In defense of biometrics
Say no to passwords.
Hi! Can here again. Today, we talk about biometrics.
One of the many joys of moving to the US is discovering the madness that is Social Security Numbers. My first experience with them was defined by my lack of one. Around 15 years ago, I was at a Cingular store in Squirrel Hill in Pittsburgh, trying to get a phone number. The first person trying to help me was new, so he didn’t know how to proceed. Luckily, another clerk showed up and, having dealt with foreign students before, did some magic, and I was then the owner of my first (and still the same) American phone number. I didn’t like my phone one bit, and it was pretty eventless.
It would only become clear to me a couple years later what that guy did when I tried to get an iPhone —the first one, mind you— at the Apple Store in Shadyside. Apple’s then-brand-new (and quite buggy) activation system on iTunes asked me for my SSN, and I blanked out. I didn’t have one. Somewhat unsurprisingly, the Apple Store guy (Genius?) asked me if I was a foreign student, I said yes, and then he entered 999-99-9999 as my SSN. And then, there I was, the proud owner of a brand new iPhone. My new internet communications device brought me many joys, and my ownership of it was pretty eventful.
I bring Social Security Numbers up because they are stupid. Of course, now that I am a real person who makes money and stuff, I have a real one, but I do not like the concept one bit. There’s nothing to love about it. They are sort-of-random, but only as of recently. You are supposed to keep it a secret, except every other form you have to fill out as an adult requires it. You aren’t supposed to share them with anyone, but customer service agents will casually ask you for it (my employer has solutions for this) and harass you when you refuse to repeat it on the phone. If someone asked you to design a database schema where the unique ID is the same as the password, you’d be fired in an instant, but here we are! Social Security Numbers, as they are currently used in many systems, are both usernames and passwords. It’s just stupid throughout.
But, OK, you know what else is stupid? Passwords. They are. I hate passwords with a passion. I hope they go to hell. Of course, I use a password manager because it’s the right thing to do, but I am also glad it’s called 1Password because that’s the number of passwords I can bother having in my life. I also have a couple other passwords, or rather pass phrases really, for a couple computers I own, but that’s about it. None of you should be remembering more than a few passphrases.
There are so many things wrong with passwords. For starters, many of you use a single password for all the services you use (somewhat ironically, the SSN mistake again, only from the other side this time). “Password re-use” is the industry term here, and it’s so rampant that if you’ve been re-using a password for a while, it’s probably already out in the clear in many of the hacked databases. I know mine is. In fact, you can even read about my password on TechCrunch.
But that’s just the biggest problem, and there are so many. Another is that everyone, at some point, misuses passwords to the point where they don’t even protect anything. Often, they are stored with hashing so weak that an underpowered laptop is all you need to crack them. Other times, people don’t even bother hashing them, so you end up with the leaks mentioned above. I wrote about these before.
And there are human problems too. Passwords are supposed to be things only you know, but people are generally bad at remembering things they don’t use often. So you have to design your service with “forgot password” functionality in mind. The so-called account recovery flows are not just painful to implement, they are generally hard to get right, often becoming one of the first attack vectors. The easier you make it for people to recover their accounts when they lose a password, the more gaping holes you open in your system. My co-author Ranjan pointed out that this is, in fact, how John Podesta got hacked, and we all know how that turned out. It’s not that we are at risk of the liberal world order collapsing because of credential management, but passwords certainly didn’t help.
Look, I can sit here and tell you hundreds of other ways passwords are bad. You know what fixes them? Not having them in the first place! Yet, you obviously need something to replace them with, in order to, as we say in the industry, “authenticate” yourself. You need something that is unique to you, that you and only you have access to, that you can’t easily misplace, forget, lose, or generally be without.
And I know you won’t like this, but replacing them with your biometrics is the end solution here. Your fingerprints, or your face, or retinal patterns; pick anything. They are all better than your passwords. This, however, is a touchy subject. Part of our goal on Margins, both for Ranjan and me, is to explore these ideas out in public and see what you all think.
A common refrain among the engineer types against using biometrics is that you can’t “rotate” them, which is an odd way to say “change.” The notion flows from what is a common security practice for managing electronic keys (which are really passwords between computers, not meant to be read by humans but still kept secret). In order to shrink the time window during which an exposed key leaves you open to attack, server admins rotate, or change, their keys periodically. There are arguments against this, as people often screw this up and actually end up exposing themselves, but it remains a generally accepted good practice.
Of course, biometrics do have this problem of being tied to your bio, and hence being impossible to rotate. Yet, I think this is not a huge problem for a couple reasons. First of all, there’s the philosophical argument that this is a feature, not a bug; that your body is generally (with some notable exceptions) unique and consistent across time. Of course, people age, and you can alter some of your measures in some painful (or not?) ways, but specific biometrics stay the same.
But more importantly, the big reason to rotate keys is that it’s actually pretty easy to reproduce a computer key, which is just a piece of text. Biometrics, if done right (again, a big if), are much harder to reproduce. You can, for example, steal someone’s digital representation of their retinal scan, but currently, we do not have the technology to reproduce a retina without the pesky human thing it’s attached to. Moreover, even if you could, it would still take a lot more effort than, say, entering something on a text field or copy-pasting a computer key. People made fun of Apple when it first launched TouchID, but remember it was replacing a system where you entered 4 digits on a flashing screen in public. The threat models make a difference.
The Problem Isn’t the Technology
A more serious problem with biometrics is more political than technical. As technology improves, so does biometrics technology. When I had my first computer, detecting a face on an image seemed like an insurmountable problem. By the time I was in college, not just detecting but identifying someone on a well-lit picture was a sophomore-level homework project. Today, a decade or so later, you can download a library from GitHub to do all that for free and run it on a $5 chip tied to a $10 camera.
The darker implications are pretty obvious, and we are seeing some of them unfold in real time as we speak. Just recently, China announced that you’ll have to get your face scanned just to get a cell phone number—no pesky SSN required! And that’s neither the beginning nor the end of it; biometrics do not just identify you, they can also identify many characteristics such as race and gender. Things can and do go wrong here often, and that’s assuming the technology works as advertised, which is often not the case.
So, why am I not extremely worried? I am. But I also think that we can solve some of these problems. The solutions will surely involve technology, but I think the real trick will be the political will required to deploy these technologies responsibly.
As a Turkish immigrant to the US who travels internationally often, I have given my fingerprints and facial scans, and god knows what other data to various countries’ immigration departments many times. Just a couple weeks ago, I entered the US using Global Entry without ever removing my passport or Green Card from my pocket, just by scanning my fingerprints. Out there in the developed world, Europeans had these automated passport gates for years. When I lived in Singapore, I just had to press my thumb to enter the country.
I know this proliferation of biometrics-based identification bothers many people, and they think it sets a bad precedent. At some level, I agree. In the current political climate in the US, some of what I say doesn’t immediately sit well with me. Yet, on the other hand, I do recognize that we are living in a society that is governed by rules imposed by entities that hold a monopoly on violence. I do not like Trump, nor Erdogan, but I remain a law-abiding citizen of Turkey and a legal permanent resident of the United States.
The point I am making is not one of boot-licking or rescinding my individual liberties. Rather, I acknowledge that we are (most of our readers, at least) living in rules-based societies. We do, can, and should build technologies that allow people to live their lives more securely, easily, and while keeping them safe from oppression. The idea that a password is what would keep the G-men away from me is an odd one.
In this case, for me, the idea of having my identity, my data, my being locked away behind some poorly implemented technologies, like passwords, does seem like a worse deal than using my biometrics on my phone and my laptop. I do trust, maybe misguidedly, that a client-side identity verification using my face is a better option. I type this on a laptop that I unlock with my fingerprint, and come tomorrow, I’ll be reading your replies on my phone that scans my face. My bank account is protected by the password manager that you can unlock with either. This seems, to me, the right direction.
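The client-side arrangement described here (the template and the match stay on the device, and the only thing that ever reaches the server is proof of a match), as an added example that is not part of this post, written in Go with the standard library’s Ed25519; it also shows why the “stolen digital representation” worry from earlier does not apply to the server, which never holds one. The 256-bit template, the Hamming-distance matcher and the 40-bit tolerance are constructed stand-ins for a real matcher; the device/server split is what the code demonstrates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"math/bits"
)

// Constructed model: 256-bit templates matched by Hamming distance, since two scans of the same eye never agree exactly.
const maxMismatchBits = 40 // constructed tolerance, not any real system's value
// Device keeps the template and the signing key; neither ever leaves it.
type Device struct {
	template []byte
	priv     ed25519.PrivateKey
}

// Server stores only the public key, so a breach yields no biometric to steal.
type Server struct{ pub ed25519.PublicKey }
// Enroll binds a fresh key pair to the template; only the public half leaves.
func Enroll(template []byte) (*Device, *Server, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{append([]byte(nil), template...), priv}, &Server{pub}, nil
}

func hamming(a, b []byte) (n int) {
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}
// Challenge issues a fresh nonce so a captured response cannot be replayed.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}
// Authenticate matches the live sample on the device and signs the nonce only
// on a match; the signature, not the scan, is what crosses the wire.
func (d *Device) Authenticate(sample, nonce []byte) ([]byte, error) {
	if len(sample) != len(d.template) || hamming(sample, d.template) > maxMismatchBits {
		return nil, errors.New("biometric mismatch: refusing to sign")
	}
	return ed25519.Sign(d.priv, nonce), nil
}

func (s *Server) Verify(nonce, sig []byte) bool { return ed25519.Verify(s.pub, nonce, sig) }
```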