Problem solve Get help with specific problems with your technologies, process and projects.

Considerations for biometric use

Biometrics are a fine way to do authentication, but they need to handled carefully.

Biometrics are a fine way to do authentication, but they need to be handled carefully. There are situations where biometrics are an excellent way to authenticate, and other situations where using them can cause embarrassment of various sorts.

Here are some considerations:

Biometrics are all probabilistic. Unlike a password or a mathematical system, a biometric is an image of real-world data that is compared to another image to see if they're close enough. When I type my password into Amazon.com, for example, it's either right or wrong. I can't type in some other password and the server will say, "Ummm, close, but sure." Biometrics are always producing an answer of "close enough" or "not close enough" instead of, "You got it!" or "Nope, that's not it."

Intuitively, we know about these situations. There are aphorisms about close being acceptable for horseshoes, hand grenades and so on. This means that the system design has to take that into account. There can be simply "collisions" -- by that I mean people who happen to be close enough.

Here's an anecdote: Several years ago, a colleague and I got a demo of a voiceprint system. The demo was on a laptop that asked users to say, "Open the door." If users were authenticated, a picture of a door on the screen swung open. A red light flashed if the user got it wrong. I tried it a couple of times, getting it wrong. Then my colleague gave it a try, and on his third attempt the door swung open. This is an example of collision, and it is going to happen in any probabilistic system. In this particular case, both the vendor giving the demo and my colleague are Canadians, so we had a lot of jokes about all Canadians sounding alike.

Joking aside, how do you guard against collision? Many systems use an additional PIN as a differentiator. For example, if the person trying to get in types a PIN of 1234, you only have to compare the biometric against ones with the same PIN. If you happen to match another similar reading with a different PIN, you're not even going to compare the two. It's simple, and it works well. But, it does raise another question: If you're going to require a PIN, why even bother with the biometric? There are a number of good answers to this question, especially if price is not an issue. But if it is, a PIN is cheaper.

Before you harumph, go read this article about research done by the German magazine c't on how easy it is to fool a variety of biometric scanners. (It's relatively easy to fool a number of fingerprint scanners by putting Scotch tape on your finger; the scanner reads the warmth of your finger and the residual skin oils from the previous person.) Some of these attacks can be thwarted by something like a PIN, but this article concludes that serious biometric use must be supervised by a human being.

Not everyone has one. There are obvious aspects of this problem. An iris scanner is a great thing to use for letting a pilot onto an airplane, but it doesn't work as well if the door in question might be used by a blind person. Less obviously, a system like a face scanner doesn't work so well with men with facial hair, people with glasses, unusual headdresses including a nun's habit, a Sikh's turban or a Muslim woman's garb (from scarf to veil).

Even less obvious, some people nominally have a biometric, but it isn't usable. For example, a small minority have hands that are too dry or cold for fingerprint scanners to get a detailed reading. This means that either you have to use a different system or just accept the vague reading, which somewhat defeats the purpose of the exercise.

Biometrics should never be used in a network. The huge, gaping danger of a biometric system is what we call a "replay attack." A replay attack is nothing more than sending old data to the identifier. This is reasonably easy to guard against in a definite system, but in a probabilistic system, the attacker can modify captured data that will be accepted.

Let's suppose you have a Web commerce site that accepts credit card information verified with a biometric. How does a Web site differentiate between a hacker with stolen info and the real purchaser?

Loss of a biometric sample is a catastrophe. This is closely related to the previous problem. Let's suppose that someone has a database of credit card numbers and fingerprints that verify them. (If such a thing does not exist, how are you doing biometric verification?) What happens when -- not if, when -- that database is stolen? If it were merely credit cards numbers, we could issue people new ones. It's annoying to do so, but it's much simpler than issuing all our customers new fingerprints and telling them never to use the old ones again. That's going to look great on the front page of The New York Times. It's going to be bad when someone drags up cranky essays like this one on the risks of such a thing. But, it's going to be even worse when the authors of such cranky essays are called as expert witnesses in the quite justifiable lawsuit that follows.

Now, there are innovative ideas on how to mix networks and biometrics. For example, the company Authentify has a voice authentication system that uses your telephone as a key. You give the authentication system a phone number to call you at, their computers call you and verify that you say the digits that they dialed. They can even save a recording for some suitable length of time in case there's a dispute. This is exceedingly clever, but it is far less a biometric system than an automated challenge-response system using voice recognition.

I'm strident on this issue of how bad an idea biometrics in a network can be, but not strident because I think they're a bad idea. I'm strident because I think properly used they're a great idea, but the risks of improper use of biometrics could devastate the entire industry. The problem is that all the obvious cool ideas are the ones with huge risks.

Using biometrics to identify a known person versus an unknown person. By "known" I mean a person who is trained into the system. By "unknown" I mean someone picked out at random. A face scanner that lets employees into a door is a fine system. A face scanner trying to pick bad guys out of a crowd is a whole different problem.

