06 Nov

Biometrics are a terrible idea

Posted by jerry as Security

Authentication is something that I’ve given a lot of thought to. I see the world beginning to embrace biometrics as a mainstream method of authentication, and it really scares me. We seem to think that a fingerprint, retinal scan, or hand geometry is the holy grail of identifying a person. In fact, the most we can reasonably hope to get out of biometrics is an initial guess at identity.

Let’s take a fingerprint. It’s a password that you can never change, yet you leave copies of it everywhere you go. Retinal scans are harder to copy, but hand geometry is likely not hard at all.

The fundamental problem is that someone can easily and economically duplicate nearly any biometric that would be used for authentication, without the owner or the authenticating party knowing. The ultimate in authentication is and will always be possessing something that is reasonably hard to duplicate, such as a PIN-generating fob. You either have it, and no one else can successfully pose as you, or you don’t, and you know that someone may be trying to pretend to be you. Pairing that with a memorized PIN is an effective combination, but the uniqueness of the device is the most important factor.

Basing authentication on a physical trait (fingerprints, retinas, DNA, hand geometry, etc.) may have some utility for trivial things like entering Disney World, but for things like legally binding contracts and access to sensitive data or sensitive areas, biometrics are simply too weak.

One comment

Hi Jerry,

I enjoyed reading your analysis and agree – “stand alone biometrics are simply too weak”. Earlier this month (feature article in the November Issue), I co-authored an article for Biometric Watch – http://www.biometricwatch.com/BW_35_November_2006/BW_35.htm – with two colleagues specifically on privacy issues in biometrics. We believe that in order for the biometrics market to expand, the owner of any biometric should be in control of its use. The purpose of our article for BW’s reader base: eliminating the “market value” of the biometric identifier in order to protect it from theft is better than any other known protection (firewalls, encryption etc.).

I am a member of a company focused on biometric information security and building OEM products that secure integrity and privacy issues related to biometrics. The name of our company is PISI; please see http://www.recoverablebiometrics.com for more details. PISI’s solutions are designed to protect biometric data “prior” to transmission as well as installing recoverability of a biometric if that data is ever stolen or abused. With a slight shift in biometric deployment methodology, our products enhance any biometric by interweaving complex, non-linear, mathematical and/or mechanical attributes (with biometric data), creating methods of combinational processing of biometric data. The result is defined as “identity”. Biometric-based identities possessing two or more attributes or “degrees of uniqueness” are replaceable, also installing complete privacy for the user as well as enhanced security and trust of any biometric.

Thank you,
Andrew J. Polcha
