feeding my own misguided insanity

Biometric Hype: A Risky Proposition for Fingerprint and Iris Scanners

August 3, 2016 Shem Radzikowski No Comments

These days biometric sensors are part of just about every portable device.  Fingerprint scanners are commonplace on laptops, phones and tablets.  And with low cost iris scanners gaining popularity, we are likely to see more biometric tech in consumer-grade equipment.  But for all their convenience, they aren’t as safe and robust as you’re being led to believe.

Sure, passwords are cumbersome and annoying Remembering complex ones isn’t everybody’s idea of a good user experience.  Passwords have gotten a lot of bad press but they are still one of the strongest and most economical forms of protection we have when used appropriately.

Prolific Centralization of Biometric Data

I guess it depends on where you’re travelling, but a vast majority of my overseas trips, particularly in Africa and the Middle East, have required me to scan my fingerprints at immigration.  This means that the country into which I’ve entered has now a record of my biometric data stored on their systems.  It’s something we’ve grown accustomed to but until recently this type of treatment was reserved only for criminals.

If you’re the owner of an e-ID or e-Passport, chances are that the embedded chip contains your biometric modalities, such as fingerprint, photo or iris.  Similarly, if you’ve ever been tagged in a photo on social media, it is more than likely that your facial biometric data is known in the public domain — think Facebook or LinkedIn.

If your password gets compromised, you can always change it. How do you change your iris or fingerprint? #insecure

The Samsung Galaxy Note 7 for example, with its integrated iris scanner, shoots out a beam of infrared light to detect and authenticate the iris. “Samsung says it’s impossible for the sensor to be fooled by high-resolution images of your iris” because the infrared signature would be different.[1] Whether it’s impossible to circumvent or not remains to be seen — no pun intended — time will tell.

Compromized Biometric Data

Now ask yourself, if some organization has access to all of your biometric data, be it Facebook or a Government, how safe is your data? And how confident are you that your biometric data isn’t shared between various parties? While biometric authentication is convenient and quick, it does create a massive security risk for anyone who relies on it as their only means of authentication.

Within PKI, we have the ability to revoke compromized certificates.  Similarly, when a password is lost or stolen, all that’s required to reestablish security is a password reset.  In both these instances the process is relatively simple and well understood.

The question we should be asking is: how does a person revoke or reset their biometric data? At present, this is not possible.  You only have two eyes, ten fingers and one face.  Short of plastic surgery, once compromized, there is no way to reset any of your bio-features.

Conclusion

I’m not a big fan of mass biometric data collection, and the trend is worrying me. Private biometric usage on a private device is perfectly acceptable when paired with secondary authentication method, such as a boot/encryption pin or password.  However, entrusting your biometric data to a commercial entity is just silly.  You’re unlikely to ever know whether (and with whom) your biometric data is being shared.

Furthermore, the fact that your e-ID or e-Passport contains some biometric data, it is fair to say the government (and social media) has access to it too.  Assume that all of your biometric data is already known.  Remember, fingerprints and iris scans can always be taken without your permission or under duress.[2] Good luck trying to pry a password out of my brain.

Footnotes
  1. In addition to its Knox mobile enterprise security software and the fingerprint sensor embedded into the home button, the Note 7 has the world’s first iris scanning sensor. ^
  2. Because the constitutional protection of the Fifth Amendment, which guarantees that “no person shall be compelled in any criminal case to be a witness against himself,” may not apply when it comes to biometric-based fingerprints (things that reflect who we are) as opposed to memory-based passwords and PINs (things we need to know and remember). ^

References

1.
Apple’s Fingerprint ID May Mean You Can’t “Take the Fifth” | Wired Opinion | Wired.com [Internet]. [cited 2013 Sep 15]. Available from: http://www.wired.com/opinion/2013/09/the-unexpected-result-of-fingerprint-authentication-that-you-cant-take-the-fifth/#!
2.
Biometric identification, biometric authentication — Gemalto [Internet]. [cited 2016 Aug 3]. Available from: http://www.gemalto.com/govt/inspired/biometrics
3.
Biometric National Identification Card (eID) Solution for Government [Internet]. M2SYS Technology. [cited 2016 Aug 3]. Available from: http://m2sys.co.uk/biometric-national-identification-card-eid-solution/
4.
Crypto-Gram: August 15, 1998 [Internet]. [cited 2013 Sep 15]. Available from: https://www.schneier.com/crypto-gram-9808.html#biometrics
5.
National ID cards in 2016 [Internet]. [cited 2016 Aug 3]. Available from: http://www.gemalto.com/govt/identity/2016-national-id-card-trends
6.
National ID: eID card and digital ID — Government – Gemalto [Internet]. [cited 2016 Aug 3]. Available from: http://www.gemalto.com/govt/identity
7.
Wong R. Samsung Galaxy Note 7 is classy, powerful and super secure [Internet]. Mashable. [cited 2016 Aug 3]. Available from: http://mashable.com/2016/08/02/samsung-galaxy-note-7-hands-on/
8.
Sealys Security features – Government Program – Gemalto [Internet]. [cited 2016 Aug 3]. Available from: http://www.gemalto.com/govt/security-features

, , , , Security

Leave a Reply