So I was interested to read Ellen Messmer’s coverage in Network World of the Biometric Consortium conference.  Now granted, I’ll read — and probably enjoy — just about anything that Ellen writes.  But I found this article to be particularly interesting.

I say it’s interesting because I’m a huge fan of biometric technology, but have often wondered why use cases are so limited in actual deployments.  Sure, there are the time clock apps and the Bloomberg terminal, but what about technologies like the iris scanning ATM?  That seemed like a good idea to me, but that was a million years ago and that use case seems to not have left the lab.

Anyway, not to spend too much time on this point or anything, but I’m wondering if biometrics is again a victim of its own early successes.  After all, I remember piloting a iris recognition system a while back — you needed to focus your eye on a series of concentric rings in order for your Iris to be in precise alignment for it to be measured.  Guess what?  It was painful.  I piloted another system back in the day that did retinal scanning.  It shined a (bright) light directly into your eye.  Also painful.

Of course, all these systems were years ago and I’m sure they’re no longer that way now. But I wonder if that is where this perception by users is coming from.  Is it that they have that long a memory?  Or could it be something else?  Maybe it’s perceived threats of physical injury?  Like, it seems like any movie made that has biometrics systems in it has the hero/villain cutting off someone’s body part to get past it.  Could it be that is adding to the fear here?

Anyway, the article is interesting reading, and I highly recommend checking it out.

Since it’s Friday, I wanted to just pass along some interesting reading for folks, and keep the analysis relatively light.

Anyway, I came across an article this week about biometrics, and I’ve been meaning to comment on it but haven’t gotten around to it yet. So sorry about the lack of timeliness on this one, but I did still think it was useful to pass around.

Little known fact, I used to work for a biometrics company way back in the day. Anyway, I’ve been a huge fan of the technology for quite a few years now, so was pleasantly surprised to see an article like this one in the mainstream press.   So interesting reading for those biometrically inclined.

Image Source: redbubble.com

So, I’m continuing the discussion of biometrics that I started the other day about why biometrics aren’t de facto better just because. I won’t argue that biometrics have a theoretical upper bound of being better than a password-based system, or when used as part of a multi-factor. However, I don’t think it’s safe to just say “we use biometrics, ergo our method is superior.”  There are a few reasons for this; as I pointed out the other day, there’s the issue of using public data to authenticate… maybe you don’t consider that to be much of a big deal (some folks do, I’m ambivalent either way).  However there’s also the issue to consider level of confidence in the authentication result.

Image Source: ozguru.mu.nu

What I mean by that is that it’s important to understand that there is a difference between the binary authentication “result” you receive with a non-biometric authentication vehicle and the “approximation within an acceptable threshold” that you receive from a biometric system.  In other words, you can never get to 100 percent confidence in an authentication result with a biometric system.

Never, you ask?  Never, say I… at least until we come up with a different way of doing biometrics. Consider what happens when you type in a password into your computer.  There are two options: you either get it 100 percent right or you get it 100 wrong.  The same is true when you type in the number on a SecurID token: either it is completely correct and you get access, or it is completely wrong and you do not.  Right or wrong, there can be no middle ground.  This is a binary result.

Biometrics do not work this way.  In a biometric scenario, you establish a level of confidence – you set parameters that you are comfortable with.  These tolerance thresholds establish who is authenticated (above the tolerance threshold) vs who is not (below the threshold.)  There is no complete certainty that the authentication is successful.  You can asymptotically approach certainty as you refine and improve the accuracy of the scheme (reader + extraction + comparison), but you never can quite get all the way there.

So is this a practical issue?  It is from a certain point of view.  It means that the user of a biometric system (i.e. you, the practitioner) have a responsibility to understand the parameters you are working within.  You can take any biometric system, no matter how sophisticated, right now and some complete stranger could authenticate as you to the system – not by doing anything fancy, just through random chance.  That’s the reality.  Now, the likelihood of that occurring goes down the better engineered the system is – but it’ll always be possible.  Again, you the user need to understand this if you are going to use the system.  If you are unable or unwilling to make these decisions, think carefully about whether you are ready for biometric adoption.

Note:  this post was pre-authored and scheduled.  Apologies for any comments that are not immediately moderated.

The other day, I made the statement that a biometric system, implemented poorly, can actually be worse than a password system.  I promised I would return to it, and so I shall do so now.  Although my thinking is to do so in stages and cover a couple different musings about biometrics over a period of a few weeks.  I should start by saying first off that I’m a huge fan of biometrics; it’s actually (little known fact) why I got into security in the first place. I’m a huge advocate of biometrics… but it’s important that we understand it rationally and logically in order for them to really be successful in the marketplace.  Part of that rational understanding means analyzing the flaws as well as the features.

