the burglar from being able to teleport.
Burglars who have to walk from house to house are much less of a threat. By enforcing local authentication via PIN, we effectively force remote attackers to “walk” to each account they want to hack. Even weak local authentication stops most remote attacks cold. Switching to local evaluation of a user’s identity eliminates several entire categories of attacks that impact organizations and individuals today.
Because a user must be able to locally access the authenticator to enter the PIN, and authenticators often lock after a small number of incorrect attempts, the complexity requirements we associate with “good” passwords may not be necessary. Using numbers, symbols, capital and lowercase letters, with a minimum character count, all aim to deter attackers who can brute-force guess trillions of passwords per second. When an attacker gets 10 guesses total and has to enter them all by hand, a random six-digit numerical PIN (search space of one million) becomes sufficient to block bad actors, and is substantially more practical to enter on some devices than a complex password.
Nevertheless, it can be hard to shake off a vague sense of uneasiness around using such a weak “password” as an authentication factor. Is this because we’re worried about remote attacks? Hopefully not. But what about local attacks? Shoulder surfing? Someone recording us unlocking our devices? Fingerprints on the glass that reveal which digits were pressed? Hollywood and its abundance of spy movies give us some great ideas for how a local PIN might be attacked. So if local attacks are part of your threat model, let’s consider biometrics.
Tall Tale #2: Passwords Are Safer Than Biometrics
Biometrics get a bad rap. They’re basically magic. And by magic, we mean difficult to reason about. There are many different kinds of biometric sensors, and even two sensors that measure the same biometric feature, such as a fingerprint, may do so in completely different ways, and be subject to completely different attacks.
At the lower end of the spectrum, biometric sensors like optical fingerprint sensors and single-lens cameras for facial recognition can be spoofed with photos printed by a $50 inkjet printer. On the higher end of the spectrum, facial recognition sensors like Apple’s Face ID and Google’s Face Unlock use multiple cameras and near-infrared dot emitters to capture a 3D facial map. Combined with 2D color imagery, and sometimes liveness detection, the bar is raised quite high. While headlines like to broadcast doom and gloom for biometrics, such as the 2019 BlackHat USA demonstration against Face ID, the truth is these biometrics are really quite secure.
"The attack comes with obvious drawbacks — the victim must be unconscious, for one, and can’t wake up when the glasses are placed on their face." —Lindsey O'Donnell, ThreatPost
In 2020, Talos did an investigation of fingerprint sensors and their practical spoofability on a reasonable budget. Despite achieving great success rates spoofing most of the devices they tested, they ultimately felt it was a difficult process.
When evaluating the security of biometrics in the context of passwordless authentication, the bar we have to beat is to be stronger than a local (often 6-digit) PIN. A biometric, measured and analyzed locally, inherits the same game-changing properties as the PIN does. It unlocks the unguessable, private credential stored on the authenticator device itself, and avoids sharing a cloneable secret with the web server — so even if it becomes compromised someday, it cannot compromise credentials used on other sites. The biometric can only be attacked locally in analog space, eliminating much of the risk of remote attacks entirely (more on the topic of remote attack mitigation in Part 3).
"We defined the threat models starting from the collection methods. The creation process is time-consuming and complex. We had to create more than 50 molds and test it manually. It took months. Once we created an accurate mold, the fake fingerprint creation was easy. Today, by using our methodology and our budget it is not possible to create a fingerprint copy on-demand and quickly." —Paul Rascagneres, Security Researcher, Talos Security and Vitor Ventura, Technical Lead/Security Researcher, Talos Security
Tall Tale #3: Biometrics Are Secrets
Another point that bears mentioning: Biometrics are also used in an entirely different context than we discuss here. That is, while biometrics can be used for authentication, they can also be used for surveillance. Luckily, there’s a fairly easy way to differentiate between these: whether your biometric information is stored in a centralized database with biometric information of many other people, or kept local to the one device that you used to generate your credential. For instance, biometrics used at border crossings, despite being used to identify users, are checked against a central database rather than a device you carry locally with you, and so fall under the surveillance category.
This distinction is significant for several reasons, both technical and non-technical. Surveillance itself is a thorny topic with both legitimate and illegitimate uses, and the ethical boundaries of surveillance and privacy are an area of significant public debate. This clouds the discussion around the use of biometrics for authentication, which is highly privacy-preserving.
Additionally, the use of central databases risks large-scale biometric leaks, as occurred in the CBP biometric leak (2019), Biostar Leak (2019), OPM Hack (2015), SenseNet (2019), and was feared during ClearView AI’s account breach (2020). Biometric data is often considered sensitive or personal information under laws and regulations such as HIPAA, CPRA, and BIPA, with harsh penalties for data leakage, creating even further risk for storing it centrally.
However, the single most significant distinction between authentication and surveillance is that surveillance relies upon a remote representation of a user’s biometric. To fool a remote biometric check, I must simply submit a digital equivalent to the remote verification engine. A digital representation of a biometric is trivial to replicate and distribute, and is therefore an incredibly weak proof of identity. The original, physical, biometric is very difficult to replicate with sufficient fidelity to pass as the original. By verifying a biometric locally, you gain a high level of assurance in the user’s identity. By verifying a biometric remotely, you verify that the user is in possession of a shared secret that is the user’s digital biometric.
Biometrics may be sensitive and personally identifiable, but they aren’t secrets. Evaluating a biometric digitally, remotely, turns the biometric into a password that can never be changed and that you wear around on your face all day. In short, remote biometric matching should be considered distinct, separate, and vastly inferior to local biometric authentication.
Today, there are really good, easy to use, biometric-based authenticators that achieve the right security properties — and best of all, you may already have many of these in your environment:
Apple Face ID and Touch ID
Google Face and Fingerprint Unlock
Yubico Yubikey 5 Bio (coming soon)
This isn’t meant to be an all-inclusive list, or to advertise or advocate for any particular product or vendor. Instead, it’s meant to illustrate that your users probably already have a FIDO2-capable and secure authenticator in their pocket, and even if they don’t have one today, your organization’s equipment refresh cycle may supply your users with one or even multiple secure authenticators, simply as a side effect.
Duo’s Passwordless Authentication Resources
Explore more of our Administrator's Guide to Passwordless blog series
Learn more about our upcoming passwordless authentication solution, and sign up for updates
Read our white paper, Passwordless: The Future of Authentication
Watch our webinar, How Duo is Making Passwordless Progress Easier
Watch a Threatwise TV video that discusses and demos Duo passwordless authentication
Read a Cisco blog by Product Marketing Manager Ted Kietzman explaining why passwordless is just one part of a holistic security strategy
Try Duo for Free
Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.