Microsoft promises end-to-end encrypted Teams calls for some, invites you to go passwordless with Azure AD

Mike 137 Silver badge

Once again ... (how many times do we have to shout this?)

"Azure AD users can ditch typed-in passwords altogether, and instead use things like biometrics (facial recognition and fingerprints)"

Biometrics should never be used as authenticators not least because:

[1] an authenticator is some form of shared secret but biometrics by definition are not secret as you carry them around in plain view and leave some of them behind wherever you've been;

[2] an authenticator must be amenable to being rescinded, but you can't rescind a biometric (short of "rubbing out" the party concerned);

[3] a single authenticator should not be used for multiple incompatible purposes, but you'll soon run out of alternatives for different purposes if biometrics are used.

The only valid use of a biometric is as an identifier. Authentication is the second phase after identification and should use something that complies with the above principles.

Quite apart from which, current "biometric authentication" systems don't actually use biometrics despite being tied to them. They use grossly simplified digests of them translated into numeric form. Such systems can be breached in many ways via compromise of the digest.