What can a ‘probabilistic authenticator’ achieve in cyberspace?

A big question is too often missing in the discussions about the deterministic authenticators (passwords and tokens) and probabilistic authenticators (biometrics); Are the users to blame when the login fails?’

When the user fails to feed a correct password and present a correct token, the user would be to blame. Well, when the sensor fails to get the user’s body features and behaviors authenticated, would the user be to blame?

Where the rejected users are solely to blame, their login would be justifiably denied. On the other hand, where the rejected users are not solely to blame, they should be given a fallback measure with which they can access what they must be able to access. In cyberspace, passwords/PINs are the fallback measures for the self-rescue in most cases.

Where biometrics is used together with a default/fallback password/PIN in a ‘two-entrance’ deployment, we will see the security getting brought down to the level lower than a password/PIN-only authentication. It is, as it were, a below-one factor authentication.

This is what the probabilistic biometrics achieves in cyber space. Criminals will benefit.

Click the link for more https://www.linkedin.com/pulse/negative-security-effect-biometrics-deployed-hitoshi-kokumai/

#identity #authentication #password #security #biometrics #ethic #privacy #democracy #emergency #disaster #panic #defense #government #pandemic #teleworking

…………………………………………………………………….

What actually tells ‘probabilistic authenticator’ and ‘deterministic authenticator’ apart?

Some people appear to be led to assume that there are a FAR and an FRR with any means of authentication. I am afraid that they are misguided.

‘Acceptance and Rejection’ of a deterministic tool (Yes or No on remembrance of a correct password and Yes or No on possession of a correct physical token) is one thing, that of a probabilistic tool (biometrics to measure unpredictably variable body features) is another.

As a matter of fact, a password and a physical token can be and are actually used together in a security-enhancing ‘multi-layer’ deployment because these are both deterministic, whereas biometrics and password/token can be and are actually used together only in a security-lowering ‘multi-entrance’ deployment because biometrics is probabilistic. Mixing up those fundamentally different subjects would be very misleading.

The analysis of biometrics being probabilistic leads us to the next observation that ‘biometrics-only authentication’ could exist only on paper, because the users who get rejected due to the unpredictable false rejection would have only choice of giving up the login altogether. It cannot be allowed in our real life.