Well first, biometrics systems can't protect against old-fashioned social engineering. These intruders -- social engineers and other con-types -- lie to gain entry into secured areas by posing as legitimate employees. All they have to do is convince the owner of the biometric key, say the person guarding the gate whose fingerprint opens the door, for example, that they need entry. If that person is compromised (fooled) and activates the biometrics system for his erstwhile intruder buddy, the intruder gets in. And, of course, if the two are deliberately colluding, the outcome is obviously the same.
Biometrics can be excellent, often superb, security systems against technical threats but, like other security systems, they wither against human threats. Besides, the serious crook confronted with a biometrics system will just figure out another back door in and won't bother with trying to crack it. Also, biometrics systems currently aren't as finely tuned to detect errors as non-biometric systems, such as smart cards, tokens, and good old user IDs and passwords. Passwords are passwords. They're either typed correctly, or not. But fingerprints can be smudged or distorted by cuts and burns, therefore faking out fingerprint scanners and blocking legitimate users. Face recognition systems can, at times, allow two different people, who may closely resemble each other, to pass. And some illnesses can change the pattern of veins in the user's retina, defeating retinal scanning systems.
Does this mean biometrics systems just aren't ready for enterprise use and shouldn't be considered at this point? Not at all. They are better for physical security, such as guarding the entrance to data centers, than for application security, such as logging onto a Web site. They just shouldn't be seen as the impenetrable magic wall protecting the castle. Strong as they are, they can still be defeated.
This was first published in September 2005