14

I have come across the following question in a Security+ exam guide

You are tasked with creating a high-security authentication system for physical access control to a military installation. Which of the following authentication systems would be most appropriate?

  1. Biometric eye scan
  2. Security badge
  3. Smart card and PIN
  4. Encrypted login and password

The answer at the end of the chapter was:

For high-security installations, biometrics is an extremely secure method to authenticate users based on unique physical characteristics.

My question is

How is it possible the answer was not number 3?

Bad guys will have to steal the smart card and somehow get the PIN from the authorized personnel, which is TWO jobs,

while in a biometric eye scan they have to do ONE job

Ulkoma
  • Biometrics are not magical portals to security. They are as good as they are. So far, some of the best and top market leaders in biometrics have repeatedly been defeated by photo copies, licking, blowing. These gizmos aren't based on real science yet. – Jeff-Inventor ChromeOS Aug 16 '14 at 12:50
  • If you can beat the pin out of them with a lead pipe, why would getting the card require a pipe of different elemental composition? – jjanes Aug 17 '14 at 22:48
  • If he does not have the card on him you'll need more than a pipe, that's where TWO is more secure than ONE – Ulkoma Aug 18 '14 at 11:16
  • To be honest, this is a poorly-scoped question. Neither is inherently more secure; they simply have *different* security properties. Biometrics can never be revoked, but when paired with a human observer they can be effective. Smart cards are likely a better choice when unobserved, but which technique is best depends upon the types of threats you want to protect against and what other security measures you intend to employ. – Stephen Touset Aug 19 '14 at 23:55
  • I don't know about you, but bad guys who point a gun at me and demand my smart card and my pin, get it. – ddyer Aug 20 '14 at 00:18
  • The real lesson here is that you need to answer the questions according to the course material. You get no marks for an innovative answer that disagrees with them! – paj28 Aug 22 '14 at 13:51
  • If he does not have the card on his person, where do you suppose he has it? Does he keep it at his grandma's house in Anchorage, and then commute every day from Anchorage to Wichita? Does he keep the card in a special vault, secured by his retina scan? – jjanes Aug 24 '14 at 05:27
  • That's not what I meant. Obviously if someone has the courage to beat you with a pipe they most likely have the nerves to take your eyeball out, but when they come to your bedroom I don't suppose you keep your card under your pillow, and if they are going to kill you anyway why tell them where you keep your smart card? Also if you are a well trained spy you will not respond to torture, but your permission is not required to have your eye extracted – Ulkoma Aug 24 '14 at 09:02

5 Answers

19

Biometrics can be effective as authentication or as identification, but not both at the same time.

According to Wikipedia, retinal scans are accurate to approximately one in one million, meaning on the earth today there are approximately 7,000 individuals who will be identified as you in a retinal scan. Assuming no further authentication is necessary, these people will be both identified and authenticated as you in a single (mis-)step.

But if coupled with an external identification step, biometric authentication becomes a second factor. Typically identification is accomplished by an identification badge ("something you have") while authentication happens through biometrics ("something you are"). So it does turn out to be true two-factor authentication.

This is inherently better than card-and-pin because of the three available factors, "something you know" is the easiest to fake.

So assuming identification happens using a token of some sort (which is very typical in biometric authentication installations, but not explicitly stated here), then the question is poorly-worded but has at least the right idea. Assuming instead that the eye-scan stands alone as both identification and authentication, then answer 3 would be correct.

Either way, the question could use some clarification. It refers to authentication alone without even a word about identification; but that's an absolutely critical factor in evaluating the security of the system and definitely makes a difference here. It's left to the reader to divine the contents of the question-writer's head, which is poor form in writing standardized tests.

tylerl
  • Biometrics (something you are) are not authentication, they are only identification. Something you have, on the other hand, can be both identification and authentication. – Gudradain Aug 20 '14 at 14:21
  • Something you know is actually a very important thing as it is the hardest to steal. Stealing biometrics can be easy, stealing a phone can be easy. Forcing people to reveal something only they know can be very hard. – Gudradain Aug 20 '14 at 14:26
  • @Gudradain eh, no. Not buying it. Something you know is dramatically easier to steal than something like an iris scan. Fingerprint sensors are exceptional because you leave the traces everywhere, but they're explicitly and intentionally not relevant to this question. But it's easy to trick someone into revealing their password or surreptitiously gathering that information. Surreptitiously gathering an iris scan is significantly less probable, and reproducing it even more so - very nearly zero. Passwords are compromised **far** more often than eye scans. – tylerl Aug 20 '14 at 23:17
  • The problem with biometrics is that you don't even need to trick someone to give it to you. You just need to offer another service that also uses iris scan, for example. It's not common today but it might change in future. If you are using 10 different services that require iris scan, do you still feel secure? It's like using the same password for 10 different sites. Exactly the type of thing that you need to avoid. – Gudradain Aug 20 '14 at 23:22
  • If passwords are compromised far more often than eye scans it's simply because they are a lot more widespread. Iris scans can be compromised by a camera a few feet away from you. Also, you can trick most commercial iris scanners with a high quality picture (but yes there are ways to mitigate that). The fact still stands that you can fake an iris currently. This is the same problem as the magnetic strip on your credit card. Once it's stolen you are screwed and you might not even know it. – Gudradain Aug 20 '14 at 23:24
  • http://technet.microsoft.com/en-us/library/cc512578.aspx Great article explaining that biometric is identity and should not be used for authentication. – Gudradain Aug 21 '14 at 20:04
  • @Gudradain Both the biometrics and the token together establish identity; neither does on its own. The likelihood that both will be stolen is sufficiently low to ensure security. Whether you call the biometric component identification or authentication is immaterial, as it can't do either job on its own. On the backend, biometrics are poor at the job of account selection because they provide a fuzzy match, while other forms are strictly deterministic, hence the authentication/identification distinction as described. But if you want to switch them around, it's largely just semantics. – tylerl Aug 21 '14 at 21:24
  • Biometric sensors are inherently and catastrophically vulnerable to replay attacks - if you can produce the same inputs the system is expecting, you can spoof the authorized user and gain access. As such, they are only viable as a secondary factor, and should never be used alone. – Stephanie Aug 22 '14 at 04:50
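The "one in a million" figure in the answer above hides a distinction that the comments argue about: whether the scanner searches every enrolled template (identification, 1:N) or compares against the single template a badge has already selected (verification, 1:1). The following is an added illustration, not code from the answer or from any product; it takes the answer's figures (7 billion people, a false match rate of 1e-6) and assumes comparisons against different templates are independent.

```python
"""Added illustration of false-match arithmetic for a biometric scanner.
FMR (false match rate) is the per-comparison probability that an impostor's
sample is accepted against someone else's template. The 1e-6 and 7 billion
figures come from the answer; the functions and independence assumption are
constructed for this example."""

import math


def expected_false_matches(population: int, fmr: float) -> float:
    """Average number of other people whose eye would be accepted as yours."""
    return population * fmr


def identification_false_accept(enrolled: int, fmr: float) -> float:
    """Probability that one impostor attempt matches at least one template when
    the scanner must search every enrolled template (1:N, no badge presented).
    Assumes each comparison is an independent trial with probability fmr."""
    return 1.0 - (1.0 - fmr) ** enrolled


def verification_false_accept(fmr: float) -> float:
    """Probability that one impostor attempt is accepted when a badge has
    already selected exactly one template to compare against (1:1)."""
    return fmr


def enrolment_limit(target_false_accept: float, fmr: float) -> int:
    """Largest enrolled population for which a badge-less 1:N search keeps the
    per-attempt false-accept probability at or below the target."""
    return int(math.floor(math.log(1.0 - target_false_accept) / math.log(1.0 - fmr)))


if __name__ == "__main__":
    fmr = 1e-6
    print(f"people on earth matched by one template: "
          f"{expected_false_matches(7_000_000_000, fmr):.0f}")
    for n in (1_000, 50_000, 1_000_000):
        print(f"1:N search, {n:>9} enrolled: "
              f"{identification_false_accept(n, fmr):.4%} per impostor attempt")
    print(f"1:1 after a badge selects the template: "
          f"{verification_false_accept(fmr):.4%} per impostor attempt")
    print(f"max enrolment for a 1% 1:N false-accept: {enrolment_limit(0.01, fmr)}")
```

The point the numbers make is the one tylerl draws: the same sensor is a weak single factor when it has to pick the account itself, and a strong second factor once a token has narrowed the comparison to one template.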
6

I see you as having two questions here:

  1. Is the answer provided by the study guide technically correct?
  2. Is it possible this sample question doesn't have a clear answer and is a bad question?

With regards to your first question I think you have a valid argument that smart card / PIN offers at least equivalent security to a biometric authenticator. But part of this depends on how both systems are implemented.

Is the smart card simply storing a static value that is presented, along with the PIN, to the authenticating system? Or does it contain a protected private key that signs a one-time challenge and will only do so when it directly receives the proper PIN (meaning the auth system never knows the PIN)? Does the "eye scan" (retina, iris or other?) capture enough data points from the image to represent a significantly large number of possible patterns? Has the eye biometric system been configured with an appropriate accuracy to reject close, but not exact, readings (false acceptance rate)?

But the exam guide provides none of that information and thus expects you to make a fairly uninformed decision about which one is best. And that brings us to the second question.

I'm not sure if this is your first technical certification or not, but expect to be frustrated. In an attempt to assess your knowledge of a wide variety of topics you will run across questions like this on real exams that do not have a single clear answer. They may rely on your knowledge of the exam creator's specific guidance on the subject, which might be published in their official study guide or supporting material.

But you may just be left trying to reverse engineer the question writer's undocumented perceptions that led them to choose one answer over another. In other words, even if you don't agree yourself, is there an answer that from one point of view might be the obvious one?

Some testing organizations put a good deal of time and effort into making sure their questions are both well founded in industry consensus and psychometrically sound. But our industry also has a lot of questions that require answers to start with "well, it depends..." A few testing organizations try to simplify this complexity for the sake of expanding their repository of questions and do us a disservice in pretending there is a clear answer.

My experience taking and passing the Security+ exam some 7+ years ago was that they were included in this latter group. So, good luck to you and try not to get too frustrated in the process!

PwdRsch
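The answer above notes that "smart card and PIN" can mean two very different things: a card that emits a static value the door controller compares, or a card that holds a protected key, signs a fresh challenge, and does so only after receiving the correct PIN itself. The following is an added example, not code from the answer or from any card vendor, that models both designs and an eavesdropper who replays what was observed. As a constructed stand-in, the card "signs" with HMAC-SHA256 over a key shared with the verifier at enrolment rather than with an asymmetric private key; the structural properties being shown (single-use challenge, key never leaves the card, host never learns the PIN, card locks after repeated wrong PINs) are the same either way.

```python
"""Added example: static-credential badge versus challenge-response smart card
with on-card PIN check. Constructed stand-in: HMAC-SHA256 over a key shared at
enrolment replaces an asymmetric signature; the replay/PIN properties shown
do not depend on that choice."""

import hashlib
import hmac
import secrets
from typing import Dict, Optional


class StaticBadge:
    """Emits the same secret every time, like a magnetic stripe or a badge whose
    ID is simply read by the door controller."""

    def __init__(self, badge_id: str, secret: bytes):
        self.badge_id = badge_id
        self._secret = secret

    def present(self) -> bytes:
        return self._secret


class SmartCard:
    """Holds a key and a PIN. Answers a challenge only when the PIN is right and
    locks itself after three wrong PINs. Neither key nor PIN is ever output."""

    MAX_PIN_TRIES = 3

    def __init__(self, card_id: str, key: bytes, pin: str):
        self.card_id = card_id
        self._key = key
        self._pin = pin
        self._failed = 0
        self.locked = False

    def sign_challenge(self, pin: str, challenge: bytes) -> Optional[bytes]:
        if self.locked:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._failed += 1
            if self._failed >= self.MAX_PIN_TRIES:
                self.locked = True
            return None
        self._failed = 0
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class DoorController:
    """Verifier. Static badges are checked by value; smart cards by a single-use
    random challenge, so a response captured today is useless tomorrow."""

    def __init__(self) -> None:
        self._badges: Dict[str, bytes] = {}
        self._card_keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}

    def enrol_badge(self, badge_id: str, secret: bytes) -> None:
        self._badges[badge_id] = secret

    def enrol_card(self, card_id: str, key: bytes) -> None:
        self._card_keys[card_id] = key

    def check_badge(self, badge_id: str, presented: bytes) -> bool:
        expected = self._badges.get(badge_id)
        return expected is not None and hmac.compare_digest(expected, presented)

    def new_challenge(self, card_id: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[card_id] = challenge  # replaces any earlier challenge
        return challenge

    def check_response(self, card_id: str, response: Optional[bytes]) -> bool:
        challenge = self._pending.pop(card_id, None)  # consumed on first use
        key = self._card_keys.get(card_id)
        if challenge is None or key is None or response is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenarios() -> Dict[str, bool]:
    """Honest use of both designs, then replay of whatever an eavesdropper saw."""
    door = DoorController()
    badge = StaticBadge("badge-42", secrets.token_bytes(16))
    card_key = secrets.token_bytes(32)  # provisioned into card and verifier once
    card = SmartCard("card-42", card_key, pin="4721")
    door.enrol_badge(badge.badge_id, badge.present())
    door.enrol_card(card.card_id, card_key)

    skimmed = badge.present()                      # attacker reads the badge once
    badge_replay = door.check_badge("badge-42", skimmed)

    challenge = door.new_challenge("card-42")
    response = card.sign_challenge("4721", challenge)
    honest = door.check_response("card-42", response)

    door.new_challenge("card-42")                  # next visit: fresh challenge
    card_replay = door.check_response("card-42", response)  # recorded response

    for _ in range(SmartCard.MAX_PIN_TRIES):       # guessing the PIN at the card
        card.sign_challenge("0000", door.new_challenge("card-42"))

    return {
        "badge_replay_accepted": badge_replay,
        "card_honest_accepted": honest,
        "card_replay_accepted": card_replay,
        "card_locked_after_wrong_pins": card.locked,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Note what the door controller never holds: the PIN is compared inside the card, and the key is used only inside the card, so a compromised reader learns a one-time response and nothing it can reuse.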
6

I think that there's an unstated assumption in the question: that the military installation will have a guard at the entry. Every attack on a biometric system I'm aware of assumes an unprotected or compromised scanner. If there's a guard standing there at the gate making sure that you're using your eyeball (not a gouged-out one, not a photograph, not a dummy scanner connected in place of the real one, and so on), a biometric eye scan is a reasonable technique.

In such a situation, a smart card can be stolen and a PIN can be beaten out of the victim, but there's no way you're going to be able to trick the guard into letting you use someone else's eyeball.

Mark
1

Some sources out there will disagree with the following statement but it has to be said.

Biometrics are NOT authentication. Biometrics are IDENTIFICATION.

Do NOT use biometric for authentication, but you can use them for identification just fine!

There are 3 important concepts for security:

  • Identification : Who you are
  • Authentication : How you prove who you are
  • Authorization : What access you get based on who you are

The big problem with biometrics is that you are not able to change them. If you are not able to change them, what happens when they get stolen?

For identification, you can reuse the same username or biometric everywhere. It doesn't matter that you reuse the same thing since it's who you are. It's also not a problem if it cannot change since who you are will never change.

For authentication on the other hand, you need to be able to change things in case they get stolen. You are able to change what you know, passwords, and you are able to change what you have, phone/token device/email address. But, you are not able to change what you are, biometrics.

Hence, biometric is the worst pick for authentication as it's really identification.

The good part

This does not mean that biometrics are useless. In fact, they can provide very good identification as it will be harder for an attacker to steal the biometric of one person than to simply write his public user name.

But, it's just identification. You still need authentication and yes multi-factor authentication is better than single authentication.

There are 3 things you can use for identification / authentication.

  • Something you know : password
  • Something you have : phone, token device, email address
  • Something you are : biometrics, username

If you want the best security, you need to combine them this way :

  • Identification : Something you are + Something you have
  • Authentication : Something you know + Something you have

Something you have is the only thing that can be used as both identification and authentication since it's assumed that you are the only one with it.

Something you are cannot be used as authentication as it cannot change.

Something you know cannot be used as identification as you cannot reveal it.

The answer

If you really have to pick only one then #3 (smart card + pin) should be the answer.

If you can pick more than one then #1 (iris scan) + #3 (smart card + pin) provide the best security

Some sources

http://technet.microsoft.com/en-us/library/cc512578.aspx (great article on the subject)

Proper biometrics are identity only and will be accompanied, like all good identifiers, by a secret of some kind -- a PIN, a private key on a smart card, or, yes, even a password.

http://en.wikipedia.org/wiki/Multi-factor_authentication

http://www.chakraborty.ch/best-practices/why-biometric-authentication-is-frequently-a-bad-idea/

http://psoug.org/blogs/mike/2010/04/13/biometric-ids-a-really-really-bad-idea/

Gudradain
  • Care to comment your downvote? – Gudradain Aug 20 '14 at 15:26
  • I wasn't responsible for the downvote, but I strongly disagree with your comment that "biometrics are not authentication". You don't get to arbitrarily rewrite several decades of consensus in our industry because you don't agree with it. Biometrics certainly do have weaknesses, but they can also be used to effectively **authenticate** users. The same way that passwords have weaknesses and are used to authenticate. Can they offer better security when combined, sure, but that doesn't mean the use of any one factor by itself is invalid. Your logic isn't consistent in comparing factors. – PwdRsch Aug 21 '14 at 20:08
  • @PwdRsch Biometric = public, Password = private, Biometric = Can't be changed, Password = Can be changed, Biometric = Identification, Password = Authentication. To have a secure system, you need both identification and authentication. I don't rewrite anything, I simply resume what people before me have thought and I provide the sources. You can also find many others if you google it. – Gudradain Aug 21 '14 at 20:15
  • I was one of the downvotes and @PwdRsch is right. The definition of authentication is "the process of verifying identity." The claim that authentication necessarily requires mutability is bizarre, and that biometric factors cannot be used as authenticators is just wrong. Yes, using only a biometric factor as both an identifier and an authenticator is bad. That doesn't mean that it doesn't or can't happen. If that were true, single factor systems based on a biometric couldn't exist, by your definition. One unrelated point, a username is "something you know" not "something you are." – Xander Aug 21 '14 at 20:29
  • @Gudradain Biometrics are not guaranteed to be public. Some types can be observed or captured given the right circumstances, and that is indeed one of their weaknesses. But my biometric data isn't sitting out on the Internet in a public database. An attacker has to take steps to collect it, some of which will be more difficult than others. Good biometric product vendors also typically implement 'liveness' checks that attempt to detect and reject copies of biometric data, which either thwarts this type of attack or raises the cost of carrying out a successful attack. – PwdRsch Aug 21 '14 at 20:57
  • @PwdRsch You are partially right that biometrics are not public. You can probably consider your biometrics private if you have never used a biometric identification system before. But, do you still consider it private when you use 10 different biometric systems made by various companies (some might be malicious)? You only have 1 biometric of a certain type and you can't change it. To every system asking for biometric you will give the same result, hence it's public. – Gudradain Aug 21 '14 at 21:43
  • @Xander You just said it yourself... Authentication is "the process of verifying identity", hence to authenticate you first need to provide identity. The first source in my answer explains it clearly. The defense of biometric systems is that they are hard to copy. But has being hard to copy stopped people from copying the magnetic strip on credit cards or from creating false money? No. Don't assume that someone can't copy your biometric. – Gudradain Aug 21 '14 at 21:49
  • @Gudradain Resistance to disclosure and duplication are properties of authenticators, and their success at accomplishing this does definitely depend on which one you're discussing. I am worried that widespread biometric use would increase the risk of accidental or malicious disclosure that leads to someone impersonating me. But that still doesn't make them any more public than you giving the same credit card number to multiple companies. And, back to the original point, that doesn't invalidate them for authentication. – PwdRsch Aug 21 '14 at 22:05
  • @PwdRsch If by "giving the same credit card number to multiple companies" you mean buying things online and entering that number on a lot of different websites, then I will say that I'm indeed very worried about this practice... Back on topic, something you can't change, is relatively public and can be copied can't be used as an authenticator, only for identification. – Gudradain Aug 21 '14 at 22:54
-1

It would be easier to defeat a smartcard and pin -- all you would have to do is use a pinhole camera to record your mark entering the pin and then steal their smartcard. Defeating a retinal scan requires fabricating some kind of device that can pass for a real human eye.

Now think which would look more odd to a bored security guard watching the video feeds -- someone inserting a smartcard and entering a pin like everyone else, or someone holding up an odd contraption to the retinal scanner? It's certainly a lot harder to look inconspicuous when you're trying to defeat a biometric device (unless it's el-cheapo fingerprint kind).

mricon