Why do we still need password while we have biometry?

It now happens more and more often that I try to login somewhere and my password doesn’t work. Many sites require an account, with different rules for user names and passwords. Using the same password everywhere only partly alleviates the issue, and can increase security risks. Password reset procedures differ from one site to the other: most of the times an email with a link is sent. Sometimes, a new temporary password is sent by email. More rarely, it is required to make a phone call to complete the reset.

Another more and more annoying (for me at least) trend is to ask for security questions picked among a finite list. These questions are often too subjective and the right answer for me may change over time. I don’t really have a favorite color, my nicknames can be spelled different ways, I’m not totally sure of the spelling of my childhood’s best friend, etc. Some questions are just really stupid and don’t apply to me. Being visually impaired, I cannot and will never be able to drive (unless autonomous vehicles are available in the future), so asking for the brand make of my first car is just silly. Instead of spending five minutes and more looking at the list, I got fed up yesterday and picked a random question, noted it down somewhere, and stuck a silly response, noted down as well. This is pointless loss of time and energy.

Password storage systems such as KeePass or LastPass can help alleviate this. However, they either introduce extra steps to login (start KeePass, enter master password, find site entry, copy, paste), or are not available for all platforms. The commonly excluded platform is Linux, which is quite a shame. Mobile devices are also left alone with no solution, at least nothing free. Moreover, these solutions don’t free the user from entering, creating or regenerating passwords at registration time.

Instead, we should just get rid of passwords altogether. The initial idea for doing so comes from how SSH private key authentication works. SSH is used to establish connections on servers, allowing to open a terminal commands can be entered on. Instead of setting a password to login somewhere, SSH can generate a pair of keys: a private part remaining secret, a public part that is sent to any number of servers on which one would like to connect. SSH manages to authenticate the user without having to transfer the private key. This is done using a cryptographic algorithm called RSA. Any message encrypted with the public key is easy to decrypt using the corresponding secret key but extremely computationally expensive without. The SSH server leverages RSA by using the public key of the user to encrypt a challenge message, that only the corresponding private key can decrypt, then the client sends back the response, possibly encrypted using server’s public key.

Problem with this is that this private key can be lost or compromised. When this happens, it needs to be regenerated. It is possible to protect the key using a password, which decreases the risk of it being compromising if stolen. If the public key is reused several places, at least there is just one master password. But that password can be forgotten of course.

But what if that private key is part of the user’s biology: fingerprints, voice print, eye scan or, even further fetched, a subsequence of DNA? The key cannot be lost, unless the user is harmed or killed. But there is a small problem with that: the key cannot be replaced if it is compromised. Well, I thought about the possibility to encode the key in an unused portion of DNA, but the only idea of having some piece of hardware screwing up the DNA is kind of freaking. It is better to observe some biometric aspects, without altering them.

Well, how about a part of the biometric element? The exact part of the finger print, the exact aspects of the voice print, the exact subsequence of DNA, can be encoded in the public key, and used by to calibrate the scanner in a way reconstructing the private key. Replacing the key is just a matter of picking a new part.

This is just a case of multi-factor authentication. Models for this exist and are implemented by some providers. The problem is nothing is standard, wide-spread.

Unfortunately, this thrilling idea won’t apply easily, and won’t standardize overnight. First, there needs to be a standard piece of hardware each and every device would need to be equipped with in order to acquire the biometric signature. That hardware must not be available just for new computers, it would have to be possible to install it on an existing machine, without complications, without forcing the user to upgrade, even worse change OS. A USB-driven scanner is probably the key here, but that would have to work on any OS: Windows, Linux, Mac. But the device maker will make it work just on Windows, maybe Mac, because there is no such thing as a universal device driver except for very simple device like keyboards and mice. But well, if it is possible for these devices, why not a footprint scanner? Phones would also need to be covered as well, since it is more and more common to authenticate from such a device.

Next issue is integration. Each and every service provider would have to agree on a standard and comply to it. That would probably start with the biggest players like Google, Microsoft, etc., but if small businesses do not enter in, we will be stuck with yet another authentication method.

Ideally, a solution based on a service should be put in place. Anybody would be able to subscribe to this authentication service and use it in his own application, whether he is an individual developer, small or large business. This is similar to popular platforms such as AWS, Heroku, etc.

That thus seems perfectly possible. Will this happen? I don’t know, but if we don’t think about it, it won’t.