|
Biometrics security systems are, supposedly, the most secure access management systems around. But just like any other access management system (such as their more mortal counterparts, user IDs and passwords), they can be fooled, tricked and even circumvented. In other words, they're just as susceptible to some of the same vulnerabilities; leaving the systems they are protecting wide open.
How so?
Well first, biometrics systems can't protect against old-fashioned social engineering. These intruders -- social engineers and other con-types -- lie to gain entry into secured areas by posing as legitimate employees. All they have to do is convince the owner of the biometric key, say the person guarding the gate whose fingerprint opens the door, for example, that they need entry. If that person is compromised (fooled) and activates the biometrics system for his erstwhile intruder buddy, the intruder gets in. And, of course, if the two are deliberately colluding, the outcome is obviously the same.
Biometrics can be excellent, often superb, security systems against technical threats but, like other security systems, they wither against human threats. Besides, the serious crook confronted with a biometrics system will just figure out another back door in and won't bother with trying to crack it. Also, biometrics systems currently aren't as finely tuned to detect errors as non-biometric systems, such as smart cards, tokens, and good old user IDs and passwords. Passwords are passwords. They're either typed correctly, or not. But fingerprints can be smudged or distorted by cuts and burns, therefore faking out fingerprint scanners and blocking legitimate users. Face recognition systems can, at times, allow two different people, who may closely resemble each other, to pass. And some illnesses can change the pattern of veins in the user's retina, defeating retinal scanning systems.
Does this mean biometrics systems just aren't ready for enterprise use and shouldn't be considered at this point? Not at all. They are better for physical security, such as guarding the entrance to data centers, than for application security, such as logging onto a Web site. They just shouldn't be seen as the impenetrable magic wall protecting the castle. Strong as they are, they can still be defeated.
More Information
Learn various tactics you can employ to protect your network from hackers
Visit our biometrics resource center for news, tips and expert advice.
|
