There Are Only Two Ways to Authenticate

Why Biometrics Are Not Valid Authenticators

RealWorldCyberSecurity
5 min read · Apr 3, 2020

Most security courses teach that there are three ways to authenticate: “What you know,” “What you have,” and “What you are.” However, authenticators must be revocable and deterministic. Biometrics (“What you are”) are probabilistic and non-revocable. Thus, biometrics cannot serve as a means of authentication.

Authentication Basics

Historically, the standard security mantra has been that there are three ways to authenticate:

  • What you know (e.g., passphrase)
  • What you have (e.g., security tokens)
  • What you are (i.e., biometrics)

When all authentication was person-to-person, this was probably a more-or-less correct description of how a person could be authenticated. In today’s environment, where authentication seldom involves two humans interacting, the scheme breaks down. Let’s examine why.

But first, let’s define two terms as they relate to authentication and access control:

  • Identification: A claim to be a given entity
  • Authentication: Validation of an identity claim

Authentication today involves more than people: software, hardware, and data must be authenticatable as well. And there are two different security contexts that must also be considered:

  • Personal devices: Where individuals define and maintain their personal devices’ authentication credentials.
  • Everything else: Where a trusted third party controls who or what can authenticate, and their respective authentication credentials.

The problem with the historical definition of authenticators occurs when considering how to revoke authentication credentials that become compromised, especially in non-personal environments.

With a personal device, the owner controls its authentication credentials. So if, for example, someone discovers where you wrote down your password (shame, shame!) and gains access to your device, you can simply change the device’s password. If you have two-factor authentication enabled and your second factor is lost or compromised, you can revoke that authenticator and enrol a new one.

But how about biometrics, such as a fingerprint or facial recognition? How do you revoke and replace those? Short of serious surgery, a compromised biometric cannot be replaced.

Authenticators must also be deterministic. That is, given the same inputs, the authentication process always produces exactly the same result. A password, for example, is either correct or wrong; there is no “in-between” or “maybe” state where some algorithm is left to judge how close the password was, beyond “absolutely correct” and “absolutely incorrect.”

However, biometrics are probabilistic. That is, a matching algorithm makes its “best guess” as to whether the sample it received probably matches the enrolled baseline for that biometric characteristic. That is why a fingerprint reader sometimes fails to recognize your finger, or a face scanner fails to recognize your face (a false reject). Or, worse, accepts someone else’s fingerprint or face as yours (a false accept)! Loosening the match threshold to cut false rejects raises false accepts, and vice versa; no threshold makes the judgement go away. Authenticators must be absolute! That’s why biometrics are not valid authenticators.
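To make the deterministic/probabilistic distinction concrete, here is an added example written for this edit (it is not code from the original post). A salted password hash is verified by an exact, constant-time comparison: the same stored record and the same candidate give the same answer on every call. The biometric side is a toy matcher, not any real fingerprint or face algorithm: an enrolled feature vector, Gaussian “sensor noise” on each capture, cosine similarity as the score, and a threshold that decides. The user “alice,” the random impostors, the vector size, the noise level and the PBKDF2 work factor are all assumptions for the demonstration.

```python
import hashlib
import hmac
import math
import os
import random

# ---- Deterministic authenticator: a salted, stretched password hash ----
# Same stored record + same candidate -> same answer, every time. There is no
# score and no threshold; the comparison is exact (and constant-time).

PBKDF2_ROUNDS = 100_000  # assumed work factor for the demo, not a recommendation


def make_password_record(password: str) -> tuple:
    """Enrol a password: random 16-byte salt + PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(record: tuple, candidate: str) -> bool:
    """Deterministic check. compare_digest avoids leaking where the digests differ."""
    salt, digest = record
    candidate_digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate_digest, digest)


# ---- Probabilistic matcher: a toy stand-in for a fingerprint/face template ----
# A sensor never reads the same finger twice the same way, so every capture is
# the enrolled feature vector plus noise. The matcher boils the comparison down
# to a similarity score and a threshold: the answer is a judgement, and moving
# the threshold only trades false rejects (FRR) against false accepts (FAR).


def capture(template: list, noise: float, rng: random.Random) -> list:
    """One simulated sensor reading: the template plus Gaussian noise (constructed data)."""
    return [x + rng.gauss(0.0, noise) for x in template]


def similarity(a: list, b: list) -> float:
    """Cosine similarity: 1.0 = same direction, ~0.0 = unrelated."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)


def biometric_match(template: list, sample: list, threshold: float) -> bool:
    """The 'best guess': accept when the score clears the threshold."""
    return similarity(template, sample) >= threshold


def error_rates(threshold: float, trials: int = 2000, seed: int = 7) -> tuple:
    """Estimate (FRR, FAR) at a threshold. Fixed seed: every threshold scores
    the same constructed samples, so the two rates are directly comparable."""
    rng = random.Random(seed)
    dim, noise = 8, 0.2
    alice = [rng.uniform(-1.0, 1.0) for _ in range(dim)]  # enrolled template

    false_rejects = 0
    for _ in range(trials):  # the genuine user, a fresh noisy capture each time
        if not biometric_match(alice, capture(alice, noise, rng), threshold):
            false_rejects += 1

    false_accepts = 0
    for _ in range(trials):  # a fresh random impostor each time
        impostor = [rng.uniform(-1.0, 1.0) for _ in range(dim)]
        if biometric_match(alice, capture(impostor, noise, rng), threshold):
            false_accepts += 1

    return false_rejects / trials, false_accepts / trials


if __name__ == "__main__":
    record = make_password_record("correct horse battery staple")
    print("password, right :", verify_password(record, "correct horse battery staple"))
    print("password, wrong :", verify_password(record, "correct horse battery stapler"))
    for t in (0.50, 0.90, 0.99):
        frr, far = error_rates(t)
        print(f"biometric threshold {t:.2f}: FRR={frr:.3f}  FAR={far:.3f}")
```

Run it and the two password checks come back True and False identically on every call, while the FRR and FAR columns move in opposite directions as the threshold is raised: the only decision a biometric deployment gets to make is where on that trade-off curve to sit, which is exactly the “judgement algorithm” the paragraph above describes.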

Authentication Under Third-Party Control

With everything other than personal devices, a third party controls authentication. A user may choose her own password (better, a passphrase!), but everything other than its value is controlled by a trusted third party (e.g., an IAM administrator): the password policy, the second authentication factors that are permitted, and so forth are outside the user’s control.

Passwords are clearly revocable by the authentication administrator, as are other authenticators such as security tokens, digital certificates, and two-factor authentication app registrations. If an authenticator is compromised, it can be revoked and a replacement credential issued.

But what about biometrics? To restate the problem: how does an administrator revoke and replace a biometric authenticator?

Well, clearly, you can’t.

Personal Device Authentication

In a personal device environment, it is up to the device’s owner to assess the risk, and the risk of compromise may be somewhat different from that in a corporate environment where, for example, facial recognition is used to gain access to a controlled area within a building.

With a personal device, using biometric authentication is a tradeoff between convenience and risk. If you have facial recognition enabled on your device, then a thief (or law enforcement!) can simply hold the device up to your face and unlock it, gaining full access in an instant. A complex password complicates access: the thief would have to force you to enter it, a delay that could substantially increase the thief’s chance of being caught in the middle of the robbery. In the United States it is not settled law (at the time of this writing), but most likely, law enforcement cannot compel you to disclose a password, whereas it can compel you to give a fingerprint or have your picture taken.

So, with a personal device, you can choose to use biometrics to authenticate, and if your biometrics become compromised, you can simply disable their use.

If Not Authenticators, What Are Biometrics?

Wherever biometrics are (incorrectly) pressed into service as authenticators, what is really happening is that they are being used as identifiers. As stated above, since a biometric cannot be revoked, it is not a valid authenticator. An unrevocable “authenticator” is an alternate means of identification, and nothing more!

Thus, since you cannot revoke your identity, your biometrics are an alternate means of identification.

In fact, NIST essentially agrees with this assessment. In its current Digital Identity Guidelines, NIST requires that any use of biometrics for authentication be combined with a “What you have” factor. In effect, NIST relegates biometrics to a means of identification, with the “What you have” factor doing the authenticating of the identity the biometric provides. [See note 1.]
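Here is an added example (written for this edit; it is neither NIST’s protocol nor code from the original post) of the arrangement the NIST rule implies, which also shows the revocation point from the third-party section above: the biometric only identifies the user locally, a possession factor does the authenticating, and an administrator recovers from compromise by revoking the possession factor. The relying party stores one secret per (user, device) and never sees a biometric; the device answers a fresh challenge with an HMAC over it, but only if its local matcher said yes. The shared-secret HMAC is an assumption standing in for the asymmetric, device-bound keys a real deployment would use, and the user “alice,” the device “phone-1,” the message layout and the boolean stand-in for the matcher verdict are assumptions as well.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def make_response(secret: bytes, challenge: bytes, username: str, device_id: str) -> bytes:
    """HMAC over the challenge, bound to the claimed user and device (assumed message layout)."""
    msg = challenge + b"|" + username.encode() + b"|" + device_id.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


class RelyingParty:
    """The 'everything else' side: a trusted third party that controls enrolment and revocation.
    It stores one secret per (user, device) and never sees a biometric at all."""

    def __init__(self) -> None:
        self.devices: Dict[Tuple[str, str], bytes] = {}
        self.outstanding: Dict[bytes, str] = {}  # challenge -> username it was issued for

    def register_device(self, username: str, device_id: str) -> bytes:
        secret = os.urandom(32)
        self.devices[(username, device_id)] = secret
        return secret  # provisioned into the device once, out of band

    def revoke_device(self, username: str, device_id: str) -> None:
        self.devices.pop((username, device_id), None)  # revocation = delete the record

    def new_challenge(self, username: str) -> bytes:
        challenge = os.urandom(32)
        self.outstanding[challenge] = username
        return challenge

    def verify(self, username: str, device_id: str, challenge: bytes, response: Optional[bytes]) -> bool:
        if self.outstanding.pop(challenge, None) != username:  # unknown or already used: no replay
            return False
        secret = self.devices.get((username, device_id))
        if secret is None or response is None:  # revoked, never registered, or device refused
            return False
        return hmac.compare_digest(make_response(secret, challenge, username, device_id), response)


class Device:
    """The possession factor. The biometric is only a local gate in front of the secret."""

    def __init__(self, device_id: str, secret: bytes, enrolled_user: str) -> None:
        self.device_id = device_id
        self._secret = secret
        self.enrolled_user = enrolled_user

    def respond(self, username: str, challenge: bytes, local_biometric_ok: bool) -> Optional[bytes]:
        # The matcher's verdict (a yes/no from its threshold) never leaves the device; all it can
        # do is decide whether the key gets used. The relying party only ever sees the HMAC.
        if not local_biometric_ok or username != self.enrolled_user:
            return None
        return make_response(self._secret, challenge, username, self.device_id)


def run_scenario() -> Dict[str, bool]:
    """Five exchanges between the constructed user 'alice', her device and the relying party."""
    rp = RelyingParty()
    phone = Device("phone-1", rp.register_device("alice", "phone-1"), "alice")
    out = {}

    # 1. Genuine: the biometric identifies Alice on the device, the device proves possession.
    c = rp.new_challenge("alice")
    out["genuine"] = rp.verify("alice", "phone-1", c, phone.respond("alice", c, True))

    # 2. Replay: the same challenge/response pair sent again is rejected.
    out["replay"] = rp.verify("alice", "phone-1", c, phone.respond("alice", c, True))

    # 3. Biometric only: an attacker who copied Alice's fingerprint has no device secret,
    #    so the best they can do is guess the response.
    c = rp.new_challenge("alice")
    out["biometric_only"] = rp.verify("alice", "phone-1", c, hmac.new(b"guess", c, hashlib.sha256).digest())

    # 4. Local reject: the matcher said no, the device refuses to answer, nothing is sent.
    c = rp.new_challenge("alice")
    out["local_reject"] = rp.verify("alice", "phone-1", c, phone.respond("alice", c, False))

    # 5. Revoked: the administrator deletes the device. Alice's face still "matches" on the
    #    phone, but the possession factor is gone, which is what makes the scheme recoverable.
    rp.revoke_device("alice", "phone-1")
    c = rp.new_challenge("alice")
    out["after_revocation"] = rp.verify("alice", "phone-1", c, phone.respond("alice", c, True))
    return out


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:>17}: {'accepted' if ok else 'rejected'}")
```

Only the first exchange is accepted. Note what the relying party checks: a single-use challenge, a registered device, and an exact HMAC comparison, all deterministic and all revocable; the biometric’s probabilistic verdict is confined to the device and contributes nothing the server could be asked to revoke. A real deployment would also expire outstanding challenges rather than keep them indefinitely.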

Thus, there are only two means of authentication: “What you know” and “What you have.” “What you are” is only a means of identification, not authentication.

Summary

For something to be an authenticator, it must be deterministic and revocable. When an authenticator is compromised, it must be replaceable with a new authenticator of the same kind. And any attempt to authenticate must always return the same result for a given input.

Biometrics are neither revocable nor deterministic; therefore they are not valid authenticators. [2]

Thus, there are only two valid means of authentication:

  • What you know
  • What you have

This is just another case where a decades-old security mantra is out-of-date and needs to be updated to reflect today’s reality.

Notes

  1. Quoting NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management (June 2017), Section 5.2.3 “Use of Biometrics,” pg. 26: “Biometrics SHALL be used only as part of multi-factor authentication with a physical authenticator (something you have).” The entire NIST SP 800-63-3 series is worth reading; if you are considering using biometrics, the section referenced above is required reading.
  2. As NIST points out in the document referenced in [1], biometrics have other problems beyond not being revocable and replaceable. The most significant arguments NIST makes against using biometrics for authentication are that biometric characteristics do not constitute secrets and that biometric matching is probabilistic (whereas authentication factors must be deterministic). Either issue alone disqualifies biometrics as authentication factors.

Please check out my Blog Introduction and Index to find other postings about what we are doing wrong in security and how we need to fix it.

Featured Image: No Fingerprints Allowed!

Credit: Fingerprint photo by George Prentzas on Unsplash.
Image modified by Real World Cyber Security.


RealWorldCyberSecurity

A blog discussing what we are doing wrong in security and how we need to fix it.