So the first musing to tee up about biometrics is the general point that they are, strictly speaking, public data.  Meaning, unless you’re analyzing a part of me that I usually keep covered (whew, let’s hope the industry doesn’t go there), you’re analyzing something that’s visible to whomever should care to look.

Image source: mrtozer.pbworks.com

Some of you might question what significance that has; so what if we are authenticating with public data?  I think, philosophically, it changes the dynamics of the authentication process involved.  In other words, it’s takes the authentication “factor” from “what you are” to “how good is your reader”.

Here’s what I mean by that… We probably all remember the traditional authentication factors, right?  They are “what you have”, “what you know”, and “what you are.”  A password (“what you know”) is the closest to actually being reflected by the language we use to describe the factor.  It is, in fact, “what you know” – or a secret shared between you and the authentication system.

In the “what you have” camp we usually put SecureID… and dongles, and tokens, and smartcards, etc., etc.   But none of this stuff is really “what you have” per se. It’s really “proof of a secret shared with the token” under the hood.  The security of the system relies on the ability of the device to keep that secret.  They all work that way.

Biometrics we classify as “what you are.”  But that’s not really true exactly.  ”What you are” implies some kind of objective truth….  We don’t have that.  More precisely, it’s “measurements of what you appear to be based on a narrow set of criteria that we can read and analyze.”   The biometric authentication process derives security from the fact that it is difficult for someone else to read the same data the same way.  I put my fingerprint everywhere I go; why can’t someone use that to log in?  The truth is, they can… except the reader implements some type of countermeasures to detect if the reading is occurring within “live finger” parameters.

So the barrier is a technological one.  Meaning, the reason (barrier) keeping the bad guys out is how well the system is at making replay and spoofing difficult.  Meaning, it’s a hardware problem under the hood.

Note:  this post was pre-authored and scheduled.  Apologies for any comments that are not immediately moderated.

If you don’t pay attention to this stuff (and let’s face it, why would you), SC just put up some group tests yesterday related to biometric products.  Well, it’s categorized as a “group test” anyway… although it really isn’t one.  Sure, they’re all fingerprint products so in some cases it’s a “group” in that respect.  But the products listed fill a huge swath of different niches (from physical lock type devices, to network authentication software, to an application SDK).

Image Source: canadiandesignresource.ca

So not really a group test at all – more of a “technology showcase” illustrating all the cool things you can do with biometrics.

And all the products score really high marks.  For example, three of the products (Bayometric Griaule Fingerprint SDK 2009, DigitalPersona Pro Enterprise, ACTAtek combination unit) score 5 out of 5 stars in every category. The others two lost some points, but nothing went lower than 3 stars. Overall, a pretty impressive showing I’d say.  Of course, all this begs the question as to why, which they handily sum up in the overview:

The beauty of biometrics is that you are the authentication method. So unless someone cuts off the finger that you use on the fingerprint scanner, you’re good.

So… in addition to giving you the “you’re good” feeling as they claim (aside, of course from the cut off finger which sounds like it kind of sucks), SC goes on to list their perspective on the biometric marketplace including the downsides (cost) and the upsides (everything else, according to them).

So…  what’s my point, you ask?  I’m concerned… concerned because people of all experience levels read SC.  Would someone just starting out in security know enough from these reviews to make an intelligent purchasing decision from this?  Would they know to ask if the products are ISO 19784compliant, what the crossover error rate is, what material the platen is made out of, or what algorithm is being used?  Answer these questions wrong and you have huge – “blow up in your face” kind of huge – engineering and security challenges.  Answer them right and you have (hopefully) a robust authentication system.

SC doesn’t go into all that other than to say “5 stars”.  There’s no analysis of the various security strengths/weaknesses of the security of biometrics as a whole or the individual products themselves.  I’m a believer in biometrics (as I’ve stated before)… but, like much of security, biometrics done well are great… whereas biometrics done poorly are categorically worse than using a password alone (it’s true, and I can back it up… but I’ll spare you the 500 words or so of argument here and save it for a future post).  That’s leaving aside the theoretical discussions about whether using non-secret data (your fingerprint) for authentication is better than a secret value (password) on the whole.

I worked at a biometrics company and at the time I was there, we spoofed user logins.  We did it all the time as part of the development process (as in “hey, try another fingerprint to see if it rejects you… feed it a canned one”).  So SC saying that “biometrics is better” is dangerous and feeds into the “James Bond factor” that they already have.  It’s the kind of data-free assumption that is so particularly detrimental in our field – leading, as it does to a false sense of security.  A measured, reasoned, and disciplined approach to security has no place for “it’s just better because” – it could be better, but that assertion has to be based on something.

