Intro

Passwords have many known issues:

  • Password strength tends to inversely correlate with usability
  • Passwords can be attacked remotely
  • Attackers have built a variety of automated tools for cracking passwords

These issues have prompted the rise of biometrics and other methods of authenticating, with advantages such as:

  • High ease of use
  • Local-only authentication mitigates remote attacks
  • Authentication hardware mitigates the use of automated tools
  • Biometric data meets or exceeds most PINs and medium to strong passwords when compared on bits of entropy; for example, a scanned fingerprint typically has 40-82 bits |LS|1|RS|, while a 4-digit numeric PIN has only 5.8 bits |LS|2|RS|.

However, biometrics have drawbacks:

  • In the event your biometric information is stolen, as it was in the OPM hack of 6 million victims |LS|3|RS|, there is no password reset feature for that information.
  • Attackers can and have used a victim's online photos (social media, etc.) to fool current finger, eye/iris, and facial biometrics systems (except Apple Face ID and Windows Hello for Business facial recognition) |LS|4|RS|, |LS|5|RS|.
     

The two main criteria we use when evaluating the security of passwordless authentication are the False Acceptance Rate (FAR) and published attacks.

FAR refers to the odds that a random person will successfully impersonate another. A FAR of 0.002% means that on average, only 1 out of 50,000 people will successfully impersonate another with that authentication system, using their own biometrics rather than an attack technique. It would be like trying to enter a random password to see if it works. 

Published attacks vary in success rate, complexity, speed, and whether they can be done remotely or require a local attacker. 

With these factors in mind, below are guidelines to help you match passwordless authentication solutions to your security and business needs. If you would like us to evaluate an authentication option not listed below, please contact the Information Security Office at security@utexas.edu.

Passwordless Authentication - Top Security

The Information Security Office recommends the following, based on a strong baseline False Acceptance Rate (1 out of 1,000,000) and a lack of published attacks as of this writing. These methods are ideal for the most valuable systems in your department.

Authentication Option Operating System Notes
Apple Face ID* iOS 11 Available on iPhone X |LS|6|RS|
Token (Smartwatch, BlueTooth token, FIDO-compliant USB, etc.) Multi-platform  
Windows Hello for Business Windows 10 Facial recognition* and PIN** only |LS|7|RS|, |LS|8|RS|, |LS|9|RS|

*Biometrics is still a rapidly changing landscape, with new attacks and countermeasures developing yearly. This list is subject to change.

**A Windows Hello PIN must meet the following requirements:

  • It must be at least 8 characters long.
  • Avoid easily guessed sequences such as 1234 or abcd.
  • If the PIN is numeric, it should not contain personally identifying information like your birthday, phone number, or other information publicly obtainable about you.
  • Do not use the same PIN as you do for your ATM card, voicemail, or other accounts.
  • If alphanumeric, a PIN should not contain personally identifying information like your name, or other publicly obtainable information about you (e.g., address, phone number, office number, etc.).
  • If alphanumeric, a PIN should not contain a dictionary word unless it is part of a hard-to-guess phrase.
  • A changed PIN should be substantially different from the previous PIN.
  • A PIN should be memorized.

IT Support Staff should implement Group Policies for enforcing the above PIN requirements; resources can be found here.

Passwordless Authentication - Secure

While these authentication methods are not as strong as those in the Top Security section, they are still effective, with a False Acceptance Rate of 1 out of 50,000 or better. 

Authentication Option OS Notes
Eye/iris scanners Multi-platform Published Attacks: |LS|4|RS|, |LS|5|RS|, |LS|10|RS|
Finger/thumb scanners (includes Apple Touch ID) Multi-platform Published Attacks: |LS|4|RS|, |LS|5|RS|, |LS|11|RS|, |LS|12|RS|, |LS|13|RS|, |LS|14|RS|, |LS|15|RS|, |LS|16|RS|, |LS|17|RS|
Face scanners, other Multi-platform Published Attacks: |LS|4|RS|, |LS|5|RS|, |LS|18|RS|, |LS|19|RS|
OTP software or hardware token Multi-platform Published Attacks: |LS|20|RS|, |LS|21|RS|

If you have questions about these products, or satisfying policy, please do not hesitate to contact the Information Security Office at security@utexas.edu

References
  1. Ratha, N. K.; Connell, J. H.; Bolle, R. M. "Enhancing security and privacy in biometrics-based authentication systems (2001)". IBM Systems Journal (Volume 40, No. 3, 2001), pg. 614-634. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.93.207&rep=rep1&type=pdf

  2. "NIST Special Publication 800-63 v1.0.2: Electronic Authentication Guideline", Appendix A—Strength of Memorized Secrets. National Institute of Standards and Technology. Retrieved 11 October 2017.
  3. "Fingerprints were stolen in the OPM hack. There is no “password reset” equivalent for your fingerprints.". Wired. Retrieved 5 October 2017.

