Biometrics

Biometrics may seem new, but they're the oldest form of identification. Tigers recognize each other's scent; penguins recognize calls. Humans recognize each other by sight from across the room, voices on the phone, signatures on contracts and photographs on driver's licenses. Fingerprints have been used to identify people at crime scenes for more than 100 years.

What is new about biometrics is that computers are now doing the recognizing: thumbprints, retinal scans, voiceprints, and typing patterns. There's a lot of technology involved here, in trying to both limit the number of false positives (someone else being mistakenly recognized as you) and false negatives (you being mistakenly not recognized). Generally, a system can choose to have less of one or the other; less of both is very hard.
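The false-positive/false-negative trade-off above is what a threshold on a matcher's similarity score controls. The following added example (not part of the essay; the scores are constructed for a made-up sensor, not measured from any product) sweeps that threshold over a handful of genuine and impostor readings and shows that pushing one error rate down pushes the other up:

```python
# Constructed matcher scores (0 = no similarity, 1 = identical) for a made-up sensor.
# GENUINE are readings of the enrolled person; IMPOSTOR are readings of other people.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.86, 0.92, 0.73, 0.89, 0.97, 0.84]
IMPOSTOR = [0.12, 0.35, 0.48, 0.21, 0.66, 0.30, 0.55, 0.18, 0.82, 0.75]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Accept a reading when score >= threshold.

    Returns (false accept rate, false reject rate): the fraction of impostors let in
    (the essay's false positive) and of genuine users turned away (false negative)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(thresholds=(0.5, 0.7, 0.8, 0.9)):
    """Map each candidate threshold to its (FAR, FRR) pair."""
    return {t: error_rates(t) for t in thresholds}


def equal_error_point(steps=100):
    """Threshold at which the two error rates are closest.

    The error rate at that point (the 'equal error rate') is the usual single number
    for comparing sensors; it is the best you can do for both errors at once."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


if __name__ == "__main__":
    for t, (far, frr) in sweep().items():
        print(f"threshold {t:.2f}: false accept {far:.0%}, false reject {frr:.0%}")
    t, far, frr = equal_error_point()
    print(f"equal error at threshold {t:.2f}: {far:.0%}")
```

On these constructed scores, a threshold of 0.5 rejects no genuine user but admits 40% of impostors; raising it to 0.9 admits no impostor but rejects 60% of genuine users. A deployment picks the threshold for its own cost of each error (a phone unlock tolerates false accepts differently from a border gate), which is why "less of both" needs a better sensor rather than a better threshold.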

Biometrics can vastly improve security, especially when paired with another form of authentication such as passwords. But it's important to understand their limitations as well as their strengths. On the strength side, biometrics are hard to forge. It's hard to affix a fake fingerprint to your finger or make your retina look like someone else's. Some people can mimic voices, and make-up artists can change people's faces, but these are specialized skills.

On the other hand, biometrics are easy to steal. You leave your fingerprints everywhere you touch, your iris scan everywhere you look. Regularly, hackers have copied the prints of officials from objects they've touched, and posted them on the Internet. We haven't yet had an example of a large biometric database being hacked into, but the possibility is there. Biometrics are unique identifiers, but they're not secrets.

And a stolen biometric can fool some systems. It can be as easy as cutting out a signature, pasting it onto a contract, and then faxing the page to someone. The person on the other end doesn't know that the signature isn't valid because he didn't see it fixed onto the page. Remote logins by fingerprint fail in the same way. If there's no way to verify the print came from an actual reader, not from a stored computer file, the system is much less secure.

A more secure system is to use a fingerprint to unlock your mobile phone or computer. Because there is a trusted path from the fingerprint reader to the stored fingerprint the system uses to compare, an attacker can't inject a previously stored print as easily as he can cut and paste a signature. A photo on an ID card works the same way: the verifier can compare the face in front of him with the face on the card.
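The two preceding paragraphs contrast a remote login that accepts a print from a stored file with a device whose reader is on a trusted path to the matcher. The added example below (not from the essay) makes that difference concrete with two toy verifiers: one that accepts a bare template, and one that issues a single-use challenge and only accepts a capture that a reader holding a provisioned key has bound to that challenge. The template bytes and reader key are constructed placeholders, and matching is simplified to exact equality so the replay logic stays visible; real matchers compare features approximately.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (hypothetical, not from the essay): the enrolled template of
# one user and the secret key provisioned into one genuine reader at manufacture.
ENROLLED_TEMPLATE = b"constructed-template:alice"
READER_KEY = b"constructed-reader-key-0001"


class RemoteFileVerifier:
    """A remote login that accepts a bare template. It cannot tell a live capture from a
    file, so data captured once is accepted again: the essay's cut-and-paste signature."""

    def verify(self, template):
        return hmac.compare_digest(template, ENROLLED_TEMPLATE)


class TrustedPathVerifier:
    """Binds each capture to a fresh, single-use challenge that only a reader holding
    READER_KEY can answer. A stored copy of the template is rejected even if perfect."""

    def __init__(self):
        self._outstanding = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce, template, tag):
        if nonce not in self._outstanding:      # unknown, expired, or already consumed
            return False
        self._outstanding.discard(nonce)         # single use: the same answer never works twice
        expected = hmac.new(READER_KEY, nonce + template, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                         # not produced for this challenge by a keyed reader
        return hmac.compare_digest(template, ENROLLED_TEMPLATE)


def genuine_reader(nonce, template):
    """What the hardware reader does: emit the capture plus a MAC over (nonce, capture)."""
    return template, hmac.new(READER_KEY, nonce + template, hashlib.sha256).digest()


def replay_outcomes():
    """Submit the same captured data to both verifiers and report what each accepts."""
    naive = RemoteFileVerifier()
    trusted = TrustedPathVerifier()

    # A perfect copy of the template, i.e. the essay's "stored computer file".
    stored_file = bytes(ENROLLED_TEMPLATE)

    nonce1 = trusted.challenge()
    capture, tag = genuine_reader(nonce1, ENROLLED_TEMPLATE)
    nonce2 = trusted.challenge()

    return {
        "naive_accepts_file": naive.verify(stored_file),
        "trusted_accepts_live": trusted.verify(nonce1, capture, tag),
        "trusted_rejects_reused_nonce": not trusted.verify(nonce1, capture, tag),
        "trusted_rejects_tag_on_other_nonce": not trusted.verify(nonce2, capture, tag),
        "trusted_rejects_bare_file": not trusted.verify(trusted.challenge(), stored_file, b"\x00" * 32),
    }


if __name__ == "__main__":
    for name, ok in replay_outcomes().items():
        print(f"{name}: {ok}")
```

The point of the second verifier is not the MAC itself but what it proves: that a keyed reader produced this capture for this challenge. That is the software shape of the essay's "trusted path" (the phone's reader and matcher sit in the same device), and it is only as strong as the reader's key storage and its liveness checks; it does nothing against a fake finger presented to a genuine reader, which is the problem the next paragraph takes up.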

Fingerprints on ID cards are more problematic, because the attacker can try to fool the fingerprint reader. Researchers have made false fingers out of rubber or glycerin. Manufacturers have responded by building readers that also detect pores or a pulse.

The lesson is that biometrics work best if the system can verify that the biometric came from the person at the time of verification. The biometric identification system at the gates of the CIA headquarters works because there's a guard with a large gun making sure no one is trying to fool the system.

Of course, not all systems need that level of security. At Counterpane, the security company I founded, we installed hand geometry readers at the access doors to the operations center. Hand geometry is a hard biometric to copy, and the system was closed and didn't allow electronic forgeries. It worked very well.

One more problem with biometrics: they don't fail well. Passwords can be changed, but if someone copies your thumbprint, you're out of luck: you can't update your thumb. Passwords can be backed up, but if you alter your thumbprint in an accident, you're stuck. The failures don't have to be this spectacular: a voiceprint reader might not recognize someone with a sore throat, or a fingerprint reader might fail outside in freezing weather. Biometric systems need to be analyzed in light of these possibilities.

Biometrics are easy, convenient, and when used properly, very secure; they're just not a panacea. Understanding how they work and fail is critical to understanding when they improve security and when they don't.

This essay originally appeared in the Guardian, and is an update of an essay I wrote in 1998.

Posted on January 8, 2009 at 12:53 PM • 62 Comments

Comments

Cole • January 8, 2009 1:27 PM

I thought voice readers didn't work effectively since the human voice changes due to stress, environment, and so on all the time.

Davi Ottenheimer • January 8, 2009 2:11 PM

"penguins recognize calls"

Sure, but can they attach a personalized ringtone? And what kind of billing system have they developed?

Nature's got nothing on the Telcos.

Yes • January 8, 2009 2:23 PM

What about DNA?
Even as we speak, we use DNA as solid "proof" of what we have done. But it can easily be a mistake...

Davi Ottenheimer • January 8, 2009 2:23 PM

@ Cole

In 1997 Gates said we'd all be using speech, handwriting, gesture, face, etc. already

http://www.microsoft.com/presspass/exec/billg/...

"In this 10-year time frame, I believe that we'll not only be using the keyboard and the mouse to interact, but during that time we will have perfected speech recognition and speech output well enough that those will become a standard part of the interface. Perhaps more controversial, we think that the once-promoted and failed handwriting interface approach will also be valuable. And with the digital cameras that we're seeing on these machines, with the software behind them, at a minimum they'll be able to recognize when a user is there, who the user is, what gestures they're making, and have that be part of the interface."

The latest thinking I've seen is that voice can be useful in some markets (limited and technical/specialized dictionary with value to the user like engineering or medicine) but is still far too easy to game for anything left open to it (like security).

@ Bruce

I find it easy to agree, they're not a panacea. What is? :)

Pat Cahalan • January 8, 2009 2:58 PM

> The biometric identification system at the gates
> of the CIA headquarters works because there's
> a guard with a large gun making sure no one is
> trying to fool the system.

This generally makes many security systems better, although it doesn't scale well :)

As an aside, when you add "armed guards" to the security system, you then (IMO) usually ought to have devices that work more as a check on the guard rather than as the primary security device themselves, reversing what many people think are the actual roles... i.e., the guard isn't really there to prevent people from suborning the fingerprint scanner (that's a secondary function), he or she is there as the primary security blockade, and the scanner serves as a check to the guard's behavior.

In other words, the armed guard becomes the first line of security (as they are there for the behavioral recognition function), and the IT part of the security system is there to make sure the *guard* follows policy -> the guard's recognition shouldn't be able to trump the device.

When you hear about failures in mixed human/IT security designs, it's usually because the human part can overrule the IT part - in this case, the guard could, if empowered, open the door if the scanner fails to authenticate the individual.

The reasoning behind this is simple -> as has been pointed out before, humans can be both the strongest or the weakest link in the security chain. As such, adding a human to a security design gives you additional security only when the presence of the human adds a check without introducing a bypass.

If you therefore consider the human as the first line of defense, the technical parts of the system can then be designed to prevent the human from becoming a bypass. If you consider the human to be an "add-on", you're usually opening as many holes as you close.

There's a subtle but massive difference between "the guard protects the fingerprint scanner" and "the guard protects the building and the fingerprint scanner audits the guard".

Simon • January 8, 2009 3:02 PM

If I openly post high quality scans of my fingerprints on Flickr, do I now have plausible deniability if they are ever found at the scene of a crime?

Simon • January 8, 2009 3:17 PM

Simon: Just what I was thinking. It would probably depend on the circumstances.

HJohn • January 8, 2009 3:30 PM

@Simon: "If I openly post high quality scans of my fingerprints on Flickr, do I now have plausible deniability if they are ever found at the scene of a crime? "

I would imagine, unfortunately. I also suspect that there have been times where someone has reported a credit card stolen to get out of paying for something expensive they actually did buy. Then again, this is just one more risk that has to be either accepted or mitigated in imperfect systems.

SumDumGuy • January 8, 2009 3:34 PM

@LarryH - What I would like to know about the case of the Korean woman is whether the tape was simply a way to distort her prints so that they would not match the database, or if the tape was "special" and actually carried an alternate set of prints or something else, like a combination of the two.

Does anyone have a link to a more detailed discussion of the case?

Davi Ottenheimer • January 8, 2009 3:58 PM

@ SumDumGuy

She had someone else's prints. It's not hard to find more details, not to mention this has been a known exploit for as long as readers have been around. Remember the gummy-bear guy?

You can't just fail a test (i.e. using distortion) and expect to get through a control. You have to get a valid read...

igor • January 8, 2009 4:09 PM

To apply a complex of measures correctly: the higher the importance of the object, the more varied the measures; but the whole complex will be only as weak as its weakest part.

Jeff Day • January 8, 2009 4:10 PM

Pat, I'm going to have to respectfully disagree. Security is only useful if you can still use the system, and that's something the IT frequently causes problems with. If you lock it down too much, then the system either becomes unusable or you make enemies of the legitimate users, which can cause even worse security problems than using less strict security. In this case, the director of the CIA could walk up, try to use the fingerprint scanner, and for whatever reason fail. In this case, the guards know that the director should be able to enter, everyone around them knows it, and yet they still can't go in. Training is the solution to human-caused security holes, not IT.

Brandioch Conner • January 8, 2009 4:10 PM

A company I worked for tried the fingerprint route.

But one of our accountants had been a chef before working there. Her fingerprints had been almost completely removed by that job.

She ALWAYS had trouble getting the fingerprint reader to recognize her.

Clive Robinson • January 8, 2009 4:27 PM

@ Davi Ottenheimer

"You can't just fail a test (i.e. using distortion) and expect to get through a control. You have to get a valid read..."

That depends on the control.

Effectively, biometric controls are comparing to a list of known biometrics.

If you have to be on the list to get access then what you say is true. But in the case of barring entry where matching the list prevents access then a simple distortion will unlock the door, unless the software takes distortion into consideration (which most if not all will not).

As there is no "world" database of fingerprints or other biometrics, passport control on biometrics is going to be subject to various failure modes...

SumDumGuy • January 8, 2009 4:27 PM

@Davi - I can't find any first sources reporting that the tape contained prints. Just blogs speculating as if it were fact.

As for distortion - I didn't mean fail, I meant distort to produce a set of minutiae that are sufficiently different from what is in the database - hiding short ridges, stretching long ridges so that endings appear to be at different relative locations, that sort of distortion.

Kermit the bog • January 8, 2009 4:33 PM

I have big problems with fingerprint readers. None seem to be able to read my prints.

My most recent experience was going through US customs a while back. It took forever for them to process me.

I have read that there is actually quite a large subsection of the population that cannot be effectively recognised by fingerprint readers, so I am not alone. I hope this biometric does not become too popular or I will be in big trouble.

Clive Robinson • January 8, 2009 5:02 PM

@ Kermit the bog,

"I have read that there is actually quite a large subsection of the population that cannot be effectively recognised by fingerprint readers"

Fingerprint readers don't really read your fingerprints; they look for certain features that are then saved relative to each other.

If your fingerprint lacks the features, or does not have a sufficient number of them, or they are not spaced a reliable distance apart, then yes, you are going to have problems, as are others.

The problem is not you but the technology.

Dave • January 8, 2009 5:05 PM

You leave your retinal scan everywhere you look? In what sense? Your iris can be captured just about anywhere you look (which is not at all the same as leaving your fingerprints to be collected later), but you never leave a retinal scan in any sense that I'm aware of.

billswift • January 8, 2009 5:16 PM

I don't know about readers, but the one time I was fingerprinted with ink in the early 1990s, it took them three tries to get readable prints. They figured it was from wear on my skin from my doing landscaping at the time.

Richard • January 8, 2009 5:26 PM

The problem with all these systems is that their workings are opaque to the humans who operate them. (and if the humans can't override them then you are in disaster movie territory - Westworld or Jurassic park)

If the scanning device has been compromised during manufacture (as happened with chip and PIN readers recently) then basically you are stuffed. (At the mercy of the bad guys.)

When the little light lights up to say that the biometrics match all you really know is that the little light has lit up!

alice • January 8, 2009 5:41 PM

Accidentally or intentionally altering a fingerprint only makes it more distinctive.

jeff • January 8, 2009 5:42 PM

"A more secure system is to use a fingerprint to unlock your mobile phone or computer."

The protection you need for a mobile device is especially for the case it gets stolen. But I leave my fingerprints all over my laptop or my mobile phone.

Clive Robinson • January 8, 2009 5:51 PM

@ Bruce,

One thing you forgot to mention is that biometrics are not stable; they age as we do.

Even the bones in your hand change as you get older as does the amount of flesh around them.

This means that in general they are not suitable as a method of identification where periods of several years may occur between readings.

Rupert H. • January 8, 2009 5:52 PM

Chop off Jim's finger, or pluck out Jim's eye - you are Jim, in a biometric world. A sharp knife or garden shears might be enough to let your local crack addict empty your bank account while you're in the emergency room.

Is there any published cryptanalytic analysis of the claimed uniqueness of DNA (as used by the police)?

Stephan E • January 8, 2009 5:56 PM

Nice article, but you don't seem to get to the point.

The point being very simple that NO authentication or identification should be possible from biometrics alone as that would leave the system open to faking using stolen biometrics.

Always ensure a secret controlled by the biometric's owner is unalterably involved, as it would ensure revocability of keys.

It follows - only collect and match ON-CARD, i.e. in the control of users. No use of foreign sensors located at the door etc. But of course this also means that the cards must be trusted by the verifier also.

This can be combined with some sort of biometric encryption, but there should be no non-revocable certified biometrics - even in the cards.

Also I think you forgot to mention the simple problem that biometrics are not interoperable. Give us a digital interface to allow for different mechanisms in parallel - not a fakeable and still non-interoperable interface.

Not Anonymous • January 8, 2009 6:12 PM

A photo on an ID card is a bad example IMO, it doesn't work very well, because the attacker can just create himself a card featuring the correct photo. So unless there is a real way for the verifier to verify if the card is actually genuine, it doesn't help much. So if possible, the photo should better be stored in a trusted database and retrieved from there (would be relatively simple to do for a company or some government agency).

Petréa Mitchell • January 8, 2009 6:17 PM

The one example that comes readily to my mind of biometric authentication that works well also involves hand geometry.

Walt Disney World sells multi-day tickets where the cost of additional days drops more and more the more days you get. To cancel out the obvious arbitrage opportunity, it's had various systems over the years to make sure every ticket is only used by one person. The current system is a hand geometry check at the turnstiles. The first time a ticket is used, the hand of the person using it is recorded, and subsequent uses are checked against that first geometry.

With the huge number of visitors WDW gets, there are probably tons of people with duplicate measurements, but as long as the odds of you and some random person you sell your partially used ticket to having the same ones is low, it all works great. (Also assuming they weren't so silly as to store the "correct" biometric readings on the ticket itself. I have no idea about the details of the implementation.)

Joe Huffman • January 8, 2009 6:45 PM

The last time I visited the CIA at Langley (2005) there were no biometrics other than government issued photo ID involved.

Retinas change dramatically over time and have not been used for many years. Iris scans are being used and are probably the best biometric for automated systems. They appear to be stable and the rate of false matches (two people having the same iris patterns) is about once for every 200,000 people.

The friction ridges on fingers ("fingerprints") degrade over time at a rate depending on the type of job you have, your age, and to a certain extent on your race. Older Asian women who spent a lot of time doing manual labor are supposedly the most difficult to get usable fingerprints from.

"Undocumented workers" traversing the U.S./Mexican border frequently soak their fingers in bleach before crossing. This makes it extremely difficult to get good fingerprints for about 24 hours.

Biometrics have their use in user validation but as you push them into the user identification realm you start having problems.

Pat Cahalan • January 8, 2009 6:45 PM

@ Jeff

> In this case, the guards know that the director
> should be able to enter, everyone around them
> knows it, and yet they still can't go in.

While your observation can be generally true (you need to be careful when you codify security into a technological process, as what do you do when the technology fails), I think you're picking on the wrong example here to prove your point :)

When you're looking at this sort of situation, the guard absolutely should *not* be able to let the person through the door - you're now completely eliminating the fingerprint scanner from your security system - why have it in the first place? If this person is indeed the director, then of course there should be a readily accessible escalation process to getting him access if the fingerprint reader doesn't let him in... but you absolutely do not want the *guard* to be responsible for making this call unilaterally.

Maybe he's not the director anymore, his clearance was revoked three minutes ago. Maybe he's not the director at all, he's just some dude that the guard has been tricked or paid off into acting like he's the director.

The point of a layered security system is that successfully authenticating against one layer is not supposed to allow you to bypass the next layer. At all. Ever. If the next layer forbids entry, at *best* the first layer can engage in a *third* layer to audit the second.

So the guard can pick up the phone and call another guard inside the building to come to the door *after verifying the person suspected to be the director is supposed to be admitted* and then let the director in, but the first guard should not be able to open the door.

Otherwise, the easiest way to suborn the security system is to walk up to the guard and show him a picture of his little girl holding up today's newspaper and say, "Let me in or in ten minutes she's dead". The guard is no longer supplemental to the fingerprint scanner... in fact, the guard is now an engineered hole in the system.

Put another way, disregard whether any particular layer of security is electronic, mechanical, or human. Think of each layer of security simply as a logical gate with two Boolean options -> "yes or no, allow pass to the next layer" and "yes or no, allow appeal to higher authority which has the ability to override one (or more) layers of the security system."

Sure, you want both, in the event that the particular layer fails. But you never want to add in "yes or no, allow pass to the next layer, and then override the next layer if it doesn't let the subject through".

Then you don't have layered security anymore. The appealed authority needs to be inside :)

Joe the Linguist • January 8, 2009 10:59 PM

Voiceprints don't even have to be faked, since they're unreliable pseudoscience. A voiceprint is nothing more than a t-f-a (time-frequency-amplitude) spectrograph that provides fairly limited data. The methodology of voiceprint readers seems to be little more than trying to spot similar patterns in spectrographs (remember, this is a lucrative money-making scheme, so real linguists aren't invited to examine the supposed research).

There have been advances in forensic phonology and speaker identification (not to be confused with voiceprinting), but the technology just isn't reliable yet. T-f-a spectrographs are useful teaching tools in phonology, but they're not helpful for speaker identification. You're probably no better off consulting a psychic than a so-called "voiceprint" expert.

meh • January 8, 2009 11:21 PM

Hand geometry = unhygienic. Some guy just went to the pot and didn't wash his paws. No thanks.

Clive Robinson • January 9, 2009 12:54 AM

@ alice,

"Accidentally or intentionally altering a fingerprint only makes it more distinctive."

That depends on what you mean by distinctive and how you go about it.

Cuts that leave scars are distinctive for identification for a while but will fade with time.

Mild abrasion due to mechanical or chemical action can change a fingerprint for a short period of time (i.e. until the base print grows back), and is to be expected with many types of manual work.

Some people suffer from skin conditions where their skin cracks, breaks or flakes, and their base fingerprint is obscured most of the time.

Yes, these changes are noticeable because they make the base print partially or fully obscured, but more distinctive? Not really, as the changes will change over a fairly short period of time, and have reasonable explanations as to why they have occurred.

Joe in Australia • January 9, 2009 1:29 AM

Just a small annotation: signatures are not (primarily) a form of biometric identification. The point of a signature is that it's an act of affirmation. Signatures arose in the days before universal literacy (and even literate people would generally employ a scribe for formal documents). How can you distinguish a binding commitment written under Fred Bloggs' authority from a non-binding draft? Well, you need Fred Bloggs to affirm that it is a record of his wishes. Fred Bloggs would do so by signing or sealing it.

This is why a faxed signature has legal significance. It's not because it's hard to forge - even signatures written with ink can be easy enough to forge. It's because it distinguishes this binding document from mere drafts and contemplated agreements that are not meant to have legal weight.

Now, what if the defendant says "Well, that's no proof: anyone can just forge a signature." Yes, the signature may be a forgery, but the presence of the signature shifts the burden of proof: the defendant will need to argue that it is a forgery and the judge will have to consider why the plaintiff would choose to commit a forgery and if it is likely that he or she would do so. If the document were unsigned then the plaintiff would need to argue that the document was meant to be legally binding despite the fact that it was never signed. In each of these cases it can be a heavy burden of proof.

R • January 9, 2009 2:56 AM

Offtopic -- National Academy of Sciences reports on export controls on high-tech equipment, finds a lot of them need to be lifted: http://www.nytimes.com/2009/01/09/science/... (report is at http://books.nap.edu/openbook.php?isbn=0309130263 )

The title is: Beyond "Fortress America": National Security Controls on Science and Technology in a Globalized World

They note that a lot of the controls were designed for the Cold War; that the U.S. is no longer the only high-tech research center; and that it actively harms national security to hamper commercial development that we all (even the military) depend on. That's what I'm sayin'!

The remaining crypto restrictions, although minimal, are pretty farcical. Technically, I believe I'm still required to notify some agency before I e-mail Vincent Rijmen a new implementation of AES. Who's gonna break it to them that he already knows how it works?

seejay • January 9, 2009 3:04 AM

The Mythbusters team had a go at fingerprint scanners. The particular one they tested failed abysmally. It was fooled by latex and gel copies of the finger. A paper facsimile of the print even worked. To add credence, they also "surreptitiously" lifted the print from a drinking glass.

http://mythbustersresults.com/episode59

GrahamS • January 9, 2009 5:38 AM

The issue to me, as noted in the article, is security of the database containing the biometric data.

My children's school has introduced a fingerprint system for using the library. When they move to senior school the fingerprint data should follow them to their new school.
When I asked whether the database was protected in any form they couldn't provide any answers (I asked for handling procedures / encryption / access security etc).
As far as I can see, given the UK government's IT record, within a few years databases of fingerprints will be easily available from the hard drives of decommissioned machines from elementary/primary schools.

I refused to sign the permission slips for the kids to use the system so instead they don't get to borrow books from the school library :(

oldami • January 9, 2009 6:11 AM

Dave's speculation above is correct. You do not leave your retina information everywhere. In order to scan a retina, a very bright light, usually a laser, is shined through the pupil to illuminate the retina. The pattern of blood vessels is mapped out to produce the biometric. Retina scans are seldom used anymore since people do not like having a laser shined into their eye.
An iris is possible to duplicate with a good quality photo.
Bruce is correct about hand geometry. It is very difficult to spoof. Retina is even harder to spoof. Iris is not difficult once you know the trick required to fool the reader's "live iris" checks. Fingerprints are trivial to spoof.
I have worked in the biometrics field for ten years and the best system we have produced uses fingerprints and an armed guard. We are moving to iris due to the difficulty reading some people's prints. Ever see what the prints of a 40 year old bricklayer look like? They basically don't have any.

Anonymous • January 9, 2009 8:01 AM

@Pat Cahalan "When you're looking at this sort of situation, the guard absolutely should *not* be able to let the person through the door - you're now completely eliminating the fingerprint scanner from your security system - why have it in the first place? If this person is indeed the director, then of course there should be a readily accessible escalation process to getting him access if the fingerprint reader doesn't let him in... but you absolutely do not want the *guard* to be responsible for making this call unilaterally."

Two points

1. All this does is move the target of subversion from the guard to the little factory in South China where the magic box is manufactured.

2. If the false negative rate is too high then the system will become a complete pain and WILL be re-engineered so the guard can override it.

Dan • January 9, 2009 8:46 AM

I think you miss an important point. As I understand it you cannot be compelled to divulge a password but you can be compelled to provide a fingerprint.

Billy • January 9, 2009 9:12 AM

Obligatory Mythbusters reference where a fingerprint reader is defeated by licked paper.
http://www.youtube.com/watch?v=LA4Xx5Noxyo

As for the security of biometric databases that are used for "security purposes", surely there's ways to store proof of biometric without needing to store the biometric itself. Password systems haven't needed to store plain text passwords for ages, although there's still systems today that do :)

Seth Breidbart • January 9, 2009 9:34 AM

If the guard is there only to ensure that you use your real finger and not a gummy fingerprint, suborning him will let you use a gummy fingerprint hence breaking the system.

GrahamS • January 9, 2009 9:39 AM

"As for the security of biometric databases that are used for "security purposes", surely there's ways to store proof of biometric without needing to store the biometric itself. Password systems haven't needed to store plain text passwords for ages, although there's still systems today that do :)"

Agreed, but in the sample I'm thinking of I have great doubts of a govmt sponsored piece of software being so well thought out....

Right Guard • January 9, 2009 10:32 AM

"Tigers recognize each other's scent."

How come this hasn't been used more in human systems? (Smellometric?) I'm being serious here: Is it hard to develop a system to distinguish scent?

Petréa Mitchell • January 9, 2009 11:36 AM

@meh:

Indeed, the most questions about the hand scanners at Disney World-- in the fan groups where I circulate, anyway-- come from people worrying about hygiene, rather than security or privacy.

(The second biggest issue appears to be people thinking the scanners are doing a detailed scan of the entire hand and recording all their fingerprints, and getting worried about that information being protected.)

Petréa Mitchell • January 9, 2009 11:43 AM

@Right Guard:

"I'm being serious here: Is it hard to develop a system to distinguish scent?"

Yes. You know how you learned in school that the sense of taste has four or five components, depending on how long ago you were in school? The sense of smell has... well, I think there's still debate about how many, but a *lot* more. Tigers (and all the cat family) don't even just use their noses, but also an auxiliary smell analyzer called the Jacobsen's organ.

The problem is of trying to analyze the level and exact composition of a bunch of complex chemicals very quickly. It's hard.

Pat Cahalan • January 9, 2009 12:13 PM

@ Anonymous

> 1. All this does is move the target of subversion from the guard to
> the little factory in South China where the magic box is manufactured.

No. You have two targets of subversion now; the guard and the little factory in South China. While this may not be substantively more difficult (for a particular attacker) than subverting the one target (in this particular case), it's definitely not equivalent.

> 2. If the false negative rate is too high then the system will become
> a complete pain and WILL be re-engineered so the guard can override it.

This is exactly my point. If the false negative rate for any security check (again, mechanical, electronic, or human) is "too high", of course you want an escalation process. DON'T give it directly to the guard, who is the first layer of security, or you might as well get rid of the second layer entirely.

@ Seth

> If the guard is there only to ensure that you use your real finger
> and not a gummy fingerprint, suborning him will let you use a
> gummy fingerprint hence breaking the system.

Also sort of my point. If you consider the guard's purpose as a simple audit control on the fingerprint scanner, you're not adding an actual layer of security, you're just making your existing layer (the scanner) more complex. You're most likely hiring a cheap guard. You've fooled yourself into thinking you have two layers of security, when you really only have one.

On the other hand, if you consider the guard to be the primary security layer and the fingerprint scanner to be the check, you hire and train good guards. You also assume that *if* the guard is suborned, the electronic/mechanical design of the scanner system *needs to take that into account*, or the scanner system is nearly worthless.

So you either buy a fingerprint scanner which has additional biometric functions (like the pulse/humidity functionality described), and is tamper evident with an engineered ability to fail closed, or you don't bother getting a scanner system and you pick something else. :)

paul • January 9, 2009 12:38 PM

I think there's an important typo in this sentence about unlocking cellphones and laptops:

"Because there is a trusted path from the fingerprint reader to the stored fingerprint the system uses to compare, an attacker can't inject a previously stored print as easily as he can cut and paste a signature."

Shouldn't that be "If there is a trusted path..."?

Fred P • January 9, 2009 12:45 PM

"Hand geometry is a hard biometric to copy, and the system was closed and didn't allow electronic forgeries. It worked very well."

I'm under-convinced that it's hard to copy (wouldn't a few pictures and anything appropriately moldable work?), but hopefully you've also taken into account the problems with changed hand geometry (due to injury, a cast, disease, ...).

TerryB • January 9, 2009 6:12 PM

Biometrics are not as simple as passwords: you cannot just hash them and still expect them to match. They are only approximately the same, and if 1 bit is different the hash will not match. There are new techniques coming out with various names like "revocable biometric tokens", "cancelable biometrics", and fuzzy extractors that address this. (Google can provide you more details.)

Lifting prints and acquiring biometrics is trickier and riskier, and probably less profitable, than hacking into a biometric DB with lots of records. I believe DBs are the real threat for biometrics. We don't know if any have been hacked, probably because no law requires disclosure if they are hacked; they are not considered personal/confidential information.

In terms of spoofing hand geometry, check out http://www.biometrics.org/bc2005/Presentations/...
where they show how to make cardboard cutouts.
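
TerryB's first point above, as an added worked example (this is not code from the original post, and it is not any product's or vendor's scheme): a plain hash of a template rejects a reading that differs in a single bit, while a fuzzy commitment (Juels and Wattenberg, 1999; the simplest relative of the fuzzy extractors TerryB mentions) stores only the hash of a random error-correcting codeword plus "helper data" equal to template XOR codeword, so any later reading within the code's error capacity recovers the same codeword and passes the same hash check. The error-correcting code here is a 5x repetition code and the 40-bit template is constructed from a fixed label, both chosen for readability; real schemes use far longer templates and BCH-style codes. All function names are my own.

```python
"""Toy fuzzy commitment for a noisy biometric template (added example)."""
import hashlib
import secrets

REP = 5                          # repetition factor: each codeword bit is repeated REP times
MSG_BITS = 8                     # random message length
TEMPLATE_BITS = MSG_BITS * REP   # 40-bit toy template (real templates are far longer)


def bits_to_bytes(bits):
    """Pack a list of 0/1 ints (MSB first) into bytes for hashing."""
    value = int("".join(str(b) for b in bits), 2)
    return value.to_bytes((len(bits) + 7) // 8, "big")


def digest(bits):
    return hashlib.sha256(bits_to_bytes(bits)).hexdigest()


def encode(msg):
    """Repetition code: expand each message bit into REP identical bits."""
    return [b for b in msg for _ in range(REP)]


def decode(codeword):
    """Majority vote per REP-bit block; corrects up to REP // 2 flips per block."""
    blocks = [codeword[i:i + REP] for i in range(0, len(codeword), REP)]
    return [1 if sum(block) > REP // 2 else 0 for block in blocks]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def flip(bits, positions):
    """Constructed noisy reading: flip the bits at the given positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def sample_template(label=b"constructed sample template"):
    """Constructed template: the first TEMPLATE_BITS bits of SHA-256(label)."""
    h = hashlib.sha256(label).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(TEMPLATE_BITS)]


# --- what TerryB says does not work: hash the raw template like a password ----

def plain_enroll(template):
    return digest(template)


def plain_verify(stored_hash, reading):
    return digest(reading) == stored_hash


# --- fuzzy commitment: bind a random codeword to the template instead --------

def fuzzy_enroll(template, rand=secrets.randbits):
    """Return (commitment, helper). The template itself is discarded; only the
    hash of a random codeword and helper = template XOR codeword are stored."""
    msg = [rand(1) & 1 for _ in range(MSG_BITS)]
    codeword = encode(msg)
    helper = xor(template, codeword)
    return digest(codeword), helper


def fuzzy_verify(commitment, helper, reading):
    """Unmask with the fresh reading: helper XOR reading = codeword XOR noise.
    Decoding removes the noise iff it is within the code's error capacity."""
    noisy_codeword = xor(helper, reading)
    recovered = encode(decode(noisy_codeword))
    return digest(recovered) == commitment


def demo():
    t = sample_template()
    stored = plain_enroll(t)
    commitment, helper = fuzzy_enroll(t)
    return {
        "plain_exact": plain_verify(stored, t),
        "plain_one_flip": plain_verify(stored, flip(t, [3])),        # 1 bit off -> reject
        "fuzzy_exact": fuzzy_verify(commitment, helper, t),
        # two flips in each of blocks 0, 1 and 7 are within capacity
        "fuzzy_two_per_block": fuzzy_verify(commitment, helper, flip(t, [0, 1, 5, 6, 38, 39])),
        # three flips inside block 2 exceed the capacity
        "fuzzy_three_in_block": fuzzy_verify(commitment, helper, flip(t, [10, 11, 12])),
        # a reading that differs in 3 of every 5 bits, i.e. not this template
        "fuzzy_far_reading": fuzzy_verify(
            commitment, helper, flip(t, [i for i in range(TEMPLATE_BITS) if i % REP < 3])),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

Two things to keep in mind when reading this. The database now holds the commitment and the helper data rather than the template, which is the point TerryB makes about databases being the real target: whoever steals it learns template XOR codeword, which is only as hard to invert as the template has entropy, and with this toy 8-bit message it would be trivial. The "cancelable" variants he names go one step further and apply a per-system, replaceable transform to the template before enrolment, so a leaked record can be revoked and re-enrolled instead of the biometric being burned for life.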

John Cairns • January 12, 2009 1:09 PM

Many biometrics are implemented in parallel with traditional authentication protocols. For example, a laptop with a password and fingerprint reader, or a security desk with a hand print reader that accepts photo ID if you forget your PIN.

Far from increasing security, these parallel implementations create twice as many opportunities to defeat the security. Moreover, backup channels such as asking the guy at the desk, tend to be far easier to compromise.

The chain is only as strong as its weakest link.

neill • January 12, 2009 11:46 PM

Watch Gattaca (1997, Uma Thurman, Ethan Hawke) - well done movie!
10 years back they realized the problems, even with DNA tests.

ladybug225 • November 3, 2009 6:24 AM

A lot of people say fingerprint readers don't fail well, even though a lot of people would say they work well! Fingerprint readers in particular are a lot more secure than a lot of technology on the market; however, with a finger vein reader there is no need to worry that someone could steal your biometric and impersonate you.

Frankly • January 28, 2010 11:50 AM

RE: "It's hard to affix a fake fingerprint..."

Not any more it isn't!

"Prints on tape trick biometric entry ID system"

Wednesday, Jan. 27, 2010

YOKOHAMA (Kyodo) -- Police have arrested two South Korean women on suspicion of illegally entering Japan by using tape bearing the fingerprints of other people to evade the biometric identification system.
http://search.japantimes.co.jp/cgi-bin/...

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..