Educause Security Discussion mailing list archives

Re: SQRL (Re: [SECURITY] Image, word, and password login)


From: Ryan Hiebert <ryan () RYANHIEBERT COM>
Date: Sat, 7 Dec 2013 02:44:47 -0600

On Fri, Dec 6, 2013 at 8:25 PM, Mclaughlin, Kevin (mclaugkl)
<mclaugkl () ucmail uc edu> wrote:
Ben and all:

I would like to hear a bit more on the idea of biometrics asserting identity and not authorization.  I am curious as 
to the distinction and what would then provide authorization.   This seems like a change in the tried and true 1,2,3 
factor of authentication which is used to provide proof of your identity but which is then used to provide the 
identified user with authorization to the items they are entitled.  If that is the case wouldn't that mean that any 
of the forms (password, biometric, token, etc.) are for both asserting identity and authorization.

- Kevin

Hi Kevin. The issue for me regarding using fingerprints for
authentication (proving you are somebody) instead of identity
(figuring out who you're claiming to be) is that fingerprints cannot
ever be changed. Because of this, it ends up being a bit closer to a
Social Security Number than a username and password. Since the user
cannot ever change his fingerprint, if it is ever compromised, all
systems that rely on his fingerprint for authentication are now
vulnerable.

Some systems (iPhone 5S) are encouraging use of a fingerprint for some
authentication. This is a trade-off in security, trading security for
convenience. It's convenient, quick, and of moderate difficulty to
bypass, but it is possible, and once it's done, the user cannot go
change his fingerprint as he would a password. If his fingerprint is
compromised, and his authentication relies on his fingerprint, then his
authentication is permanently compromised.

Perhaps for your application that trade-off is a reasonable idea.
However, it's very important to consider the ramifications of this,
because it is true: fingerprints merely assert identity, not
authentication.

Ryan
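
The distinction Ryan draws can be made concrete in code. Below is an added example, not code from the thread or any system it mentions: a small model in which a (constructed) fingerprint template only selects the account, and a salted, rotatable password does the authenticating. The `compromise_scenario` function compares that design with one where the fingerprint alone authenticates, and shows which compromises can be recovered from by rotation.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a biometric template: fixed bytes the user can never change.
ALICE_FINGERPRINT = b"constructed-fingerprint-template-for-alice"
PBKDF2_ROUNDS = 100_000


def template_id(template: bytes) -> str:
    """Turn a biometric template into a lookup key. This asserts identity only."""
    return hashlib.sha256(template).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Directory:
    """Biometric -> account lookup; a revocable secret -> authentication."""

    def __init__(self):
        self.accounts = {}  # template_id -> {"user", "salt", "hash"}

    def enroll(self, user: str, template: bytes, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[template_id(template)] = {"user": user, "salt": salt, "hash": hash_password(password, salt)}

    def identify(self, template: bytes):
        rec = self.accounts.get(template_id(template))
        return rec["user"] if rec else None

    def authenticate(self, template: bytes, password: str) -> bool:
        rec = self.accounts.get(template_id(template))
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

    def rotate_password(self, template: bytes, old: str, new: str) -> bool:
        if not self.authenticate(template, old):
            return False
        rec = self.accounts[template_id(template)]
        rec["salt"] = os.urandom(16)
        rec["hash"] = hash_password(new, rec["salt"])
        return True


def compromise_scenario() -> dict:
    d = Directory()
    d.enroll("alice", ALICE_FINGERPRINT, "correct horse")
    leaked_template, leaked_password = bytes(ALICE_FINGERPRINT), "correct horse"
    result = {}
    # Design A: the fingerprint alone authenticates. There is nothing to rotate, so a copy passes forever.
    result["biometric_only_after_leak"] = d.identify(leaked_template) is not None
    # Design B: the fingerprint identifies; the password authenticates and can be replaced.
    result["leaked_template_alone"] = d.authenticate(leaked_template, "guess")
    result["both_leaked"] = d.authenticate(leaked_template, leaked_password)
    d.rotate_password(ALICE_FINGERPRINT, leaked_password, "new battery staple")
    result["both_leaked_after_rotation"] = d.authenticate(leaked_template, leaked_password)
    result["owner_after_rotation"] = d.authenticate(ALICE_FINGERPRINT, "new battery staple")
    return result
```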

