Biometric Musings Part 1: Authenticating with public data

Posted by in Analysis on Jan 11, 2011

The other day, I made the statement that a biometric system, implemented poorly, can actually be worse than a password system. I promised I would return to it, and so I shall do so now, although my thinking is to do so in stages and cover a couple of different musings about biometrics over a period of a few weeks. I should start by saying that I'm a huge fan of biometrics; it's actually (little known fact) why I got into security in the first place. I'm a huge advocate of biometrics… but it's important that we understand them rationally and logically in order for them to really be successful in the marketplace. Part of that rational understanding means analyzing the flaws as well as the features.

So the first musing to tee up about biometrics is the general point that they are, strictly speaking, public data. Meaning, unless you're analyzing a part of me that I usually keep covered (whew, let's hope the industry doesn't go there), you're analyzing something that's visible to whoever should care to look.

Image source: mrtozer.pbworks.com

Some of you might question what significance that has; so what if we are authenticating with public data? I think, philosophically, it changes the dynamics of the authentication process involved. In other words, it takes the authentication "factor" from "what you are" to "how good is your reader".

Here's what I mean by that… We probably all remember the traditional authentication factors, right? They are "what you have", "what you know", and "what you are." A password ("what you know") is the factor whose name comes closest to describing what it actually is. It is, in fact, "what you know": a secret shared between you and the authentication system.

In the "what you have" camp we usually put SecurID… and dongles, and tokens, and smartcards, etc., etc. But none of this stuff is really "what you have" per se. Under the hood, it's really "proof of a secret shared with the token". The security of the system relies on the ability of the device to keep that secret. They all work that way.

Biometrics we classify as "what you are." But that's not exactly true. "What you are" implies some kind of objective truth… We don't have that. More precisely, it's "measurements of what you appear to be based on a narrow set of criteria that we can read and analyze." The biometric authentication process derives security from the fact that it is difficult for someone else to read the same data the same way. I put my fingerprint everywhere I go; why can't someone use that to log in? The truth is, they can… except the reader implements some type of countermeasures to detect whether the reading is occurring within "live finger" parameters.

So the barrier is a technological one. Meaning, the thing (barrier) keeping the bad guys out is how good the system is at making replay and spoofing difficult. Meaning, it's a hardware problem under the hood.
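To make the shift from "what you are" to "how good is your reader" concrete, here is a small simulation in Python. It is an added example, not code from the post or from any product mentioned in it. It assumes (these are all constructed for illustration) that a biometric reading can be represented as a short feature vector compared by cosine similarity against an enrolled template, that a trustworthy reader holds a provisioned HMAC key it uses to tag each reading together with a server-issued nonce and its own liveness verdict, and that the server only trusts readings carrying a valid tag. The scenarios show the post's argument in order: a plain matcher accepts a copy of the public data, an attested reader bound to a fresh nonce accepts a genuine presentation but rejects a stale reading or a presentation its countermeasure judged non-live, and the attestation itself is nothing more than the "proof of a secret shared with the token" that hardware tokens rely on.

```python
import hashlib
import hmac
import math
import secrets
import struct

# Constructed feature vectors standing in for biometric readings (e.g. a fingerprint template).
ENROLLED_TEMPLATE = [0.12, 0.85, 0.33, 0.67, 0.91, 0.05]   # stored at enrollment
GENUINE_SAMPLE = [0.13, 0.84, 0.34, 0.66, 0.90, 0.06]      # same finger, slight sensor noise
OTHER_PERSON = [0.90, 0.10, 0.80, 0.20, 0.10, 0.70]        # a different finger
MATCH_THRESHOLD = 0.95


def cosine_similarity(a, b):
    """Biometric matching is a similarity score within a tolerance, never an exact comparison."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm


def naive_biometric_login(sample):
    """Matcher that trusts whatever bytes arrive: only the 'what you are' measurement is checked."""
    return cosine_similarity(ENROLLED_TEMPLATE, sample) >= MATCH_THRESHOLD


def token_respond(token_secret, challenge):
    """'What you have' reduced to its mechanism: proof of a secret shared with the token."""
    return hmac.new(token_secret, challenge, hashlib.sha256).digest()


def _payload(nonce, live, sample):
    # Everything the server will rely on is covered by the tag: challenge, liveness verdict, measurement.
    return nonce + bytes([live]) + struct.pack(f"{len(sample)}d", *sample)


def reader_read(reader_key, nonce, sample, live):
    """A trusted reader returns its measurement, its liveness verdict, and a tag binding both to the
    server's nonce. The tag uses exactly the shared-secret proof a hardware token uses (assumed design)."""
    return {"sample": sample, "live": live,
            "tag": token_respond(reader_key, _payload(nonce, live, sample))}


def server_verify(reader_key, nonce, reading):
    """Server-side decision: trusted reader, fresh challenge, live presentation, then similarity."""
    expected = token_respond(reader_key, _payload(nonce, reading["live"], reading["sample"]))
    if not hmac.compare_digest(expected, reading["tag"]):
        return False          # not produced by this reader for this challenge (stale or altered)
    if not reading["live"]:
        return False          # the reader's countermeasure rejected the presentation
    return cosine_similarity(ENROLLED_TEMPLATE, reading["sample"]) >= MATCH_THRESHOLD


def run_scenarios():
    """Returns one verdict per scenario; True means the scenario came out as the post describes."""
    reader_key = secrets.token_bytes(32)   # constructed: provisioned to the reader, never on the wire
    results = {}
    # A copy of the public data passes a matcher that has nothing but the measurement to go on.
    results["naive_matcher_accepts_public_copy"] = naive_biometric_login(ENROLLED_TEMPLATE)
    # Genuine presentation, attested by the reader against a fresh nonce.
    n1 = secrets.token_bytes(16)
    r1 = reader_read(reader_key, n1, GENUINE_SAMPLE, live=True)
    results["genuine_accepted"] = server_verify(reader_key, n1, r1)
    # The same attested reading offered again for a later challenge: the nonce in its tag is stale.
    n2 = secrets.token_bytes(16)
    results["stale_reading_rejected"] = not server_verify(reader_key, n2, r1)
    # The reader's liveness check fails even though the measurement itself would match.
    n3 = secrets.token_bytes(16)
    r3 = reader_read(reader_key, n3, ENROLLED_TEMPLATE, live=False)
    results["non_live_rejected"] = not server_verify(reader_key, n3, r3)
    # Someone else's finger, live and attested, is simply not similar enough.
    n4 = secrets.token_bytes(16)
    r4 = reader_read(reader_key, n4, OTHER_PERSON, live=True)
    results["other_person_rejected"] = not server_verify(reader_key, n4, r4)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'as expected' if ok else 'unexpected'}")
```

The point the scenarios make is that every check the server can actually enforce lives in the reader: the key that produces the tag, the nonce that proves freshness, and the liveness verdict. The similarity score on its own accepts any faithful copy of the public data, so an auditor evaluating such a system should spend their time on how the reader protects its key and how its countermeasure decides "live", not on the matching algorithm.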

Note:  this post was pre-authored and scheduled.  Apologies for any comments that are not immediately moderated.

  • Pingback: Biometric Musings Part 2: Approaching Authentication? | SecurityCurve

  • kurt wismer (http://anti-virus-rants.blogspot.com)

    as it happens, my professional career began in biometrics as well. i have a much poorer regard for the technology, however.

    countermeasures, or liveliness tests, are next to impossible if your reader is just a camera. in order for a system to determine that it's not simply registering a pre-recorded image, physical contact is often required – something that increases the perceived intrusiveness of the biometric significantly (i don't want to use an iris scanner that has a liveliness test requiring physical contact).

    fingerprint biometrics are perhaps the only mainstream biometric technology where physical contact with the reader is the norm. as such, it benefits from having the option of employing the countermeasures of which you speak, but those countermeasures are not necessarily very sophisticated or reliable.

    i'm reminded of an episode of mythbusters where they foiled a fingerprint reader with a photocopy of a fingerprint. the straight photocopy failed on its own, however, presumably because the reader had countermeasures (perhaps ones which operate by testing one or more of the electrical properties of the surface contacting it). adam savage bypassed those countermeasures and got the photocopy to work simply by licking it.