Two new pieces, "What actually tells ‘probabilistic authenticator’ and ‘deterministic authenticator’ apart?" and "Cult of Convenience", have been added at the end of "Negative Security Effect of Biometrics Deployed in Cyberspace".


Cult of Convenience

It is natural for us to be thankful to the people who came up with the means to safely get the job done in one day that used to take weeks or months to do unsafely. 

Who could be thankful to the people who come up with the means to unsafely get the job done in 5 seconds that used to take 10 seconds to do safely? If there are any, we could call them the ‘Cult of Convenience’. Such behavior could be viewed as a ‘time-saving obsession syndrome’. Actually, we know there are many of them in the sphere of cybersecurity and identity management.

Putting a finger on a sensor or holding a smartphone in front of our face may look a bit more ‘time-saving’ than typing numbers and characters. This ‘time-saving’ effect is obtained, however, by taking the risk of a huge inconvenience or time-wasting trouble in case the body feature data leaks.

The cult of convenience would not care. For them, the few seconds thus saved are worth the grave risk of leaking privacy data that people can never cancel, change or re-generate for life.

And, alas, all this happens on top of the fact that the use of biometrics brings security down to a level lower than that of a PIN/password-only login.

What on earth are we doing?

What actually tells ‘probabilistic authenticator’ and ‘deterministic authenticator’ apart?

Some people appear to be led to assume that there are a false acceptance rate (FAR) and a false rejection rate (FRR) with any means of authentication. I am afraid that they are misguided.

‘Acceptance and rejection’ by a deterministic tool (Yes or No on remembrance of a correct password, Yes or No on possession of a correct physical token) is one thing; acceptance and rejection by a probabilistic tool (biometrics measuring unpredictably variable body features) is another.

As a matter of fact, a password and a physical token can be and actually are used together in a security-enhancing ‘multi-layer’ deployment (both must be passed) because both are deterministic, whereas biometrics and a password/token can be and actually are used together only in a security-lowering ‘multi-entrance’ deployment (passing either one suffices) because biometrics is probabilistic. Mixing up those fundamentally different subjects would be very misleading.

The observation that biometrics is probabilistic leads us to the next one: ‘biometrics-only authentication’ could exist only on paper, because users who get rejected by an unpredictable false rejection would have no choice but to give up the login altogether. That cannot be allowed in real life.
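As an added illustration of the two deployments described above (example code added here, not the author's), the following Python models each authenticator by a false acceptance probability and a false rejection probability and composes them in the ‘multi-layer’ (AND) and ‘multi-entrance’ (OR) manner. All names and numeric rates are constructed assumptions, not measurements of any product, and the factors are assumed to be independent. It shows two things the prose states: the OR deployment admits impostors more often than either factor on its own, and a biometric-only login leaves a fixed share of legitimate users rejected with no way in, which is why a second entrance ends up being added.

```python
"""Composition of authenticators: 'multi-layer' (AND) vs 'multi-entrance' (OR).

Added example. Every rate below is a constructed assumption for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authenticator:
    name: str
    false_accept: float  # P(an impostor attempt is accepted by this factor)
    false_reject: float  # P(a legitimate attempt is rejected by this factor)


def is_deterministic(f: Authenticator) -> bool:
    """Model of the page's distinction: a deterministic factor never rejects a
    correct password or a genuine token (false_reject == 0); a probabilistic
    factor such as biometrics has an inherent non-zero false rejection rate."""
    return f.false_reject == 0.0


def multi_layer(*factors: Authenticator) -> tuple[float, float]:
    """AND composition: every factor must pass.

    An impostor must defeat all layers (product of the false accepts); a
    legitimate user is rejected if any single layer rejects.
    Returns (false_accept, false_reject) of the combined login.
    """
    fa = 1.0
    pass_all = 1.0
    for f in factors:
        fa *= f.false_accept
        pass_all *= 1.0 - f.false_reject
    return fa, 1.0 - pass_all


def multi_entrance(*factors: Authenticator) -> tuple[float, float]:
    """OR composition: passing any one factor suffices (biometrics with a
    password fallback, for instance).

    An impostor succeeds if any entrance is defeated; a legitimate user is
    rejected only if every entrance rejects.
    Returns (false_accept, false_reject) of the combined login.
    """
    fail_all = 1.0
    fr = 1.0
    for f in factors:
        fail_all *= 1.0 - f.false_accept
        fr *= f.false_reject
    return 1.0 - fail_all, fr


def weaker_than_each_factor(*factors: Authenticator) -> bool:
    """True when the OR composition admits impostors more often than the
    weakest factor alone, i.e. adding the extra entrance lowered security."""
    fa_or, _ = multi_entrance(*factors)
    return fa_or > max(f.false_accept for f in factors)


# Constructed rates (assumptions for this example, not real measurements).
PASSWORD = Authenticator("password", false_accept=1e-6, false_reject=0.0)
TOKEN = Authenticator("physical token", false_accept=1e-3, false_reject=0.0)
BIOMETRIC = Authenticator("fingerprint", false_accept=1e-4, false_reject=1e-2)


if __name__ == "__main__":
    scenarios = {
        "password AND token (multi-layer)": multi_layer(PASSWORD, TOKEN),
        "fingerprint only": multi_layer(BIOMETRIC),
        "fingerprint AND password (multi-layer)": multi_layer(BIOMETRIC, PASSWORD),
        "fingerprint OR password (multi-entrance)": multi_entrance(BIOMETRIC, PASSWORD),
    }
    for label, (fa, fr) in scenarios.items():
        print(f"{label:42s} FA={fa:.3e}  FR={fr:.3e}")
```

Running the block prints the four scenarios side by side: the two deterministic factors stacked AND-wise multiply their false accepts down while never rejecting a legitimate user; the fingerprint alone keeps its 1% false rejection; stacking the fingerprint AND-wise with a password keeps that same 1% lock-out, which is what drives real deployments to the OR form; and the OR form has a false accept slightly above the fingerprint's own, so the login is weaker than the weakest factor in it.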

