Quick Money from False Sense of Security – Ethically Dubious Business Practice
Lure of Quick Money


Summary: The password is insufficient, but not harmful. Biometrics is harmful, and not sufficient. 

Attempting to make quick money by spreading a false sense of security is ethically dubious and practically suicidal.

- Is the password weaker than biometrics?

It is not feasible to compare biometrics on its own, which is probabilistic, with a password on its own, which is deterministic. And, in reality, how could we select the test samples to compare from among the numerous possible combinations, say, between the two extremes of ‘the securest password vs the least accurate biometrics’ and ‘the poorest password vs the most accurate biometrics’? If we hear someone saying that biometrics is more secure than passwords, we should doubt their integrity.


On the other hand, it is feasible and logically correct to compare (1) a password with (2) biometrics backed by the same password as a fallback measure against false rejection/non-match of the biometrics. Logic leads us to conclude that (2) is inevitably weaker than (1), as outlined in this video - https://youtu.be/wuhB5vxKYlg


As for the perplexing security effect of liveness detection now being touted as a countermeasure against biometrics spoofing, this article might help to unravel the conundrum - "Spoofing and Liveness-Detection of Biometrics"

- Is Biometrics-only Authentication achievable?

If taken narrowly and literally, 'biometrics-only authentication' could bring such tragedies as reported in India and examined in this article - "Unnecessary Deaths Presumably Brought By Biometrics Misunderstood"


It also brings a 1984-like Dystopia. Democracy is dead where our identity is authenticated without having our will/volition confirmed.



If taken broadly and ambiguously as 'biometrics-only authentication that is backed up by a default/fallback password/pincode', it only brings security down to a level lower than that of password/pincode-only authentication, as analyzed in the above video and in this article - "Early models of smartphones were safer than newer models - How come?"

- What can we gain from bringing in biometrics into multi-factor authentication?

A password and a physical token can each be used on their own and also as a second layer in a 'multi-layer' deployment, whereas biometrics cannot be used on its own but must always be used with another authenticator in a 'multi-entrance' deployment.

This means that biometrics cannot be a factor of the true multi-factor authentication that is supposed to be deployed in a security-enhancing 'multi-layer' method. Biometrics-involved multi-factor authentications would inevitably bring down the security that could otherwise be maintained.
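The 'multi-layer' versus 'multi-entrance' comparison above, and the earlier comparison of (1) a password with (2) biometrics plus a fallback password, can be written out as follows. This is an added worked derivation, not part of the original article or of the analysis it links to; the symbols $p$, $b$, $r_p$, $r_b$ and the sample numbers are assumptions introduced here.

Let $A$ be the event that an attacker defeats the password, with $P(A) = p$, and $B$ the event that the attacker defeats the biometrics (false acceptance or spoofing), with $P(B) = b$.

$$
P_{\text{multi-entrance}} = P(A \cup B) = p + b - P(A \cap B) \;\ge\; \max(p, b)
$$

$$
P_{\text{multi-layer}} = P(A \cap B) \;\le\; \min(p, b)
$$

Both bounds hold without any independence assumption, so

$$
P_{\text{multi-layer}} \;\le\; p \;\le\; P_{\text{multi-entrance}},
$$

with equality on the right only when $P(B \setminus A) = 0$, that is, when the biometric entrance gives the attacker no way in that the password does not already give.

If the two events are additionally assumed to be independent:

$$
P_{\text{multi-entrance}} = 1 - (1-p)(1-b) = p + b - pb, \qquad P_{\text{multi-layer}} = pb
$$

With constructed sample values $p = 10^{-4}$ and $b = 10^{-3}$, this gives $P_{\text{multi-entrance}} \approx 1.0999 \times 10^{-3}$ (about eleven times the password alone) and $P_{\text{multi-layer}} = 10^{-7}$.

The same algebra applied to the legitimate user shows what the fallback buys. With $r_p$ and $r_b$ the probabilities that the genuine user is rejected by the password and by the biometrics, and again assuming independence:

$$
R_{\text{multi-entrance}} = r_p\, r_b, \qquad R_{\text{multi-layer}} = 1 - (1-r_p)(1-r_b)
$$

The multi-entrance deployment lowers the chance of locking out the genuine user and raises the chance of admitting an attacker; the multi-layer deployment does the opposite.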


We ought to be very careful about what security professionals tell us. Many of them are ignorant of or indifferent to the opposite security effects of two authenticators used in 'multi-layer' and 'multi-entrance' deployments, as analyzed here - "Quantitative Examination of Multiple Authenticator Deployment"

We often hear some professionals say that we should not make a ruling on biometrics by looking at its current performance but should take into account that biometrics technologies are improving.

What would you say if you hear pharmaceutical companies stating "We recommend this drug for your healthier life. At present this drug is harmful to your health but we expect that it will evolve to become really effective sometime in the future. So please take this drug now"?

- Haven’t the biometrics promoters been building a huge sandcastle?

Biometrics is said to be growing to be a gigantic business as reported here - https://www.biometricupdate.com/201910/biometrics-research-notes-banking-systems-asian-retail-and-smart-tickets

It reads "Biometrics systems will generate over $65B by 2024, according to new research, with growth in different areas for different regions. Signs are also positive for the industry in banking and securities, Asian retail, and smart ticketing, with significant investments anticipated in each."

The figure of $65 billion is really mind-boggling even if it is bloated 10 times! Then, it should be extremely exciting to imagine what will happen when the myths of biometrics as examined above get debunked in front of the public and the gigantic castle of biometrics proves to have actually been a sandcastle. We might well be watching a huge vacuum generated where there was the gigantic sandcastle.

- This false sense of security has been benefiting criminals, hasn’t it?

As examined above, biometrics has continuously contributed to providing a favorable environment to criminals, not to citizens, for more than a decade, and the public has been misled to believe that biometrics has provided better security for citizens. This false sense of security might well keep causing huge damage to our societal life for many more years unless we speak out articulately right now.

The password is insufficient, but not harmful. Biometrics is harmful, and not sufficient. Attempting to make quick money by spreading a false sense of security is ethically dubious and practically suicidal.



< Related Articles >

Update - History, Current Status and Future Scenarios of Expanded Password System

Biometrics and Me

 Publication on EDPACS of Taylor & Francis


#identity #authentication #password #security #safety #biometrics #ethic #privacy #civilrights #democracy

John Marrett

Helping mid-sized organizations increase sales and improve customer service since 1993 | #LinkedInLocal

5 years ago

A Chinese facial recognition system in a Canadian food store? Yes it's convenient ... but Canadian faces end up in some facial recognition database in China? ----- SnapPay launched the facial recognition technology earlier this month, which it says will allow customers to quickly pay for goods using a snapshot of their face, minimizing the time spent at checkout. Customers will be able to submit a three-dimensional scan of their face and then link it to their payment account. When in store, a relatively quick scan of a customer’s face will process the payment. The technology was developed by SnapPay in Toronto, with some of the hardware coming from China, where facial recognition systems are more commonplace. From: https://finance.yahoo.com/news/pay-with-your-face-coming-to-canada-not-everyone-on-board-142613931.html

Debesh Choudhury, PhD

Information Security Researcher, Academician, Entrepreneur | Password & Cybersecurity, Digital Identity, Biometrics Limit, 3D Education | Linux Trainer | Writer | Podcast Host

5 years ago

The right assessment Hitoshi Kokumai - "The password is insufficient, but not harmful. Biometrics is harmful, and not sufficient" .. Convenience is the weakest link in security.