Biometrics don't mix well with stronger systems, like cryptographic systems. This is because these systems are definite, not probabilistic. Let me give you an example. I have a great little widget -- a USB flash memory disk drive with a fingerprint pad on it. You put your finger on the pad, and if it's you, the disk mounts. Even better, the manufacturer claims that the flash memory is encrypted. (No, they don't say how.) On first blush, this sounds like a great system to put sensitive files on. It does, even on second blush, but there are subtleties in it. There have to be.

Let's just think about the system. In it, it's going to have three major components: the fingerprint reader, the flash drive and the encryption. The subtle interaction is that the fingerprint reader must have some way to tell the encryption system that it is okay to decrypt. Being a probabilistic system, it can't derive the encryption key from the fingerprint. The encryption system has to store that key in some safe place.

Fair enough, but how would you attack it? Well, I'd figure out where the little "close enough" wire is. There must be some wire where the fingerprint system tells the encryption system (and the disk system) that it's okay to proceed. If I can find that wire, I can bypass the whole system. So, we don't need to attack the crypto or the fingerprint scanner. We just need to find that wire.

I estimate that this would be a fun weekend project for an electrical engineering student or an honors high school student.

Does this mean that my widget is useless? No. It's a great bit of added security. But if you get one of those and you want to put sensitive business data on it, I recommend you do what I did -- put a PGP (pretty good privacy) disk on the thing as well.

I hope my answer gives you some better insight into what I mean by a "host of problems." To sum up again, I don't think biometrics are a bad tool. I think they're good, but you just have to use them correctly. The problem is that the first things we think of are often the incorrect uses, not the correct ones.

This was last published in June 2003

Start the conversation

Send me notifications when other members comment.

SearchCloudSecurity

• Comparing SASE vs. traditional network security architectures

Today's dispersed environments need stronger networking and security architectures. Enter cloud-based Secure Access Service Edge ...

• Defining and evaluating SOC as a service

As cloud use increases, many enterprises outsource some security operations center functions. Evaluate if SOCaaS is the best ...

• Get to know the elements of Secure Access Service Edge

Cloud services use cases continue to expand, but implementation challenges remain. Discover Secure Access Service Edge, or SASE, ...

SearchNetworking

• Tech users weigh in on upcoming approval of more Wi-Fi 6 spectrum

Technology users say the pending Federal Communications approval of additional spectrum for Wi-Fi 6 should bring much higher ...

• CloudGenix-Palo Alto buy combines SD-WAN with cloud security

The CloudGenix-Palo Alto Networks acquisition will combine the Prisma cloud security suite with CloudGenix's software-defined WAN.

• A deep dive into the differences between 5G and Wi-Fi 6

While the latest cellular and Wi-Fi technology generations -- 5G and Wi-Fi 6, respectively -- have been pitted against one ...

SearchCIO

• C-suite executives offer advice on working remotely during pandemic

C-level execs in industries from biotech and telecom to accounting and marketing are making sure their employees have the proper ...

• How IT can build an agile business partnership

Gene Kim, award-winning researcher, author and founder of IT Revolution, discusses why IT leaders need to involve their ...

• Former Cisco CEO offers C-suite leadership tips in time of crisis

COVID-19 is forcing enterprises to make tough decisions. There is no one-size-fits-all roadmap, but those who've survived earlier...

SearchEnterpriseDesktop

• Compare UEM capabilities of Citrix Workspace vs. VMware Workspace One

Digital workspaces go beyond the capabilities of UEM. Compare the management features of two major digital workspace platforms ...

• VMware Workspace One feature speeds remote onboarding

Several new features for VMware Workspace One are now generally available -- including an option to accelerate remote onboarding.

• Discover how Catchpoint helps end-user experience monitoring

The Catchpoint end-user experience monitoring tool supports several notable integrations with enterprise software and monitoring ...

SearchCloudComputing

• 5 tips that can lead to Azure cloud management success

Many factors go into managing Azure resources, and they vary based on a company's needs. Explore five pieces to the larger cloud ...

• AWS security options grow with Amazon Detective

AWS has released Amazon Detective, a managed threat hunting service that generates visualizations out of log data from native ...

• Explore the pros and cons of cloud computing

Familiarize yourself with the basics of computing in the cloud, how the market has changed over the years, and the advantages and...

ComputerWeekly.com

• Coronavirus: Video calling, collaboration applications usage rise steeply in UK homes

A survey from EY finds Covid-19 outbreak is already causing a shift in UK households’ digital activity, with many people trying ...

• Covid-19 apps pose threat to digital privacy on a global scale

Digital security firm Sharksurf has reviewed a number of apps aimed at tackling the spread of coronavirus, and found that many ...

• Business data science teams need to be multi-disciplined, says Trainline

Sam Taylor, head of data science at Trainline, says four years of team building points to a need to be multi-disciplinary in ...

Close