Intel now also wants to rely on biometric data as a password replacement.
Not only the notorious fingerprint, but also face or speech recognition, the iris scan, a person's heartbeat or individual writing rhythm could replace annoying passwords.
At first glance this sounds good. One would never again have to think up a cryptic password and then memorize it. It would also finally be the end of having a different password for each individual service. No wonder that in surveys the majority of users agreed with biometric data as access control. In a survey conducted by the BITKOM Association, 50% of the surveyed users aged above 14 declared themselves in favor of biometric data. Older consumers in particular, aged above 50, were enthusiastic about the idea: 75% of them would use the fingerprint, 61% the iris scan.
Unfortunately, this idea fares exactly like other things in life: if it sounds too good to be true, it usually is not true. All these procedures do exist by now, and the fingerprint is already used as a password by some smartphones. Yet the security is, unfortunately, not as high as one would assume at first. As some white-hat hackers have already proven, these biometric data are quite easy to steal. This is easiest with the fingerprint.
Everyone leaves fingerprints everywhere, and these can be lifted and abused (on this, see the video by the CCC, in which the fingerprint of the German defense minister was "recreated" from a newspaper photo). The system cannot determine whether the fingerprint belongs to a living finger. It only compares the samples. In addition, a high-resolution photo of the finger is already sufficient to manufacture a usable fake. For the same reason, face recognition software could also be deceived by a good photo. The iris scan is unfortunately not really safe either: the recognition software could likewise be deceived by an appropriately prepared photo. And how difficult is it really to get a voice recording of a certain person? Once the biometric data have been stolen, however, one has an enormous problem. One can assign a new password relatively fast, but one cannot change one's own biometric data.
They thus fail as access control for the future.
Only two-way (two-factor) identification is really secure. With this procedure, two things must be available, usually designated as "knowledge" and "possession". "Knowledge" is generally realized through a password, "possession" through a second factor, for example a token or the smartphone. When a smartphone is used, the security aspects play a role again: how easily can the smartphone be manipulated? Frighteningly easily. And the system in which, after the correct password has been entered, a security code is sent to the specified mobile phone number is not particularly user friendly.
An easier system for two-way identification is the CosmoKey. It combines comfortable use with the highest security. It is a hardware token the size of a modern car key. CosmoKey works without any problem with all terminals. With a click on the CosmoKey, an access authorization is sent to the terminal. No additional software has to be installed on the terminal; the associated software runs on the central computer. The operating system of the terminal is therefore also irrelevant to the function. Of course, a CosmoKey can get lost or stolen. But in that case it can be locked and replaced by a new one without any problem, unlike a fingerprint or an iris.