When it’s being employed properly, it’s absolutely an important tool, but on-device biometric data stores (e.g. Apple’s secure enclave, or a TPM chip) aren’t the proper implementation. Nor is using biometrics as your primary auth method.
NIST standards for biometrics require the biometric data be stored on a secure remote server, and that the scanner device check against that during auth. Putting the biometric data on the device means that you’re losing a big part of your non-repudiation.
And it’s even worse when you’re using a secondary factor (biometric) as your primary factor (e.g. a phone unlock), which grants access to your other factors like your password store and MFA tokens.
Biometrics are never supposed to be a single-factor auth method when used properly, but that’s how most people use them now.
If your phone requires a passcode, a TOTP grant, and a biometric scan, by all means, please do employ biometrics, but if it’s going to be your only factor, DO NOT.
t3rmit3@beehaw.org 1 month ago