Sean Convery

Update 9/11/06: Kim Cameron’s blog is picking up the biometrics thread as well.

The topic of biometric authentication is making the rounds in various blogs. Phil Becker writes that he considers biometrics “the only true identity based authentication” with everything else as “an approximation of identity validation to some acceptable degree of risk or certainty.” Dick Hardt takes issue with this:

Someone can lift my fingerprint from the case of my laptop, create a facsimile and use that with the fingerprint reader. A fingerprint can actually less secure in some ways then a password. No authentication technology is 100%, just like nothing can be 100% secure. Adding multiple factors to authentication is how we increase certainty.

Also, at my favorite potpourri blog BoingBoing I read that schools in Georgia are allowing a fingerprint scan to buy lunches which prompted a small debate about the merits and risks of biometric authentication. Here’s a snipped of the original post:

Schools in Rome, Georgia, are implementing a system that lets children “pay” for their school lunches with a fingerprint scan. Previously, students had to enter a personal ID number to access their lunch accounts.

I don’t think Phil’s post was necessarily extolling the virtues of biometrics so much as trying to draw a distinction between the different forms of authentication and how they can be used in a basic case study. However, the virtues of biometrics are worth discussing. Before I sat down to write this, I looked back at the section on biometrics in my book. With the assumed gracious permission of my publisher, here is the relevant copy:

Biometrics incorporates the idea of using “something you are” as a factor in authentication. It can be combined with something you know or something you have. Biometrics can include voice recognition, fingerprints, facial recognition, and iris scans. In terms of enterprise security, fingerprint recognition systems are the most economical biometric technology. The main benefit of biometrics is that users don’t need to remember passwords; they just stick their thumb on a scanner and are granted access to a building, PC, or VPN connection if properly authorized.

Biometrics should not be deployed in this fashion, however. The technology isn’t mature enough, and even if it were, relying on a single factor for authentication leaves you open to holes. One option is to consider biometrics as a replacement for a smart card or an OTP. The user still must combine the biometric authentication with a PIN of some sort.

A significant barrier to biometrics is that it assumes a perfect system. That is, one of the foundations of public key cryptography is that a certificate can be revoked if it is found to be compromised. How, though, do you revoke your thumb? Biometrics also assumes strong security from the reader to the authenticating system. If this is not the case, the biometric information is in danger of compromise as it transits the network. Once this information is compromised, attackers can potentially launch an identity spoofing attack claiming a false identity. (This is one of the main reasons including a second factor in the authentication process is desirable.)

Although this could also be considered a strength from an ease-of-use standpoint, the final problem with biometrics is when the same biometric data is used in disparate systems. If my government, employer, and bank all use fingerprints as a form of identification, a compromise in one of those systems could allow all systems to be compromised. After all, your biometric data is only as secure as the least-secure location where it is stored. For all these reasons, look carefully at the circumstances around any potential biometric solution to an identity problem.

I was curious if I would agree with my statements made back in 2004 when the book was first published. As it turns out I’m willing to cede that biometrics are more mature as a technology today but I’ve not yet read anything which indicates that the core vulnerabilities have been addressed. As listed above, those are:

1. Single-factor deployment is most common
2. Revocation is impossible (Or its corollary, a perfect system is assumed)
3. One piece of biometric data can be used in authentication decisions across multiple autonomous systems (weakest link problem)

I’ve yet to read a paper which convincingly addresses these issues in a way that doesn’t depend on each given deployment doing the right thing. Consider the extent of the security used in Rome, Georgia. Perhaps it is quite significant. However, I wouldn’t be surprised if biometrics was deployed purely as a convenience feature without a lot of regard for security. When that Georgia student goes on to bigger and better things his biometric data can be used again, perhaps to authenticate him to his financial institution or to grant him access to a foreign country. Though I’ll admit biometric attacks aren’t trivial, the impact of the attacks are monumental particularly if they allow an adversary to assume the identity of the victim in multiple systems. Imagine the worth of an entire school system’s biometric data. This could include tomorrow’s potential business and government leaders not to mention your average consumer going about their lives. I’m not trying to be alarmist here, but despite multiple discussions of the risks, people don’t seem to be listening. I’d love to be corrected here as the IT guy in me loves the simplicity of biometrics. For the time being though, I haven’t seen a way to avoid the risks.

Technorati Tags: biometrics, identity

This entry was posted on Wednesday, September 6th, 2006 at 1:43 pm and is filed under General Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.