1. Biometrics & False Sense of Security
Can it be true that two-factor authentication of biometrics and password actually provides stronger authentication?
2. (A and B) or (A or B)
Biometrics can improve security ONLY WHEN it is operated together with a password by AND/Conjunction (the user must pass both of the two), NOT WHEN it is operated with a password by OR/Disjunction (the user needs to pass only one of the two), which is how most of the biometric products on the market work.
3. False Sense of Security
Biometrics and a password operated together by OR/Disjunction increase convenience only by bringing down security. If we mistake the OR/Disjunction case for the AND/Conjunction case, we are trapped in a false sense of security: we wrongly feel safer when we are actually less safe.
4. Recommendations
A false sense of security is often worse than the lack of security itself.
Biometric solutions can be recommended to people who want convenience, but should not be recommended to those who need security in cyber space.
2nd August, 2015
Hitoshi Kokumai
5. More about "OR/Disjunction"
Biometric sensors and monitors, whether static, behavioral or electromagnetic, can in theory be operated together with passwords in two ways: (1) by AND/conjunction or (2) by OR/disjunction.
Cases of (1) are hardly seen in the real world, because a falsely rejected user would have to give up access altogether even though they can recall their password.
Most biometric products are operated by (2), so that a falsely rejected user can unlock the device with the registered password. This means that the overall vulnerability of the product is the probability that an attacker gets past either the biometric (x, the chance of a false acceptance or a successful spoof) or the password (y). Treating the two as independent events, that probability is x + y - xy.
Since (x + y - xy) - y = x(1 - y) >= 0, the combined vulnerability is never smaller than that of the password alone (y), and it is strictly larger whenever the biometric can be defeated at all (x > 0) and the password is not already trivially guessable (y < 1). In other words, a device whose biometric sensor is backed by a password fallback is less secure than the same device protected by password-only authentication. (By contrast, under (1) the vulnerability is xy, which is at most y.)
Appendix
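The arithmetic in slide 5, carried through in code as an added example (this is not code from the original deck or its author). It uses the slide's symbols, x and y, for the attacker's chance of getting past the biometric and the password, assumes the two events are independent, and adds the legitimate user's side (the biometric false-rejection rate and the chance of forgetting the password) to show why product makers choose OR/disjunction. Every rate below is a constructed illustrative value, not a measurement of any real product.

```python
"""Attacker success vs. legitimate-user lockout when a biometric and a
password are combined by OR/disjunction or by AND/conjunction.

Added example, not from the original deck. Symbols follow the slide:
x = P(attacker passes the biometric), y = P(attacker passes the
password). The two events are assumed independent. All numeric
inputs used below are constructed illustrative values."""


def or_vulnerability(x: float, y: float) -> float:
    """P(attacker passes biometric OR password) = x + y - xy.

    Either factor alone unlocks the device, so the attacker only has
    to beat the weaker one."""
    return x + y - x * y


def and_vulnerability(x: float, y: float) -> float:
    """P(attacker passes biometric AND password) = xy.

    Both factors must be beaten, so the product can only go down."""
    return x * y


def or_lockout(frr: float, forget: float) -> float:
    """Legitimate user is locked out only if both factors fail them:
    falsely rejected by the sensor AND unable to recall the password."""
    return frr * forget


def and_lockout(frr: float, forget: float) -> float:
    """Legitimate user is locked out if either factor fails them."""
    return frr + forget - frr * forget


def compare(x: float, y: float, frr: float, forget: float) -> dict:
    """Side-by-side figures for password-only, OR and AND operation.

    Returns attacker success probability ("vulnerability") and the
    legitimate user's lockout probability for each mode."""
    return {
        "password_only": {"vulnerability": y, "lockout": forget},
        "or":  {"vulnerability": or_vulnerability(x, y),
                "lockout": or_lockout(frr, forget)},
        "and": {"vulnerability": and_vulnerability(x, y),
                "lockout": and_lockout(frr, forget)},
    }


def disjunction_never_weaker_than_password(steps: int = 101) -> bool:
    """Numerically check the slide's inequality x + y - xy >= y
    (equivalently x(1 - y) >= 0) over a grid of x, y in [0, 1]."""
    for i in range(steps):
        for j in range(steps):
            x, y = i / (steps - 1), j / (steps - 1)
            if or_vulnerability(x, y) < y - 1e-12:
                return False
    return True


if __name__ == "__main__":
    # Constructed values: a biometric an attacker defeats 2% of the
    # time (false acceptance or spoof), a password guessed 1% of the
    # time within the lockout budget, a 5% false-rejection rate and a
    # 10% chance the user cannot recall the password.
    for mode, figures in compare(0.02, 0.01, 0.05, 0.10).items():
        print(f"{mode:14s} vulnerability={figures['vulnerability']:.4f} "
              f"lockout={figures['lockout']:.4f}")
    print("OR never weaker than password alone:",
          disjunction_never_weaker_than_password())
```

With the constructed inputs, OR operation raises the attacker's success from 0.0100 (password only) to 0.0298 while cutting lockouts from 0.1000 to 0.0050; AND operation drops the attacker's success to 0.0002 but raises lockouts to 0.1450. That pair of numbers is the trade-off the slide describes: vendors pick OR because of the lockout column, and the vulnerability column is what the user never sees.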