
Over the years biometrics has been the go-to movie authentication mechanism, but in the real world I'm getting conflicting opinions about it. Everything I've learned shows that biometrics are flawed for two main reasons: they are non-revocable credentials, and they can easily be forged.

So what is the state of the nation when it comes to biometrics usage compared to other mechanisms like smart cards or OTP?

AviD
Steve
    Oh - and other problems: the false accept and false reject rates and the crossover point mean that if you have a significant number of users it fails badly (imagine a 0.1% error rate in 50,000 users for example); and what happens if your fingerprint/retina is damaged? – Rory Alsop Jan 17 '11 at 16:45
  • "go-to movie authn scheme" - nicely stated! It all depends on your goals and threat model. If "security theater" is your approach, biometrics are great! – nealmcb Jan 17 '11 at 17:44
  • @nealmcb I never considered the real world security theater use, good call. – Steve Jan 17 '11 at 18:30
  • @Rory that's kind of an answer right there, it defines the "state of the nation" pretty well. – AviD Jan 18 '11 at 07:58
  • I'm also seeing many technologies coming up now, that offer biometric *on top of* regular authentication. That is, if you're using passwords *anyway*, here's a nice piece of technology that can help add another layer of protection *on top of your existing authentication*. That said, the concept of biometrics-as-authentication is flawed (for the reasons you state), it's usually used closer to "identification". – AviD Jan 18 '11 at 08:01
  • Flawed is an overstatement. Biometrics can't be easily forged, if used properly (though that's a very significant condition). The question is pretty broad; we might be able to give better answers if you have a more focused question in mind. – D.W. Jan 19 '11 at 07:21
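Rory Alsop's comment above on false accept / false reject rates, the crossover point and what happens at 50,000 users, carried through numerically as an added example (not part of the original thread). The match scores are constructed for illustration; a real matcher would produce them.

```python
"""Worked FAR/FRR/crossover calculation for a biometric matcher.

Added example, not from the thread. Scores are constructed (higher = more
similar); 'genuine' are same-person comparisons, 'impostor' are
different-person comparisons."""

GENUINE = [55, 62, 70, 74, 78, 81, 85, 88, 92, 96]   # constructed
IMPOSTOR = [10, 18, 25, 31, 38, 44, 49, 53, 58, 63]  # constructed


def far_frr(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """False accept rate: impostor scores at or above the threshold.
    False reject rate: genuine scores below the threshold."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep thresholds 0..100 and return (threshold, FAR, FRR) at the
    point where FAR and FRR are closest: the equal error rate (EER).
    Raising the threshold lowers FAR but raises FRR, so an operator can
    only trade one error for the other, not remove both."""
    best = None
    for t in range(0, 101):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1], best[2], best[3]


def one_to_many_false_match(far, enrolled):
    """Probability that a single impostor matches at least one of N
    enrolled templates in a 1:N identification search. A per-comparison
    FAR that looks small (0.1%) is effectively certain to produce a false
    match once N is in the tens of thousands."""
    return 1 - (1 - far) ** enrolled


if __name__ == "__main__":
    t, far, frr = crossover()
    print(f"crossover threshold={t} FAR={far:.2f} FRR={frr:.2f}")
    print(f"1:1 false accept at FAR 0.1%: {one_to_many_false_match(0.001, 1):.4f}")
    print(f"1:50,000 false match at FAR 0.1%: {one_to_many_false_match(0.001, 50000):.6f}")
```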

4 Answers

There are a few other reasons:

  • Error rate - false accepts and false rejects are still unacceptably high for many types of biometrics.
  • User acceptance - still not widely trusted by users - the various privacy concerns are still quite high, and the idea that a part of your body is now a security mechanism is somewhat freaky for some folks.

Security best practices these days (like the CISSP certification's baseline for security practices) don't point towards Biometrics being the end-all, be-all for security. The best practice is to build a system with a collection of authentication mechanisms that are appropriate for the system, the information in it, the expected threats and vulnerabilities, and the ways that the system must be used.

I don't know that anyone could say beyond doubt what the "state of the nation" is - that's a pretty broad assertion. But I can say that common best practices don't currently force biometrics as a one size fits all solution. I'd say, at best, they are something that is still under development and treated with a certain amount of dubiousness.

bethlakshmi

Biometrics can also be forged, such as fingerprints. By contrast, forging a 1024-bit RSA key on a smartcard is much more difficult than forging a human fingerprint. However, every form of authentication you add raises the bar for the attacker (and annoys your users). This is the basis of multi-factor authentication.

The most common form of two-factor authentication I see in the corporate world is a key fob and a password. This is really good at defending against common attacks, such as obtaining a password hash from a database with SQL injection and cracking it. If this were a bank vault, then yeah, I would add biometrics as well. It depends what you are trying to protect.

rook
  • I think the problem isn't that biometrics can be forged, so much as the fact that you leave this "credential" (i.e. your fingerprint) *all over the place*. It's similar to if you used the same password for all sites - including advertising it on billboards. Or, even crazier - if some form of public national id (say, SSN) were to be considered a secret identifier - even though you have to give it to everyone who asks for it. – AviD Jan 19 '11 at 09:23
  • @AviD♦ well, being able to have the credential is meaningless unless it can be used. To make matters worse, it cannot be changed. So it's a 3-part problem, but I think we agree. – rook Jan 19 '11 at 16:41
  • @AviD Correct me if I'm wrong, but normally biometrics are used on a device, rather than an account - i.e. someone cannot access my iCloud account over the internet using my fingerprint because they need my phone, whereas if I posted my password all over the internet, they could. – Tim May 29 '17 at 20:12
  • @Tim not necessarily - there are systems that are designed to use your biometrics remotely - but you are right that using it locally on device does make things simpler. I don't think it removes all the risk or problems, but it does change it somewhat. – AviD May 30 '17 at 08:55

Exposure surface to the attack

A smart card or OTP may be attacked through internal algorithmic weaknesses (e.g. a PRNG which should only be used for debugging and is inadvertently used in a production environment). These known and unknown weaknesses constitute the attack surface of these authentication techniques. I would say that their exposure surface to attack is just algorithmic.

On the other hand, biometric techniques have a much larger exposure surface. To take a pretty simple example, the use of fingerprints within a biometric authentication scheme offers 3 paths of attack:

  1. The physical approach

    Offer a clean glass of champagne to the target victim during a social physical event, and manage to recover the glass to get a high-definition picture of the target's fingerprints.

  2. The storage attack

    All these fingerprints have to be stored either locally or centrally. Steal the Phone5 of the target victim and, through physical interfaces, get the internal content and attack the stored and encrypted fingerprint. If they are stored centrally, since we aren't in the magic space-time where 0 probability lives, this central storage will get broken sooner or later.

  3. The algorithmic attack

    As with any other authentication technique, fingerprint reading, storing and comparing will use algorithms. Hence this authentication is also exposed to algorithmic attacks.

I would say that their exposure surface to attack is 3-sided: physical, storage and algorithmic.

A fingerprint authentication technique is a target 3 times as interesting as an OTP algorithm.

dan

Adaptability to the attack & to internal weaknesses

One more key difference between biometric authentication and any other authentication technique.

Facing the progress of attack techniques, any algorithm can be improved by enlarging the size of the field to attack through brute force. For example, algorithms whose strength is proportional to a key size may be strengthened by publicly announcing that from now on key sizes lower than N bits are prohibited.

Facing the discovery of internal weaknesses within given algorithms, this information can be published and the option to use these weaker algorithms may be officially prohibited.

No such freedom exists with biometric techniques.

You can't enlarge the variability of your iris pattern, even with a very large brain and some exceptional will.

You can't change it either if you discover that within your family there is a defect within your genetic code causing a huge number of similarities within your iris patterns.

Biometric techniques can't adapt to:

  1. progress of the attack
  2. bias in their probability distribution

With such defects, in the real world, these techniques shouldn't survive.

In horror films (Minority Report) they have a duly deserved success.

dan