Biometric solutions operated with a fallback password should be called a “less-than-one”-factor authentication, since it makes the users less safe than a password-only single-factor authentication.
The false sense of security is often worse than the lack of security itself. Biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security in cyber space.
1. False Sense of Security
blind spot in our mind and eye-opening experience
18th January, 2016
Mnemonic Security, Inc., Japan/UK
2. Which model do you think is more secure? (1/3)
< Given information >
Model A is protected by a PIN code, while Model B is protected by both a PIN code and fingerprints.
(Figure: Model A beside Model B)
3. Which model do you think is more secure? (2/3)
< Given information >
Model A can be unlocked by a PIN code, while Model B can be unlocked by both a PIN code and fingerprints.
(Figure: Model A beside Model B)
4. Which model do you think is more secure? (3/3)
< Given information >
Model A can be attacked only by a PIN code, while Model B can be attacked by both a PIN code and fingerprints.
(Figure: Model A beside Model B)
5. One Door or Two Doors
(Figure: house (1) with one door, house (2) with two doors)
There are two houses: (1) with one door and (2) with two doors in parallel. Which is safer against burglars?
The answer is (1). It is too obvious for every one of us.
Similarly, (1) login by a password alone is safer than (2) login by a biometric product backed up by a fallback password.
6. (A and B) or (A or B)
Biometrics can help for better security ONLY WHEN operated together with a password by AND/Conjunction (we need to go through both of the two), NOT WHEN operated with a password by OR/Disjunction (we need only to go through either one of the two), as is the case with most of the biometric products on the market.
Biometrics and a password operated together by OR/Disjunction only increase convenience by bringing down security.
Mixing up the case of OR/Disjunction with that of AND/Conjunction, we are trapped in a false sense of security (we wrongly feel safer when we are actually less safe).
7. More about “OR/Disjunction”
Biometric sensors and monitors, whether static, behavioral or electromagnetic, can theoretically be operated together with passwords in two ways: (1) by AND/conjunction or (2) by OR/disjunction.
The cases of (1) are hardly known in the real world, because falsely rejected users would have to give up access altogether even if they can recall their passwords.
Most biometric products are operated by (2), so that falsely rejected users can unlock the devices with their registered passwords. This means that the overall vulnerability of the product is that of either path succeeding: the vulnerability of the biometrics (x) combined with that of the password (y).
The combined value (x + y - xy) is necessarily larger than the vulnerability of the password (y) alone, since the difference x(1 - y) is positive whenever x > 0 and y < 1. That is, devices with biometric sensors are less secure than devices protected by password-only authentication.
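The slide's x + y - xy arithmetic carried through as an added Python example (not from the original deck): it computes the OR/disjunction and AND/conjunction vulnerabilities for any number of factors, of which the two-factor case on the slide is one instance, and ranks password-only, biometric-or-password and biometric-and-password. The independence of the attack paths and the sample figures are assumptions.

```python
from functools import reduce
from operator import mul


def _check(probs):
    for p in probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")


def or_vulnerability(*probs: float) -> float:
    """Factors combined by OR/disjunction (any one of them unlocks the device).
    The attacker succeeds if ANY path falls, so the combined vulnerability is
    1 - prod(1 - p_i); for two factors this equals the slide's x + y - xy.
    Assumes the attack paths are independent (an assumption, not from the deck)."""
    _check(probs)
    return 1.0 - reduce(mul, (1.0 - p for p in probs), 1.0)


def and_vulnerability(*probs: float) -> float:
    """Factors combined by AND/conjunction (every one of them must be passed).
    The attacker needs ALL paths to fall: prod(p_i); for two factors, xy."""
    _check(probs)
    return reduce(mul, probs, 1.0)


def compare_models(x: float, y: float) -> dict:
    """Rank the three ways of using a biometric (x) and a password (y),
    least vulnerable first: password only, biometric OR password
    (fallback password, as in most products), biometric AND password."""
    models = {
        "password_only": y,
        "biometric_or_password": or_vulnerability(x, y),
        "biometric_and_password": and_vulnerability(x, y),
    }
    return dict(sorted(models.items(), key=lambda kv: kv[1]))


if __name__ == "__main__":
    # Constructed figures: the biometric is defeated in 1 of 100 attack
    # campaigns, the password in 1 of 1,000. The OR model lands above both.
    x, y = 0.01, 0.001
    for name, v in compare_models(x, y).items():
        print(f"{name:24s} {v:.6f}")
```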
8. Recommendations
As such, biometric solutions operated with a fallback password should be called a “below-one factor authentication”, since it makes the users less safe than a password-only single-factor authentication.
The false sense of security is often worse than the lack of security itself. Biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security in cyber space.
Thank you