Heartbleed: Biometrics are not the answer

Following on from Heartbleed, there have been poorly judged calls from many quarters to change all your passwords.

Quite rightly many are using this to say we have to do better than passwords. However, I heard one (nameless) commentator on BBC Radio 5 suggest using biometrics, citing the iPhone 5s; the BBC also refer to biometrics in their Heartbleed article.

Sir, you are confused! 

I have used biometrics on my laptop for a while; it makes logging onto the laptop easier. It makes logging into some web sites easier.

But this does not solve my password issue.

Fundamentally, the biometric is used to release a stored password, which the underlying software then copies into the web site's password box for you. The web site still receives and checks a password, so the underlying security mechanism is still a password and is exposed to exactly the same things: a Heartbleed-style leak of the server's memory while it is handling that password gives an attacker the same reusable credential, however the password was released on your side. In this context, sure, use biometrics, but for usability, not security.

2 thoughts on “Heartbleed: Biometrics are not the answer”

  1. In the case of heartbleed, passwords weren’t the cause – they were the (potential) victim. The risk of exposing data through forcing an effective buffer overflow to reveal the session key was there, regardless of the authentication mechanism used.
    As far as biometrics are concerned, when used as the key to a password vault then no, they do not solve the password problem. However, if you use a fingerprint to authenticate to a private key held securely on your device, then authenticate using challenge-response, they can actually present a viable solution. This could be used for certificate-based authentication (replacing the PIN with a biometric, as per match-on-card PIV cards) but is also the motivation behind FIDO, where a certificate-less PK protocol provides both convenience and high security. It is early days yet, but there is some hope that the days of passwords are numbered.