Did you know that they can tell if you’ve taken drugs – or if you smoke – from your sweat?  It’s true – they’ve been able to do it for a long time now. And apparently the technology to do this has gotten quite a bit better in the past decade or so.

Today I came across an article about a biometric product that combines fingerprint identification and drug testing over on SecurityPark. The text in the article is interesting and all, but if you really want to dig, the actual page on their site has quite a bit more detail.

The deal is this: they can take a fingerprint and test it in under 15 minutes to determine whether there are drug metabolites in a residual sample of sweat that you leave when you touch a surface.  Right now, they can only do it on glass surfaces – but they’re working on latent prints from other surfaces.  The page doesn’t say this specifically, but given the forensic and profiling use case outlined, one supposes this includes latent prints on a glass surface such as a glass-top desk or window – as well as potentially glass-like surfaces like glazed porcelain (e.g., coffee mug).

They can also look for tobacco metabolites and they’re probably not far away from alcohol metabolites (you can test for this in sweat the traditional way – not sure why it’s not on these folks’ radar yet though.)

Anyway, I’m not usually the kind of guy to freak out about privacy rights or whatever, but I’m not sure this is a good idea…  A fingerprint is public data.  You leave fingerprints everywhere you go.  Currently, as I understand it, law enforcement does not need a warrant or anything to lift your fingerprint from a public location – at least that’s how it always happens on Law & Order.

In the past, testing for drugs has always been implicitly constrained by some degree of consent because obtaining a urine, saliva, or sweat sample has been so intrusive.   Now, they can conduct a drug test without your knowledge or consent.  One supposes that they could actually arrest based on this at some point.

I think the laws we have in place currently will ultimately need to change based on this because of the privacy impact.  For example, what if it was a completely passive test.  Like if they could just wave a wand in public and find out who’s on drugs – and potentially arrest them.  Acceptable?  What if your employer could randomly test you on a periodic basis without your knowledge or consent?  What if your landlady Old Mrs. McCrabtree could test you for drugs without your consent just because she doesn’t like the cut of your jib?

I don’t know, but I think something’s gotta give here.

HelpNet has an article up by Paul Foote and Reena Hora about why biometrics are a “must have” for banks – the title (“Biometric Security for Financial Meltdown Solutions”) seems to imply a link between the crazy stuff going on in the bankerage world and biometrics, but it’s really more about how to prevent fraud by using biometrics. Interestingly, this article got some play over at eWeek as well. If you haven’t done so, it’s an interesting bit of reading.

Now, I’ve been a huge advocate of biometrics. I want to believe… I really do. I started my career at a biometrics company, I’ve tried (in almost every job I’ve had) to push biometrics in all sorts of industries. I was a dedicated follower of HAAPI and the BioAPI. I’ve tried them all: fingerprint (with optical and capacitance readers), iris, voice, signature, etc. And I have consistently obtained no traction on deploying them past a pilot stage. Particularly in a banking context. Historically, it’s been a tough sell.

Foote and Hora tell us:

“To prevent a recurrence of a fraud like this, financial institutions can improve security by adding biometric systems to their ERP systems, or by replacing their legacy systems with SAP and bioLock. Most biometric systems are used for access control. Realtime North America

]]> http://www.securitycurve.com/wordpress/archives/524/feed 1 http://www.securitycurve.com/wordpress/archives/408?utm_source=rss&utm_medium=rss&utm_campaign=iris-scanning-for-sex-offenders http://www.securitycurve.com/wordpress/archives/408#comments Thu, 13 Jul 2006 16:04:34 +0000 Ed http://securitycurve.com/wordpress/?p=408

I am not in the habit of defending sex offenders, and I’m not about to start now. I do, however, have to question whether anybody has seriously thought through the ramifications of North Carolina’s plan to use iris scanning to register sex offenders. I came across this gem via the Biometrics Discussion Email list (what arose out of the ashes from the Biometrics Consortium forums) and did some digging around. Apparently, the system they are planning on using is called SORIS (Sex Offender Registry and Identification System) which positively identifies sex offenders based on their iris.

Granted, identifying sex offenders is important, but for the life of me I can’t figure out why iris scanning helps. Look, the argument is that this iris scanning will help locate sex offenders, right? How exactly are we planning on doing this identification? I can’t remember ever having been asked to have my iris scanned outside of biometrics tradeshows or specific iris-scanning pilot deployments. Where exactly are we going to introduce the iris scanning “checkpoint” to locate these sex offenders? Are we going to start requiring mandatory iris-scanning for people moving in to a new state? Iris scanning at the DMV? Iris scanning as part of standard employment background checks? I hope not. However, it seems that unless there’s a plan for more iris scanning somewhere, that this registry is all but useless. Just some whiz-bang gadgetry that the North Carolina taxpayer has to pay for.

