Thursday, August 11, 2016

Biometrics – Have your fingers been pwned?


First to start with I believe biometrics are in many ways the future of authentication but sometimes people forget to think about the bad sides as well – when they get too excited. I wanted to take some time and write down my thoughts on this and related topics. I’m talking about Security Internals in Estonia this year (http://koolitus.ee/blackbelt/) and I started to gather my thoughts on current trends in security and that gave me the inspiration to write this article. One important trend in my life also changed dramatically this summer as I and my family moved to iPhones. I still think that Windows OS is the best one that there is for mobile phones but at some point the lack of stability and apps just threw me over the Edge. “Over the Edge” in this context is actually just funny if you ask me ;) The iPhone introduced me with the simplicity of using my fingerprint to authenticate to my phone and boy did I welcome this ease! After the honeymoon with my new iPhone I started to seriously consider about this. In the next few paragraphs I’m going to talk about some common questions/comments I get and some points that I don’t believe all people totally understand.

 

#1 Ease of changing a password

 

I hope all of you know the best website out there monitoring system breaches called http://haveibeenpwned.com/ It’s run by a fellow PluralSight author and highly appreciated security expert called Troy Hunt. So what if you lose a password as you just need to change it, right? Right. So now what happens if your biometrics get stolen? You change your finger? Or even worse your face or your retina? So to cut corners a bit you can only be ten times pwned when it comes to your fingerprints.

 

#2 Lack of true biometric data in Windows

 

This is what I hear quite often: “Why do we still need to use a password in Windows which is then protected by a PIN or a biometric info? Why can’t we yet in 2016 save the biometric data to Active Directory and just use that?” Think about the previous point and the bad thing about not using a password. If your fingerprint is value 400 and your password is value 400 we can calculate a value of 160000 by multiplying them. If I lose my biometric data to someone I just need to change the password to invalidate the result. So from this perspective I am happy that my true biometric data is not stored in my AD as it would make it more probable for someone to steal my true identity and a lot harder for me to recover when it happens – and it will.

 

#3 Difference between physical and mental proof of ownership

 

By law in US you can be forced to use your finger or your “face” to open your device. By law you cannot be forced to give your PIN code to open your device. I would say I have nothing to hide and I’m not a criminal so it doesn’t really matter but many people don’t like the fact that a device with a biometric protection can be used to incriminate you and one with a PIN code can’t.

 

#4 Why Windows wants me to use a 4 digit PIN code when I have a 16 character password?

 

When you install Windows 10 and start using any cloud related features it will ask you to change to using a PIN code even if your password would be a lot stronger mathematically. This is because this PIN code protects your password on that certain device. If your real password is stolen all of your physical devices can be used to access your data but with the PIN code only that one device is compromised. That is if you use a different PIN on different devices – As this has always been the suggested best practice I’m sure all of you adhere to it ;) BTW. If your computer has a TPM then that is used to store the PIN making it very secure but if you don’t have one then the PIN is actually just saved in the registry making it a lot less secure.

 

#5 How do I do it?

 

To finalize I believe it’s fair to share how I do it personally. So here are some of my best practices I know I use and I also really, I mean REALLY, have the strength to follow.

 

-          My Windows passwords are always passphrases that have at least 15 characters, have at least characters from three different character sets and have numbers in the middle. So for example Jakedrank16beers! is a very good password but easy to remember. Most people use numbers at the beginning or the end and that’s also programmatically a lot easier to break so put them in the middle. I’m not trying to play Mother Teresa here so next time Jake might have drunk 17 beers ;)

-          I protect that password with facial detection on my SurfaceBook and with different PINs on my tablets that don’t have a keyboard.

-          I will never buy a device that doesn’t have a TPM, and I’d prefer them to have an IO-MMU for future features.

-          When signing in to websites I have a strong base-password but I use the two first letters of the websites Top Level Domain name to make it more unique.

-          I always use a password manager. I prefer LastPass although I hate that they were acquired by LogMeIn and I know they have had their break ins. It is still the only tool that does everything I need.

-          I never logon as an Admin to my workstations! And my Domain Admins are always prevented by policy from logging on to any computer except Domain Controllers

-          And YES, on my iPhone I use a fingerprint – the ease of use wins in my case – at least with my personal phone.

-          If you would ask me what the secure authentication of my choice would be I would like it to be a PIN+Biometrics so I could have a strong protection, easily change the password, not forget my dongles and not too complicated a method to use.

 

Stay safe,

 

Sami

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.