Using Biometrics to Replace Passwords

I was recently asked this question…

I’m working on a project right now where my team wants to substitute passwords and usernames for biometric authentication.  I have expressed my multiple concerns for the security of such a system, but the idea has now come up that we could use a system with at least 2 factors of biometric authentication, such as facial and voice recognition.  While such a system is definitely better than one form of biometric authentication only, I still believe it is more insecure than using passwords. And even if it were not, I believe it is concerning from a privacy standpoint and makes our database a prime target for hackers.

To which I replied… When evaluating any authentication solution, you should consider the FAR, FRR, and CER.

FAR = False Acceptance Rate: when someone who is not an authorized user is granted access.
FRR = False Reject Rate: when an authorized user is rejected.
CER = Crossover Error Rate: the point at which the FAR and FRR meet.

You want your FAR and FRR to both be very low. If your FAR was 1 in every 100 unique authorizations, meaning that one time in every 100 authorizations an unauthorized person was granted access, that would be 1%. Is that acceptable given the number of people using the system?

You should account in your design for a FAR event (an unauthorized user gaining access) and have some other protection in place, which leads to an MFA (multi-factor authentication) scheme.

FRR is what will truly frustrate your authorized users, because they will be turned away and unable to access the system. That drives up the cost of operating the system, since an additional person will have to be standing by to let the rejected but authorized user in.

The CER, or crossover rate, is a way of detecting whether either the FAR or the FRR is low. If either is a low number, it will result in a lower CER. If you want to make sure that unauthorized users DO NOT have access and that your authorized users are not being turned away, you want to maximize your CER.
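As an added example that is not part of the original post, the following Python sweeps a decision threshold over constructed matcher scores to compute FAR and FRR and locate the crossover point, and combines two biometric factors as in the face-plus-voice idea above; the 0-100 score scale, the sample scores and the independence assumption are mine.

```python
# Constructed sample data (assumed 0-100 similarity scale): scores a matcher
# returned for genuine users (should be high) and impostors (should be low).
GENUINE_SCORES = [91, 88, 85, 79, 75, 72, 70, 66, 61, 55]
IMPOSTOR_SCORES = [20, 28, 35, 41, 48, 52, 58, 63, 67, 74]

def far(impostor_scores, threshold):
    """False Acceptance Rate: fraction of impostor attempts accepted."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)

def frr(genuine_scores, threshold):
    """False Reject Rate: fraction of genuine attempts rejected."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)

def crossover(genuine_scores, impostor_scores):
    """Return (threshold, rate) at the point where FAR and FRR are closest.

    Raising the threshold lowers FAR but raises FRR, so the two curves cross;
    the rate at that crossing (the CER) summarises how well the matcher
    separates genuine users from impostors: smaller means better separation.
    """
    best = None  # (gap, threshold, rate)
    for t in range(0, 101):
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    _, t, rate = best
    return t, rate

def two_factor_and_rule(far_a, frr_a, far_b, frr_b):
    """Combine two biometric factors that must BOTH accept (e.g. face and
    voice). Assumes the factors fail independently, which real face/voice
    systems only approximate (the same user may be noisy on both)."""
    combined_far = far_a * far_b                  # impostor must fool both
    combined_frr = 1 - (1 - frr_a) * (1 - frr_b)  # one reject is enough
    return combined_far, combined_frr

if __name__ == "__main__":
    t, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover threshold={t} CER={cer:.2f}")
    print("1-in-100 FAR per factor, two factors combined:",
          two_factor_and_rule(0.01, 0.05, 0.01, 0.05))
```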

Understanding the Traffic Light Protocol (TLP)

The Traffic Light Protocol (TLP) takes something that most people know and applies it to a new problem: in this case, the simple concept of roadway traffic lights applied to information sharing. As defined by FIRST, an organization formed by cyber first responders, the Traffic Light Protocol is “a set of designations used to ensure that sensitive information is shared with the appropriate audience”.

According to the TLP, when sharing information between two parties (a source and a recipient), the traffic light colors tell the party receiving the information (the recipient) what the party sending the information expects regarding how the information will be used.

The key to understanding TLP is its simplicity.  Traffic lights or signals are something used and seen by drivers and passengers on roadways around the world.

It’s important that each person in an organization who handles information understands and uses TLP consistently, all the time and in the same way. TLP is successfully implemented in an organization when everyone uses the protocol to process information the same way.

While most roadway traffic signals have either two or three lights, the protocol defines four conditions.

TLP:Red – Information is classified as RED when the party sharing it intends that it will not be disclosed. The use of this information should be restricted to the participants only. I tell people that when information classified as TLP:Red is shared with you, that information should stay with you.

TLP:Amber – Information classified as AMBER is intended for limited disclosure. That means you should only share this information with people in your organization. If you work in a company's Information Security department and receive information classified as TLP:Amber, you can share it with others in your Information Security department. Some organizations stretch this to be interpreted as anywhere within the company. Specific company policies and procedures should clarify this.

TLP:Green – Information classified as GREEN is also limited disclosure; however, disclosure should be limited to the community: people in your organization and in other organizations with whom you regularly work. As with TLP:Amber, your organization's policies and procedures should define the community.

TLP:White – Information classified as TLP:White “carries minimal or no foreseeable risk of misuse” and can be shared broadly. It’s important to note that information classified as TLP:White is still subject to other organizational information classification (such as Secret, Top Secret, or NoForn), and copyrights should be observed.