Personally I believe the 3 pillars of authentication are bullshit…
- something you know (pin, password, etc.)
- something you have (token, crypto device, etc.)
- something you are (biometrics)
The premise that biometrics are unequivocally “something you are” is a false obfuscation of the real facts. The real facts are that a biometric scanner is the same as a keyboard or pin pad. It converts analog data to digital data. A keyboard converts the analog action of meat stick poking keys into digital data, just as a biometric scanner converts analog information from the sensor into digital data… but the structure of that digital data is static… it is not a cryptographic challenge… it is simply a digitized representation of the analog data… and the analog data is what is being used as the authentication mechanism… so just as anyone could type your password in with their own meat sticks to impersonate you, anyone could also emulate your biometric data… either by generating a suitable analogue or by tapping the data lines from the sensor to the processor and pushing in stolen or reconstructed biometric data such that the processor believes the data came from the sensor not an interloper.
Once you understand that biometric scanners are doing the same job as keyboards and other human input devices, it stands to reason that there are not 3 pillars of authentication. In reality, there are only two:
- static analog data (biometrics, password, pin codes, etc.)
- digital cryptographic devices (tokens, crypto, vivokey, etc.)
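The distinction above, static digitized data versus a cryptographic device, can be made concrete with a small simulation. The following is an added example, not code from the post or from any product it mentions: the first verifier compares a digest of whatever bytes the input device delivered (a constructed stand-in for a password or biometric template), so identical bytes pass no matter where they came from; the second issues a fresh one-time challenge and accepts only the live HMAC answer from a device holding the shared key. The key, the template bytes and the function names are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# --- Pillar 1: static analog data, digitized and compared -----------------
# The verifier stores a digest of a reference value. REFERENCE_BYTES is a
# constructed stand-in for a password or a biometric template, not real data.
REFERENCE_BYTES = b"constructed-biometric-template-or-password"
STORED_DIGEST = hashlib.sha256(REFERENCE_BYTES).digest()


def static_verify(presented: bytes) -> bool:
    """Accept any byte string whose digest matches the stored digest.

    The check cannot tell whether `presented` came from the sensor or keyboard
    or was fed in on the data line behind it; identical bytes always pass.
    """
    return hmac.compare_digest(hashlib.sha256(presented).digest(), STORED_DIGEST)


def demo_static() -> dict:
    """A legitimate presentation, the same bytes presented again, and a wrong value."""
    captured = REFERENCE_BYTES  # what the input device delivered once
    return {
        "live": static_verify(captured),
        "replay": static_verify(captured),  # same bytes again: indistinguishable
        "wrong": static_verify(b"constructed-other-person"),
    }


# --- Pillar 2: a cryptographic device answering a fresh challenge ---------
class Token:
    """Holds a secret key and answers whatever challenge it is handed."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    """Issues one-time challenges and accepts only a live answer to each."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding = set()  # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # A challenge is consumed on first use, so a recorded pair is rejected.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo_challenge_response() -> dict:
    """Live answer, recorded pair, recorded answer on a new challenge, wrong key."""
    key = secrets.token_bytes(32)  # constructed shared secret
    token, verifier = Token(key), Verifier(key)

    c1 = verifier.new_challenge()
    r1 = token.respond(c1)
    live = verifier.verify(c1, r1)

    # The recorded (challenge, response) pair presented a second time
    replayed_pair = verifier.verify(c1, r1)

    # The recorded response presented against a fresh challenge
    c2 = verifier.new_challenge()
    old_response_new_challenge = verifier.verify(c2, r1)

    # A device holding a different key answering a fresh challenge
    c3 = verifier.new_challenge()
    wrong_key = verifier.verify(c3, Token(secrets.token_bytes(32)).respond(c3))

    return {
        "live": live,
        "replayed_pair": replayed_pair,
        "old_response_new_challenge": old_response_new_challenge,
        "wrong_key": wrong_key,
    }


if __name__ == "__main__":
    print("static:", demo_static())
    print("challenge-response:", demo_challenge_response())
```

The static verifier returns the same answer for the live bytes and for the identical bytes presented again, which is the point of the post: the check sees only digitized data, not its origin. The challenge-response verifier rejects both a recorded pair and a recorded answer, because the secret never crosses the wire and each challenge is accepted exactly once.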
I also believe that the latter should be the primary method of authentication, however the only way to make that practical is with implants. Loss and theft of tokens is all too common to make it a requirement, so it languishes in optional hell.