  4. Jan "starbug" Krissler, "I see therefore I am...You", filmed December 2014 at Chaos Communication Congress (CCC) , video. https://www.youtube.com/watch?v=VVxL9ymiyAU.

  5. "I see therefore I am…You (2015 slides)". Retrieved 2 October 2017.

  6. "Face ID Security". Apple. Retrieved 2 October 2017.
  7. "Windows Hello face authentication". Microsoft. Retrieved 2 October 2017.

  8. "Windows Hello biometrics in the enterprise". Microsoft. Retrieved 2 October 2017.

  9. "Windows Hello - Why a PIN is better than a password". Microsoft. Retrieved 2 October 2017.

  10. "Hacker beats Galaxy S8 iris scanner using an IR image and a contact lens". . Retrieved 3 October 2017.

  11. "MacOS - NEW METHOD ; How To Hack The iPhone Touch ID Fingerprint Sensor Bypass (WORKING PROOF) (2017)". YouTube, video. Retrieved 5 October 2017.
  12. Roy, Aditi; Memon, Nasir; Ross, Arun. "MasterPrint: Exploring the Vulnerability of Partial Fingerprint-Based Authentication Systems". IEEE Transactions on Information Forensics and Security (Volume: 12, Issue: 9, Sept. 2017), pg. 2013-2025. http://ieeexplore.ieee.org/document/7893784/?reload=true.

  13. Engelsma, Joshua J.; Arora, Sunpreet S.; Jain, Anil K.; Paulter Jr., Nicholas G. "Universal 3D Wearable Fingerprint Targets: Advancing Fingerprint Reader Evaluations". Michigan State University Department of Computer Science and Engineering (2017). http://biometrics.cse.msu.edu/Publications/Fingerprint/EngelsmaAroraJainPaulter_Universal3DWearableFingerprintTargetsAdvancingFingerprintReaderEvaludations_arxiv2017.pdf.

  14. Engelsma, Joshua J.; Cao, Kai; Jain, Anil K. "RaspiReader: An Open Source Fingerprint Reader Facilitating Spoof Detection (2017)". Michigan State University Department of Computer Science and Engineering (2017). http://biometrics.cse.msu.edu/Publications/Fingerprint/EngelsmaCaoJain_RaspiReaderAnOpenSourceFingerprintReaderFacilitatingSpoofDetection_arXiv2017.pdf.

  15. Cao, Kai; Jain, Anil. "Hacking Mobile Phones Using 2D Printed Fingerprints". Michigan State University Department of Computer Science and Engineering (2016). http://biometrics.cse.msu.edu/Publications/Fingerprint/CaoJain_HackingMobilePhonesUsing2DPrintedFingerprint_MSU-CSE-16-2.pdf.

  16. Fiebig, Tobias; Krissler, Jan; Hansch, Ronny. "Security Impact of High Resolution Smartphone Cameras" USENIX Security '14 (2014). https://www.usenix.org/system/files/conference/woot14/woot14-fiebig.pdf
  17. "How Touch ID can be fooled and the future of biometric tech with Vkansee (2016)". TechRadar, video. Retrieved 4 October 2017.

  18. Xu, Yi; Price, True; Frahm, Jan-Michael; Monrose, Fabian. "Virtual U: Defeating Face Liveness Detection by Building Virtual Models from Your Public Photos". 25th USENIX Security Symposium (2016). https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_xu.pdf. ISBN 978-1-931971-32-4
  19. Sharif, Mahmood; Bhagavatula, Sruti; Bauer, Lujo; Reiter, Michael K. "Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition". CCS’16 (2016). http://dx.doi.org/10.1145/2976749.2978392.
  20. Koh, Maxwell, "2FAssassin: Bypass 2FA, Stealing Private Keys, And More" filmed September 22 2017 at HITB GSEC Singapore, video. https://www.youtube.com/watch?v=JvQYTiu3ink

  21. "2FAssassin: Bypass 2FA, Stealing Private Keys, And More (2017 slides)". Retrieved 30 October 2017