Saturday, December 06, 2003, 9:03 AM

The Problems with Biometrics

The use of biometrics for digital security has multiple problems:

The Technology Problem
The Social Acceptability Problem
The Clonability Problem
The Life and Limb Problem* (added May 2005)

The technology problem is that today's biometric technologies are not yet cost-effective enough for everyday use if you want anywhere close to six-sigma performance at a reasonable price.

The social acceptability problem includes sense of privacy of the public. People, in general, do not want parts of their body duplicated in databases.

The first two problems could potentially be overcome. However, the clonability problem is the one problem which I believe is insurmountable. Biometrics will not work for cyber access to digital systems because biometrics cannot be changed and cannot be kept secret. Biometrics are clonable...

The Clonability Problem

Assertion: Biometrics are like very long passwords that you cannot change.

Question: Do you ever build a security system with the assumption that it is never compromised?

For authentication purposes, the "that you cannot change" characteristic of biometrics is a big problem because if the credentials of any one user is ever compromised, the biometric being measured has to be changed! ... So every once in a while, you'll have to replace fingerprint readers with iris scanners, with DNA testers, etc. Pretty soon, you'll run out of body parts to measure.

Regardless of how hard it is to do so, what do you do if your fingerprint or retina scan is ever compromised?

Furthermore, what if the central repository of biometrics is (ever) compromised? All employees with biometrics in that repository can never (ever) use that biometric any more in the future, any where. This is a serious flaw!

The question you need to answer is should you ever build a security system based on an assumption that it will never be compromised. The answer is clearly "No!".

It is interesting to note that although we are pretty unique physical individuals, if you digitize parts of us, it is possible to reproduce our digital selves like rabbits, only faster.

Biometrics are not Physicalized Credentials

a. Security requires secrets.
b. The best secrets are secrets that are never shared.
c. How secret is a biometric reading?

Because biometrics are not credentials that are strongly physicalized (counter-intuitive, but true), they are prone to all the risks of an unphysicalized authentication system; including: exposure to the entire Internet, automated attacks, compromised servers, etc.

Resources:
'Jello' threat sets security a-wobble (http://news.zdnet.com/2100-1009_22-916135.html)
Why Biometrics Is No Magic Bullet (http://www.businessweek.com/print/technology/content/jul2003/tc20030722_2846_tc125.htm?tc&sub=03privacy)

Update (May 23, 2005):
* A further (very important) problem with biometrics became clear to me with a report by Jonathan Kent, Malaysia car thieves steal finger, on the BBC News. I call this the life and limb problem. The problem with some (not all) biometric metrics is that it is measuring some aspect of a body part that is not painlessly detachable from the rest of the body. When identity theft is to be commited on systems with biometric locks, physical violence is a very real and possibly easiest option for the criminals. Related: The Life and Link Problem.