23 January 2009

Limitations of Biometrics for Authentication

Steve Riley's TechNet article "Why Identity and Authentication Must Remain Distinct" explains the limitations of using biometrics, which identify a person, for authentication, that is, for proving that the person is who they claim to be.

Here is an excerpt:
Problems arise when systems begin using biometrics for authentication. Say that all you need to do is swipe your finger to log on, with no additional factors. Your fingerprint is now serving both to identify you and to prove that you are you. How can such a system be compromised? Very easily, it turns out, without a secret accompanying your fingerprint. Numerous research reports have shown that biometric systems can be spoofed (the most notorious of which involves the assistance of a Gummi Bear; see http://cryptome.org/gummy.htm and http://www.schneier.com/crypto-gram-0205.html#5).
Another sobering example: “Police in Malaysia are hunting for the members of a violent gang who chopped off a car owner’s finger to get round the vehicle’s hi-tech security system” (http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm). Again, because no secret accompanies the finger, all you need is the finger and you can possess the car. Here the security countermeasure moves the risk from the car to the driver! This is when security becomes unsafe.
Revocation presents another challenge. If a system relies only on a biometric for both identity and authentication, how do you revoke that factor? Forgotten passwords can be changed; lost smartcards can be revoked and replaced. How do you revoke a finger?
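The excerpt's three points (a biometric identifies but does not authenticate, authentication needs a secret alongside the biometric, and only the secret can be revoked and replaced) can be made concrete in code. The following is an added example, not code from the original post or from Steve Riley's article: a small Python model in which a biometric match only answers "who does this finger look like?", a PBKDF2-hashed secret supplies the authentication, and revocation acts on the secret while the template stays unchanged. The user names, the byte-string "templates", the Hamming-distance matcher and its tolerance are all constructed stand-ins for a real fingerprint matcher.

```python
"""Identity vs. authentication with a biometric plus a revocable secret.

Added example (not from the original post or the article it quotes).
The biometric match is a toy: templates are short byte strings and a probe
matches when its Hamming distance to a template is within a tolerance,
which stands in for the fuzzy matching a real biometric system performs.
"""
import hashlib
import hmac
import os

MATCH_THRESHOLD = 3  # constructed tolerance: max differing bits for a match


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class Directory:
    """Enrolled users: a template (identity) and a hashed secret (authentication)."""

    def __init__(self):
        # username -> {"template": bytes, "salt": bytes, "hash": bytes or None}
        self.users = {}

    @staticmethod
    def _hash(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def enroll(self, username: str, template: bytes, secret: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "template": template,
            "salt": salt,
            "hash": self._hash(secret, salt),
        }

    def identify(self, probe: bytes):
        """Biometric lookup only: the closest enrolled user within tolerance, or None.

        This answers "who does this finger look like?" and nothing more; it
        deliberately does not grant access.
        """
        best = None
        for name, rec in self.users.items():
            d = hamming(probe, rec["template"])
            if d <= MATCH_THRESHOLD and (best is None or d < best[1]):
                best = (name, d)
        return best[0] if best else None

    def authenticate(self, probe: bytes, secret: str):
        """Authentication needs the identity claim AND a live, correct secret."""
        name = self.identify(probe)
        if name is None:
            return None
        rec = self.users[name]
        if rec["hash"] is None:
            # Secret revoked: the finger alone proves nothing.
            return None
        candidate = self._hash(secret, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            return name
        return None

    def revoke_secret(self, username: str) -> None:
        """Revocation acts on the secret, the only factor that can be replaced."""
        self.users[username]["hash"] = None

    def reset_secret(self, username: str, new_secret: str) -> None:
        rec = self.users[username]
        rec["salt"] = os.urandom(16)
        rec["hash"] = self._hash(new_secret, rec["salt"])


def demo():
    """Walk through enrol, identify, authenticate, revoke and reset."""
    d = Directory()
    d.enroll("alice", bytes.fromhex("a5c3f0e1"), "correct horse")  # constructed data
    probe = bytes.fromhex("a5c3f0e3")  # differs from the template in one bit
    before = (d.identify(probe), d.authenticate(probe, "correct horse"))
    d.revoke_secret("alice")
    # Still identified, but no longer authenticated: the finger cannot be revoked,
    # the secret can.
    after_revoke = (d.identify(probe), d.authenticate(probe, "correct horse"))
    d.reset_secret("alice", "new secret")
    after_reset = d.authenticate(probe, "new secret")
    return before, after_revoke, after_reset


if __name__ == "__main__":
    print(demo())
```

The design point is in the split between `identify` and `authenticate`: a stolen or spoofed finger reaches the first but not the second, and after `revoke_secret` the user is still recognised yet cannot log on until a new secret is issued.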
