Security Review: Biometrics

By mstie74 at 3:19 pm on January 11, 2008

Summary

Biometrics is an authentication mechanism that identifies or verifies a person based on unique physiological characteristics. Biometric devices employ fingerprint recognition, hand geometry, retina scanning, and other methods to identify or verify a person against stored biometric information. Biometric devices are becoming more prevalent and are now standard on many laptops and computers.

Assets and Security Goals

  • Provide a convenient and secure method for authentication, identification, and verification. Users who rely on biometrics as their sole authentication mechanism would not have to remember passwords or carry smartcards.
  • Provide secure storage of biometrics. Adversaries must not be able to obtain stored biometric information.

Potential Adversaries

  • Any person, entity, corporation, group, or agency not authorized for access to the protected system who would want to obtain access for malicious or non-malicious purposes.
  • Anyone interested in obtaining biometric information stored for identification purposes for malicious or non-malicious purposes.

Potential Weaknesses

  • Spoofing and mimicry attacks – An artificial finger made of commercially available silicone or gelatin may deceive a fingerprint biometric sensor.
  • Off-limit power fluctuation or flooding – Flooding a biometric sensor with noise data (e.g. flashing light on an optical sensor, changing the humidity of a fingerprint sensor, or spraying materials on a sensor’s surface) may cause biometric devices to fail.
  • Residual biometric data – The residual biometric characteristic of a previous user on the sensor may be sufficient to allow access to an adversary.
  • Back-end systems – The systems used to store and control biometrics and biometric devices may themselves be subject to attack.

Potential Defenses

  • Using biometrics as a complementary form of authentication, rather than the only one, may increase security and reduce the impact of the potential weaknesses listed above.
  • Obtaining consent of use from users, on the part of companies employing biometrics, may limit legal concerns around compromised stored biometric information.
  • Auditing and logging should be employed to ensure proper use, maintenance, and control of biometric devices and systems.

Risks

The security risk involved in using biometrics depends on the information or valuables that the biometric system protects. Serious privacy issues may arise from stolen biometric information: unlike passwords or keycards, biometric information cannot be changed, so once it is compromised it remains compromised for the life of the user.

Conclusion

Biometrics can be a valuable security addition as a complementary form of authentication. By requiring both a password and a biometric identifier, the authentication mechanism becomes two-fold instead of single-layered. Biometrics should not be used unless the storage of the biometric data can be secured and monitored effectively.
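The two-fold check described above, combined with the auditing from Potential Defenses, as an added example that is not part of the original post. The bit-string templates, the 0.25 match threshold, the in-memory store and all function names are assumptions made for illustration; a real deployment would also protect the stored template, which cannot be hashed like a password because every capture differs slightly.

```python
import hashlib, hmac, os, time

MATCH_THRESHOLD = 0.25   # assumed: max fraction of differing bits for a match
USERS = {}               # user -> (salt, password_hash, enrolled_template)
AUDIT_LOG = []           # one record per authentication decision

# Constructed sample data: an enrolled template, a fresh capture of the same
# finger with two bits of sensor noise, and an unrelated capture.
TEMPLATE = bytes.fromhex("a35f10c47be2098d")
NOISY = bytes.fromhex("a25f11c47be2098d")
OTHER = bytes.fromhex("5ca0ef3b841df672")

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def bit_distance(a, b):
    """Fraction of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

def enroll(user, password, template):
    salt = os.urandom(16)
    USERS[user] = (salt, pw_hash(password, salt), template)

def authenticate(user, password, sample):
    """Grant access only when BOTH factors pass; log every decision."""
    record = USERS.get(user)
    if record is None:
        pw_ok = bio_ok = False
    else:
        salt, stored_hash, template = record
        # Both factors are always evaluated so the log records each result.
        pw_ok = hmac.compare_digest(pw_hash(password, salt), stored_hash)
        bio_ok = (len(sample) == len(template)
                  and bit_distance(sample, template) <= MATCH_THRESHOLD)
    granted = pw_ok and bio_ok
    AUDIT_LOG.append({"time": time.time(), "user": user,
                      "password_ok": pw_ok, "biometric_ok": bio_ok,
                      "granted": granted})
    return granted

def biometric_only_failures(log):
    """Denied attempts where the biometric matched but the password did not:
    the trace a spoofed or residual print would leave in the audit log."""
    return [e for e in log if e["biometric_ok"] and not e["password_ok"]]

if __name__ == "__main__":
    enroll("alice", "correct horse", TEMPLATE)
    print(authenticate("alice", "correct horse", NOISY))  # both factors pass
    print(authenticate("alice", "guess", NOISY))          # biometric alone
    print(biometric_only_failures(AUDIT_LOG))
```

Reviewing `biometric_only_failures` output is where the logging pays off: a matching biometric presented without the password is exactly the case a single-factor deployment would have let through.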

Filed under: Physical Security, Privacy, Security Reviews

2 Comments

  • 1
    Comment by sky

    January 13, 2008 @ 11:06 pm

    I know this is kinda obscure, but what about physically disabled people who are physically unable to use certain biometrics? Someone without control of their hands would need help lifting their fingers to the fingerprint scanner, but it could be even worse than that. Someone might be missing all their fingers/hands/arms and thus not have any fingerprints to scan. Or in the case of something that scans retinas, someone might have lost both eyes in an accident. Terrorists could even cut off part of someone’s body to prevent them from using a certain biometric system. What kind of legal ramifications would we run into if a disabled person that needed to access something could not because of the biometric process that was currently set up? Would the law require the company/government agency to revamp their biometric system to accommodate the disabled? Would they be assigned a physically healthy buddy that is their security clearance? Would any new security vulnerabilities be created by the workaround created? Admittedly, this problem is many years away, and even then, still so rare we might never hear about it.

  • 2
    Comment by Mike McDonnel

    January 29, 2008 @ 5:06 pm

    I am usually a few years behind the times when it comes to me and technology. However, I got tired of my kids losing the key that I gave them to our house so I bought a keypad. Then, the first thing that they did was tell every kid in the neighborhood the password. I had kids coming in to my garage throughout the day to get popsicles out of our garage freezer. I decided to spring for a biometric LiftMaster keypad. It’s served me well and makes me feel at least a little ahead of the times. It is interesting how my opinions on privacy shift when the proverbial shoe is on the other foot.