I mean – is it me or does this not make any sense? Compare it with fingerprint. Don’t we have fingerprinting already for just about everything nowadays? Get a job, get fingerprinted. Get arrested, get fingerprinted. Go to the DMV, get fingerprinted. We already have fingerprints for every convicted sex offender on file, therefore allowing the creation of a database with no new enrollment and no change to current processes. We also have people actively checking people’s fingerprints occassionally (not commonly, but it’s out there.) Why not use (oh let me think about it) FINGERPRINT to track the legions of roving chesters loose in suburbia? Is it because the iris is supposedly more “unique”? Hype. It is theoretically more unique and maybe more accurate – but I haven’t seen any tests to back this up. Actually, the tests I’ve seen show better performance for fingerprint because fingerprint is easier to use and train people on. Even if iris was marginally better than fingerprint, you’re talking about fractions of a percent. Is that fractional percentage increase in accuracy worth the tremendous extra expense, inconvenience, and use of police resources associated with deploying an entirely new recognition infrastructure?

Oh, and it’s expensive all right – training costs are high as is processing time. At one point in my career, I piloted an iris-scanning system let me tell you – you actually have to *work* to use an iris scanner. It’s not like fingerprint where you roll your finger around in some ink and slap it on a pad. You basically have to stare into this tube at an LED and adjust your eye muscles in such a way that you bring two concentric circles into alignment. It’s hard to do, it takes learning on the part of the scannie to use it properly, and it gives you eyestrain with frequent use. It’s hard to do with a willing participant – which your average perv isn’t likely to be. So, ante up Charlotte residents and when you figure out that you bought the proverbial “alaskan refrigerator” you’ll know who to thank.

]]> http://www.securitycurve.com/wordpress/archives/408/feed 0 http://www.securitycurve.com/wordpress/archives/275?utm_source=rss&utm_medium=rss&utm_campaign=asking-for-whom-the-bell-tolls http://www.securitycurve.com/wordpress/archives/275#comments Tue, 15 Nov 2005 13:31:43 +0000 Ed http://securitycurve.com/wordpress/?p=275

I’ll keep this entry short, since I’m not sure how many of you will care… But, I’ll tell you a secret: I love biometrics. I got my start in security in the biometrics industry, and I’ve tried to be an active voice ever since. I’ve tried to help folks in the community steer their solutions away from things that are doomed to fail (like using them for online banking) and towards things that are more likely to work (using them to enforce licensing schemes the way Bloomberg has done.)

As an interested party, I am a bit saddened by the recent passing of the Biometrics Consortium email list. Apparently, the proverbial bell is tolling for the Biometrics Consortium – and it’s tolling loud. The BC email discussion list was a haven for everything biometric for years, and for anybody who has been keeping up, the list is gone and the community is worse off for it. The quick story is this: a few government employees got together (the BC is a government-funded endeavor) and decided that an email list was too expensive to maintain… so they replaced it with a web forum that nobody uses. Reaction to the move was mixed (but primarily negative) – alternative lists were proposed, but the traffic on those lists is minimal.

I’ve never seen solidarity like what the the BC list represented in any other security discipline: academics, business folks, government, and vendors all participating in a central universal forum – sharing research, sharing insights, and everyone playing nicely together. It really was a haven. All in all, it is a solemn time for biometric innovation.

]]> http://www.securitycurve.com/wordpress/archives/275/feed 0 http://www.securitycurve.com/wordpress/archives/154?utm_source=rss&utm_medium=rss&utm_campaign=content-free-with-a-bogus-ending http://www.securitycurve.com/wordpress/archives/154#comments Tue, 19 Apr 2005 13:40:03 +0000 Ed http://securitycurve.com/wordpress/?p=154

Aritcle about the “state of affairs” in quantum cryptography. While almost completely content-free, the conclusion of this article where Martin Illsley says, “[Quantum cryptography] still needs biometric proof” did sufficiently raise my hackles enough to comment.

Will someone please explain to me how quantum cryptography and biometrics are related? I’m just not seeing it… Unless the photons in question are bouncing off my fingerprint, iris, or retina, I would contend that the two technlogies are completely unrelated…

In addition to being unrelated, I keep going on record, having worked for a biometrics company at one point, that biometrics are in some cases worse than a password or token. Just ask the poor guy who lost his finger for his beamer a few weeks back.

]]> http://www.securitycurve.com/wordpress/archives/154/feed 0