Biometrics and password logon
Biometrics is popular these days, and it is commonly thought that it can replace password login on systems. Technically speaking, it cannot. It can be built on top of a password scheme, or serve as a second factor for it, but not replace it. The Microsoft Biometric solution, based on Digital Persona, is a good example. There is nothing wrong with that particular solution; it is simply a generic issue with biometrics.
There is no secret in a biometric, only a Boolean “yes/no”. A secret derived from the user’s password can be used for further authentication of the user, to network resources for example, or to protect the user’s content. Biometrics by itself cannot provide the same feature. This is how it works:
A template holding the registration features is stored on the system. During logon, verification features are extracted and matched against the registration features. The result is a ratio of resemblance: if the ratio is sufficiently high, the outcome is “verification accepted”, otherwise it is “verification failed”. The extracted verification features differ on every logon, because their extraction depends on external factors such as the object’s position on the scanner, lighting, the cleanness of the scan surface, and so on.

The only source from which a secret could be derived is therefore the template with the registration features, because it stays the same (for simplicity, assume no learning option is used, since with learning the registration features may be updated too). But that template is effectively public: it has to be revealed at logon in order to do the match, so it is not a secret. If there is no other user secret, the best one can do to protect the template is to encrypt it under some “standard” secret, such as a hard-coded password or one derived from another public source. That is obfuscation, not security, and a secret derived from the registration template is, after all, still not a secret.

We need the first factor together with biometrics to build a secure system; otherwise we end up with an insecure solution in which the user’s password is stored wrapped under some “standard” secret, and the unwrap procedure runs only if the biometric check succeeds. Needless to say, knowledge of that “standard” secret is all it takes to unwrap the stored password without any biometrics.
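To make the argument concrete, here is an added Python simulation of the logon flow just described. It is not code from this post or from any product mentioned in it: the 256-bit template, the noise rate, the acceptance threshold, the hard-coded “standard” secret and the XOR wrapper are all constructed stand-ins. It demonstrates the three properties the argument relies on: the extracted features change on every capture, so no stable key can be derived from them; a key derived from the stored template plus a built-in constant is reproducible from on-disk data alone, so the biometric gate adds no secrecy to whatever it wraps; and a password-derived key is both stable and not stored anywhere.

```python
from __future__ import annotations

import hashlib
import hmac
import random

TEMPLATE_BITS = 256      # constructed: size of the toy feature vector
MATCH_THRESHOLD = 0.85   # constructed: fraction of agreeing bits for "verification accepted"
NOISE_RATE = 0.05        # constructed: per-bit flip probability of one scan

# Constructed stand-in for a vendor's built-in "standard" secret.
HARDCODED_SECRET = b"vendor-standard-secret"


def make_template(seed: int, n_bits: int = TEMPLATE_BITS) -> list[int]:
    """Constructed registration features, standing in for a real enrolment template."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(n_bits)]


def capture(template: list[int], noise_rate: float, seed: int) -> list[int]:
    """Simulate one logon scan: each extracted bit flips with probability noise_rate
    (sensor position, lighting, dirt on the surface). Every capture comes out different."""
    rng = random.Random(seed)
    return [b ^ 1 if rng.random() < noise_rate else b for b in template]


def match_ratio(registration: list[int], verification: list[int]) -> float:
    """Ratio of resemblance: fraction of feature bits that agree."""
    agree = sum(1 for a, b in zip(registration, verification) if a == b)
    return agree / len(registration)


def verify(registration: list[int], verification: list[int],
           threshold: float = MATCH_THRESHOLD) -> bool:
    """Biometric matching yields only a Boolean: accepted or not."""
    return match_ratio(registration, verification) >= threshold


def bits_to_bytes(bits: list[int]) -> bytes:
    return int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big")


def key_from_features(bits: list[int]) -> bytes:
    """Try to derive a key from freshly extracted features: it changes with every capture."""
    return hashlib.sha256(bits_to_bytes(bits)).digest()


def key_from_password(password: str, salt: bytes) -> bytes:
    """Password-derived secret: deterministic, and the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)


def key_from_stored_data(template: list[int], standard_secret: bytes) -> bytes:
    """The only stable key material available without a password: the stored template
    plus a built-in constant. Both live on the machine, so anyone with the disk contents
    can recompute this key; biometrics plays no part in it."""
    return hmac.new(standard_secret, bits_to_bytes(template), hashlib.sha256).digest()


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def wrap_password(password: str, template: list[int], standard_secret: bytes) -> bytes:
    """The convenience design the post warns about: store the user's password wrapped
    under the template-derived key, to be released when the match succeeds."""
    return xor_bytes(password.encode(), key_from_stored_data(template, standard_secret))


def logon(template: list[int], scan: list[int], wrapped: bytes,
          standard_secret: bytes) -> str | None:
    """Biometric logon gate: unwrap the stored password only if matching succeeds.
    The gate is policy, not cryptography: the key does not depend on the scan."""
    if not verify(template, scan):
        return None
    return xor_bytes(wrapped, key_from_stored_data(template, standard_secret)).decode()


def main() -> None:
    template = make_template(seed=1)
    genuine = capture(template, NOISE_RATE, seed=2)
    impostor = make_template(seed=99)
    print("genuine match ratio :", round(match_ratio(template, genuine), 3), verify(template, genuine))
    print("impostor match ratio:", round(match_ratio(template, impostor), 3), verify(template, impostor))
    print("feature-derived keys equal across captures:",
          key_from_features(genuine) == key_from_features(capture(template, NOISE_RATE, seed=3)))
    wrapped = wrap_password("hunter2", template, HARDCODED_SECRET)
    print("logon with genuine scan :", logon(template, genuine, wrapped, HARDCODED_SECRET))
    print("logon with impostor scan:", logon(template, impostor, wrapped, HARDCODED_SECRET))
    print("unwrapped from stored data alone:",
          xor_bytes(wrapped, key_from_stored_data(template, HARDCODED_SECRET)).decode())


if __name__ == "__main__":
    main()
```

Running the file prints the genuine and impostor match ratios, shows that two captures of the same user never yield the same feature-derived key, and shows that the wrapped password comes back out of `key_from_stored_data` alone, which is exactly why the post insists the password (or another real user secret) must remain the first factor.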
Certainly, systems that use biometrics as a single factor have every right to exist, and they do exist, because they provide better usability. But keep in mind that they are not a replacement for the password; otherwise the result will be a very, very bad system.