DUO Mobile's recommendation towards using biometrics is just bad advice IMHO


When running Duo Mobile on a device that has biometric capability, the self check-up suggests to users that not using it results in reduced security, or, the other way round, that enabling biometrics increases their security.
This is just bad advice IMHO.

Since biometrics a) cannot be changed and b) the quality of the implementation also varies wildly (and has been demonstrated to be breakable with little effort), claiming that, for example, a shoddy fingerprint implementation is MORE SECURE than, let's say, a 6-digit PIN is just false.

I concede that biometrics may be a good solution for some demographics - especially when the alternative is NO AUTHENTICATION - but again, this is about biometrics vs. PIN codes.

What do you think, shouldn’t that bit of functionality just be removed?



I’m the product manager for Duo Mobile. I appreciate this feedback.

In general, we believe that mobile biometrics provides a layer of convenience that allows a user to use a more complex passcode, strengthening the overall security profile of a device. While we totally agree that not all mobile biometrics are created equal, when paired with device policies (Policy & Control | Duo Security), you can decide your organization’s tolerance level and security profile and enforce those properties at the time of authentication to corporate assets protected behind Duo. There have certainly been some terrible biometric implementations, largely by Android OEMs, but most of today’s modern devices have decent biometric capabilities suitable for the average person’s risk profile, and these solutions are only getting better with time via software and hardware upgrades. As with many security measures, the goal isn’t foolproof security, but instead to increase the complexity, cost, and time required to break into an asset.

By default, we do not require users to enable biometrics, but we do encourage them to enable various security features like screen lock, disk encryption, and an updated operating system. Overall, no one set of recommendations will ever cover every person’s risk profile.

We do agree with your point about biometrics vs. complex PIN codes. Though we have found consistently that users are bad at creating PIN codes, and unfortunately, most mobile OSs do not make choosing more complex passcodes super simple, allowing 4-digit passcodes by default. And devices with biometric capabilities usually strongly push users to set up these capabilities. We have also found that with 2FA devices, many people use convenience as an objection to security, which goes to the heart of our approach of making security solutions easy to use so that people actually use them. You can read more about our research in our State of the Auth report, which we published late last year.

I will also mention that Security checkup can be turned off for an organization. While we don’t recommend this, you can turn it off by visiting the Duo Mobile section of the Settings page in the Duo Admin console.

I also wanted to share some interesting references: