Problem solve Get help with specific problems with your technologies, process and projects.

Penetrating a biometric security system

In this Ask the Expert Q&A, our identity and access management expert takes a closer look at the strengths and weaknesses of a biometric security system.

What are biometric systems unable to do or safeguard against?
Biometrics security systems are, supposedly, the most secure access management systems around. But just like any other access management system (such as their more mortal counterparts, user IDs and passwords), they can be fooled, tricked and even circumvented. In other words, they're just as susceptible to some of the same vulnerabilities; leaving the systems they are protecting wide open.

How so?
Well first, biometrics systems can't protect against old-fashioned social engineering. These intruders -- social engineers and other con-types -- lie to gain entry into secured areas by posing as legitimate employees. All they have to do is convince the owner of the biometric key, say the person guarding the gate whose fingerprint opens the door, for example, that they need entry. If that person is compromised (fooled) and activates the biometrics system for his erstwhile intruder buddy, the intruder gets in. And, of course, if the two are deliberately colluding, the outcome is obviously the same.

Biometrics can be excellent, often superb, security systems against technical threats but, like other security systems, they wither against human threats. Besides, the serious crook confronted with a biometrics system will just figure out another back door in and won't bother with trying to crack it. Also, biometrics systems currently aren't as finely tuned to detect errors as non-biometric systems, such as smart cards, tokens, and good old user IDs and passwords. Passwords are passwords. They're either typed correctly, or not. But fingerprints can be smudged or distorted by cuts and burns, therefore faking out fingerprint scanners and blocking legitimate users. Face recognition systems can, at times, allow two different people, who may closely resemble each other, to pass. And some illnesses can change the pattern of veins in the user's retina, defeating retinal scanning systems.

Does this mean biometrics systems just aren't ready for enterprise use and shouldn't be considered at this point? Not at all. They are better for physical security, such as guarding the entrance to data centers, than for application security, such as logging onto a Web site. They just shouldn't be seen as the impenetrable magic wall protecting the castle. Strong as they are, they can still be defeated.

More Information
  • Learn various tactics you can employ to protect your network from hackers

  • Visit our biometrics resource center for news, tips and expert advice.

  • This was last published in September 2005

    Dig Deeper on Biometric technology

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.