What are biometric systems unable to do or safeguard against?

    Requires Free Membership to View

Biometrics security systems are, supposedly, the most secure access management systems around. But just like any other access management system (such as their more mortal counterparts, user IDs and passwords), they can be fooled, tricked and even circumvented. In other words, they're just as susceptible to some of the same vulnerabilities; leaving the systems they are protecting wide open.

How so?
Well first, biometrics systems can't protect against old-fashioned social engineering. These intruders -- social engineers and other con-types -- lie to gain entry into secured areas by posing as legitimate employees. All they have to do is convince the owner of the biometric key, say the person guarding the gate whose fingerprint opens the door, for example, that they need entry. If that person is compromised (fooled) and activates the biometrics system for his erstwhile intruder buddy, the intruder gets in. And, of course, if the two are deliberately colluding, the outcome is obviously the same.

Biometrics can be excellent, often superb, security systems against technical threats but, like other security systems, they wither against human threats. Besides, the serious crook confronted with a biometrics system will just figure out another back door in and won't bother with trying to crack it. Also, biometrics systems currently aren't as finely tuned to detect errors as non-biometric systems, such as smart cards, tokens, and good old user IDs and passwords. Passwords are passwords. They're either typed correctly, or not. But fingerprints can be smudged or distorted by cuts and burns, therefore faking out fingerprint scanners and blocking legitimate users. Face recognition systems can, at times, allow two different people, who may closely resemble each other, to pass. And some illnesses can change the pattern of veins in the user's retina, defeating retinal scanning systems.

Does this mean biometrics systems just aren't ready for enterprise use and shouldn't be considered at this point? Not at all. They are better for physical security, such as guarding the entrance to data centers, than for application security, such as logging onto a Web site. They just shouldn't be seen as the impenetrable magic wall protecting the castle. Strong as they are, they can still be defeated.


More Information
  • Learn various tactics you can employ to protect your network from hackers

  • Visit our biometrics resource center for news, tips and expert advice.


  • This was first published in September 2005

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: