Monday, January 26, 2009

Biometric Security

Biometrics are the oldest form of identification. Fingerprints have been used to identify people at crime scenes for more than 100 years.

What is new about biometrics is that computers are now doing the analyzing: thumbprints, retinal scans, voiceprints, and typing patterns. There's a lot of technology involved in trying to limit both the number of false positives (someone else being mistakenly recognized as you) and false negatives (you being mistakenly not recognized). Generally, a system can choose to have fewer of one or the other; fewer of both is very hard.

Biometrics can vastly improve security, especially when paired with another form of authentication such as passwords. But it's important to understand their limitations as well as their strengths. On the strength side, biometrics are hard to forge. 

On the negative side, biometrics are easy to steal. You leave your fingerprints everywhere you touch, your iris scan everywhere you look. Hackers regularly copy prints from objects people have touched and post them on the Internet.

Passwords can be changed and backed up, but if someone copies your thumbprint, or you alter your thumbprint in an accident, you're stuck. Biometric systems need to be analyzed in light of these possibilities.

Biometrics are unique identifiers, but they're not secrets.

A stolen biometric can fool some systems. Remote logins by fingerprint fail if there's no way to verify that the print came from an actual reader rather than from a stored computer file.

A more secure approach is to use a fingerprint to unlock your mobile phone or computer. Because there is a trusted path from the fingerprint reader to the stored fingerprint the system uses to compare, an attacker can't inject a previously stored print.

However, researchers have made false fingers out of rubber or glycerin. Manufacturers have responded by building readers that also detect pores or a pulse. The lesson is that biometrics work best if the system can verify that the biometric came from the person at the time of verification. 
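One way a remote login could check that a print came from an actual reader at the time of verification, shown as an added example that is not part of the original post. It assumes a hypothetical reader holding a secret key shared with the server; the names `reader_capture` and `LoginServer` and the sample template are constructed for illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # fixed length keeps nonce || template unambiguous

def reader_capture(template, nonce, reader_key):
    """Trusted reader: tag a fresh capture together with the server's nonce."""
    tag = hmac.new(reader_key, nonce + template, hashlib.sha256).digest()
    return {"template": template, "nonce": nonce, "tag": tag}

class LoginServer:
    def __init__(self, enrolled_template, reader_key):
        self.enrolled = enrolled_template
        self.reader_key = reader_key
        self.pending = set()  # nonces issued and not yet used

    def challenge(self):
        nonce = secrets.token_bytes(NONCE_LEN)
        self.pending.add(nonce)
        return nonce

    def verify(self, msg):
        nonce = msg["nonce"]
        if nonce not in self.pending:
            return "stale-or-unknown-nonce"
        self.pending.discard(nonce)  # each nonce is accepted once
        expected = hmac.new(self.reader_key, nonce + msg["template"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "not-from-reader"
        # Exact equality stands in for a real fuzzy biometric matcher.
        return "accepted" if msg["template"] == self.enrolled else "no-match"

def demo():
    key = secrets.token_bytes(32)  # assumption: provisioned inside the reader
    template = b"constructed-sample-template"  # constructed, not real data
    server = LoginServer(template, key)
    live = reader_capture(template, server.challenge(), key)
    results = [server.verify(live)]  # fresh capture from the reader
    # Copied template submitted from a file: no reader key, so no valid tag.
    from_file = {"template": template, "nonce": server.challenge(),
                 "tag": bytes(32)}
    results.append(server.verify(from_file))
    results.append(server.verify(live))  # earlier valid message sent again
    return results

if __name__ == "__main__":
    print(demo())
```

The template itself is identical in all three submissions; only the reader's tag over a fresh nonce separates the live capture from the stored copy. This does not address a false finger presented to the reader, which is what the pore and pulse detection is for.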

Biometrics are easy, convenient, and when used properly, very secure. Understanding how they work and how they fail is critical to understanding when they improve security and when they don't.

I wish you great success.