Back to Top

Monday, March 26, 2007

Biometrics is not the answer!

Deb Shinder is the resident MVP at Sunbelt Software. One of her posts caught my eye and I felt the urge to post about it: Passwords: A Thing of the Past? In it she advocates to use biometrics as a replacement for passwords. Here are my (not so positive - as you may have guessed) thoughts on it:

  • The big problem (aside from false positives and false negatives) of biometrics is that they can't be changed. As soon as somebody gets your fingerprint, you really don't have any solution for it (you can't change your fingerprint).
  • She also fails to mention in the article that biometrics doesn't give you any additional security unless the endpoint security is assured. Otherwise said: nothing in biometrics prevents an attacker to use a replay attack (because it's not your fingerprint / retina scan which is sent through the network, it's a set of bits generated from them which can be capture - most conveniently at the endpoints - and replayed easily). Compare this with a well-implemented token system where the generated data is specific to the time and the sum transmitted (in case of a bank transaction for example), so capturing and replaying it would be useless.

In conclusion: biometrics is nothing more than a hyped version of the remember my password feature found in all the current browsers. It provides virtually no added protection over passwords and is purely a convenience enabler. (I must mention that there is one situation where it has added value over password: when protecting against the threat of someone watching you as you type your password)


  1. "I must mention that there is one situation where it has added value over password: when protecting against the threat of someone watching you as you type your password"

    unless of course the biometric is a fingerprint reader, because then you could just lift prints off the keypad/keyboard you were spying on...

  2. Anonymous2:20 PM

    This seems to be assuming that it is possible to fool biometrics systems with a mechanism which also passes liveness tests.

    Not to say biometrics are the be all and end all, but "lifting fingerprints" doesn't strike me as a reason to rule out biometrics. Iris scanning is a more useful mechanism anyway.

  3. Anonymous2:21 PM

    Ah, I also wanted to mention - "only a convenience enabler" - at the end of the day, software is about users and data, not about security. As a result, a convenience enabler can be a big deal in the business world.

  4. @anonymous: one interesting test was performed by the Mythbusters (on the Discovery Channel). They were able to fool many, many commercially available fingerprint readers with very simple techniques (like a xerox copy of the finger!)

  5. @anonymous
    iris scanning is not perfect either... i used to work in biometrics and when some folks from iridian came by one day to demo their iris scanning technology one of my colleagues got consistently identified as the previous person to be identified regardless of who that previous person was...

    frankly, having worked in biometrics, i now have very little faith in the security provided by biometrics... at best what it seems to offer is a way to make it somewhat harder to fraudulently pose as someone else - not impossible, mind you, just somewhat harder...

  6. @cdman83
    i remember a spot on mythbusters concerning fingerprint readers, although i only recall them having 2 fingerprint readers in the show i saw (they were trying to get past a variety of security systems like fingerprint readers and thermographic sensors)...

    of note, however, they managed to fool the 'liveliness test' (which was presumably one of those that looked for electrical conductivity) by licking the photocopied fingerprint....