There are two parts to this question. The first is about the military's implementation of biometric authentication, and the second is about how secure it really is. Let's first take a look at the military implementation, then the security of biometric data -- fingerprints, in particular -- and then tie the two together.
In April, the U.S. Department of Defense announced that the first enlistment military contract had been signed using biometric technology. The "signature" was obtained using a fingerprint reader rather than a traditional signature with a pen, or what the military called a "wet" signature.
From the military's brief announcement, it looks like the biometrics technology is a traditional fingerprint scanner. Fingerprint scanners are the oldest and still -- despite the growth of more esoteric biometrics systems -- most common type of biometric devices in use. Today, not only are there fingerprint scanners, there are voice recognition systems, facial readers, iris scanners and even devices that measure typing characteristics and physiological signals.
Can they be easily defeated? Generally, biometrics devices are harder to crack than passwords, but biometrics can be defeated in two ways.
The first is to duplicate the physical characteristic being measured by the device; in this case, fingerprints. For example, someone could make a mold of a fingerprint using a gelatin-like material that fools a scanner. Some scanners counter this by also checking the temperature of anything put near the reader to check if the person is alive, as opposed to a cold gummy mold. The other is to capture the biometric data itself. Biometric data, when first collected by a reader or device, is analog data. All those fingerprints, scans and iris readings have to be converted into digital data that can be read by a computer. Then the data has to be transmitted to back-end directory services to verify the user's validity before authenticating them.
That means biometric data has to be captured securely, encrypted in transit and stored in hardened, encrypted directory services. Both Active Directory and LDAP now accommodate biometrics data securely in this fashion.
Since the biometrics signature is only one piece of the enlistment process, the military probably has other controls in place for verifying the applicant's identity. This is a textbook example of a multi-layered defense, to say the least.
- What's the difference between biometrics and biostatistics? Security expert Joel Dubin expounds.
- Read more about how to use biometrics in combination with electrophysiological signals for authentication.
This was first published in February 2008