NIST Publication on Digital Identity Guidelines
February 13th, 2017
A simple Google search for the terms ‘biometrics’ and ‘password’ in the last week will return thousands of hits on articles projecting the death of passwords as we know them in favor of the flavor-of-the-moment biometric modality. Finger, face, iris, palm, vein – the list goes on and on, with each modality’s champion predicting that theirs is the nearest-term answer to high(est) security and the simplest to use. The bottom line is that security, real security, in our online world is never going to be achieved by a single factor of authentication like a password or a biometric.
At a minimum, you need both (that’s called multi-factor authentication). NIST recently published its updated draft of the Digital Identity Guidelines. The bottom line here is that if you want to securely use a biometric for authentication, you must have a second factor like a password or a PKI certificate (something you know or something you have). So as much as we all want to get rid of all those passwords in favor of a simple fingerprint or selfie smile, don’t do it, no matter how convincing the argument sounds.