Biometrics: Prepare to be Scanned
npistentis writes "From an article in the Economist: It has been a long time coming. But after years of false starts, security systems based on biometrics--human characteristics such as faces, hand shapes and fingerprints--are finally taking off. Proponents have long argued that because biometrics cannot be forgotten, like a password, or lost or stolen, like a key or an identity card, they are an ideal way to control access to computer networks, airport service-areas and bank vaults. But biometrics have not yet spread beyond such niche markets, for two main reasons. The first is the unease they can inspire among users. Many people would prefer not to have to submit their eyes for scanning in order to withdraw money from a cash dispenser. The second reason is cost: biometric systems are expensive compared with other security measures, such as passwords and personal identification numbers. So while biometrics may provide extra security, the costs currently outweigh the benefits in most cases."
I think you need to look into security principles. As you say, a lone password is easy to compromise, and so is a lone biometric. However, any truly secure system needs to use multiple forms of identification - preferably two or more of the following:
- something intrinsic (a biometric, DNA scan, etc.)
- something known (a password)
- something kept (a security card)
By having more than one step involved, the system is much more secure than any individual part. Someone steals your bankcard - but do they have your PIN? Or, someone sees your PIN - but do they have your card or account number? PINs are actually very simple and easy to break (theoretically), but are pains to break in reality because of the other required piece of the puzzle, the bankcard, and how false authentications lead to the removal of the card (most ATMs shred your card after a few false PINs are entered).
Similarly: just because someone steals your face, how will they get a hold of your new bankcard?
After that fact comes the fact that most biometrics are hard to fake - fingerprint scanners these days can be made smart enough to check the temperature of the item placed on them - and some are even smart enough to look for normal temperature differences and gradients within the skin surface, and refuse authentication to 'fingers' that are too regularly or irregularly warm. Some very high-end systems look for capillary blood flow... Most facial systems are smart enough to refuse a photo held up of your face, and carrying around a stiff 3D mask of someone's face is kind of obvious.
Also, practically every type of scanning device on the market has a different data format for the biometric data (which is all one-way: you can get the data from a fingerprint, but not the other way around), so spoofing the data becomes more restrictive - a spoof of, say, Visa's system wouldn't work against MasterCard's (unless they were using the same equipment).
Having said all that, I'd still like it to be PIN+card+face/fingerprint rather than card+biometric. Biometrics should be used to enhance security, not replace known or kept-item security methods.
man is machine
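The three-factor argument in the comment above (something kept, something known, something intrinsic, plus card retention after repeated PIN failures) can be shown as a small verifier. This is an added example, not code from the original post or from any bank or scanner vendor; the class and function names, the PBKDF2 PIN hashing, the bit-similarity "matcher" standing in for a real vendor-specific biometric format, the 3-failure retention policy and the 0.90 match threshold are all constructed assumptions for illustration.

```python
"""Three-factor check (kept card + known PIN + intrinsic biometric) with
card retention after repeated PIN failures. Constructed example; names and
policy values are assumptions, not any vendor's or bank's real system."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_PIN_FAILURES = 3        # assumed policy: retain the card after 3 wrong PINs
BIOMETRIC_THRESHOLD = 0.90  # assumed policy: minimum fraction of matching template bits


def hash_pin(pin: str, salt: bytes) -> bytes:
    """The PIN is never stored in clear: salted PBKDF2 so a database leak does not reveal it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def biometric_score(template: bytes, sample: bytes) -> float:
    """Toy matcher: fraction of identical bits between the enrolled template and a live sample.
    Real matchers and template formats are vendor-specific, as the comment notes; the stored
    template is one-way in the sense that the original finger/face is not recoverable from it."""
    if len(template) != len(sample):
        return 0.0
    total_bits = len(template) * 8
    differing = sum(bin(a ^ b).count("1") for a, b in zip(template, sample))
    return (total_bits - differing) / total_bits


@dataclass
class CardRecord:
    pin_salt: bytes
    pin_hash: bytes
    template: bytes
    pin_failures: int = 0
    retained: bool = False


class ThreeFactorAuthenticator:
    """Hypothetical ATM-style verifier: card (kept), PIN (known), biometric (intrinsic)."""

    def __init__(self) -> None:
        self.cards: dict[str, CardRecord] = {}

    def enroll(self, card_id: str, pin: str, template: bytes) -> None:
        salt = os.urandom(16)
        self.cards[card_id] = CardRecord(salt, hash_pin(pin, salt), template)

    def authenticate(self, card_id: str, pin: str, sample: bytes) -> str:
        rec = self.cards.get(card_id)
        if rec is None:
            return "unknown_card"            # nothing kept: a seen PIN or copied face alone gets nowhere
        if rec.retained:
            return "card_retained"
        if not hmac.compare_digest(hash_pin(pin, rec.pin_salt), rec.pin_hash):
            rec.pin_failures += 1
            if rec.pin_failures >= MAX_PIN_FAILURES:
                rec.retained = True          # the ATM "shreds the card"
                return "card_retained"
            return "bad_pin"
        if biometric_score(rec.template, sample) < BIOMETRIC_THRESHOLD:
            return "biometric_mismatch"      # right card and PIN, wrong person
        rec.pin_failures = 0                 # a successful login clears the failure counter
        return "ok"


def demo() -> list[str]:
    """Constructed scenarios from the comment: observed PIN, copied face, stolen card."""
    auth = ThreeFactorAuthenticator()
    enrolled = bytes([0b10110010, 0b01101101, 0b11110000, 0b00001111] * 4)  # constructed 128-bit template
    auth.enroll("card-1234", "4812", enrolled)
    live = bytearray(enrolled)
    live[0] ^= 0b00000001                       # one flipped bit: a live scan is never bit-exact
    live = bytes(live)
    stranger = bytes(b ^ 0xFF for b in enrolled)  # an unrelated person's sample

    results = [
        auth.authenticate("card-1234", "4812", live),      # all three factors present
        auth.authenticate("card-9999", "4812", live),      # PIN and face known, card absent
        auth.authenticate("card-1234", "4812", stranger),  # card and PIN, wrong person
    ]
    for _ in range(MAX_PIN_FAILURES):                      # card stolen, PIN guessed
        results.append(auth.authenticate("card-1234", "0000", live))
    results.append(auth.authenticate("card-1234", "4812", live))  # real owner after retention
    return results


if __name__ == "__main__":
    print(demo())
```

Each branch returns a distinct result so the reader can see which factor stopped the attempt; the retention counter is per card and only reset by a full success, which is the mechanism that makes a theoretically weak four-digit PIN hard to brute-force in practice.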