While biometrics themselves are not "revocable", there are multiple technologies that allow creation of revocable tokens from them. Systems that use revocable biometric tokens (biotokens) can then have different representations in each database and when one is compromised it can be revoked and replace. They can have expiration dates and such much like a digital certificate.
(And revoking is similar.. the data still exists it is just no longer used). These are all 2 factor (you at least have to enter an identity to verify against, so they can look up the "transform" data), and have a number of advantages. While password are easy to change, they are also easier to steal/crack.
All the people doing revocable biometric tokens (there are many, ask google) work to ensure one cannot recover data that that matches with the original. Biometrics companies that say the template is sufficient since it is not invertible to the image are technically correct, but misleading. It does not have to be the original, just match with it. Never trust a company that says it, or better yet call them on it publicly.
Of course biometrics can be compromised in other ways and no single-factor "biometric" solution should be viewed as security-- that is a pure convenience thing. When combined with other factors, and done so that neither factor is stored separately, then revocable biometric tokens do add to security.
Full disclosure: I'm leading a startup company in this space (http://www.securics.com/ -- we are looking for some good biometrics and software developers (embedded Linux anyone?). You can complain about these things or try to help make them better them. Complainers need not apply.
While traditional biometrics cannot be change, there are multiple groups that have developed revocable biometric tokens, i.e. one-way or PK type tokens computed from biometrics that CAN be changed and like a digital certificate they can be revoked. Some versions are inherently multi-factor, so a revocable biometric-token + password can be pretty effective. They all break DB linkages. The best ones can be used to prove your you are you, but cannot be used to "search" a DB for you.
That being said, the article missed a very important point on privacy/security. Its not just about the ability to be identified, its about the ability for others to exploit such information, which IT systems make far easier. A DB that is "searchable" with keys that can be linked is a inherent privacy/security timebomb. Traditional biometrics, like the issues with the SSN, will probably make better in the short term and make them much worse in the long term. The article presents no real problem for which, even a DB with revocable biometric tokens, is a justified solution, even if it was a low cost solution, which it is not.
The results are no were near as "positive" as many in the industry would have liked to hear. E.g. the report says "biometrics" as the only factor are not a good choice and recommend a minimum of 4 digit pin in conjunction with a fingerprint. (So biometric-only login is discouraged..)
Don't know the details of their independence, but it was not an "company" study but from "the UK Government Information Assurance Authority". I was trying to provide a place where people could find data. I guess you did not bother to to even look.:-S
Well the fingerprint is not always in the same position, and actually deforms so even if aligned its not exactly the same each time. This is also why you cannot just encrypt the data (or do crypto hash like md5) and then match the encrypted or hashed data. All biometrics require approximate matching, so if encrypted they must be decrypted to match.
There have been some improvements that transform biometrics to improve privacy and security, but the biometrics companies have repeatedly told me they do not see a market demand for them.
My bad should have been Cancelable Biometrics (how IBM used it) or Cancellable Biometrics. E.g. see
url:http://researchweb.watson.ibm.com/ecvg/biom/ca ncel.html
Biometrics are even better if all the communications are encrypted (which some do). With effort they can be as good as very long very random passords. But the real rub is standard biometrics cannot be revoked if it is ever compromised or someone in the company sells the data (like ChoicePoint sold financial data). While many slash-dot postings focus on lifting latent prints, the bigger long term risk is probably hacking into databases and someone that has never even been in the same city as you starts using your prints.
Traditional biometrics are perment, so a database of them starts looking like a high-value
There are technologies that make then even better such as the revocable technologies being developed by http://www.securics.com/ or the distorted biometrics by IBM http://www.research.ibm.com/journal/sj/403/ratha.h tml)
allow your biometric to be different for each application and can cancel one if compromised.
Actually the are number of revocable or cancable biometrics-based technologoies being developed. Securics.com has one and IBM has had many recent press releases on their work. These at least protect against database hacks/insiders so that when (not if) a database is compromised. Also recent work at MSU has show real progress on a fuzzy vault that hides digital keys in a fingerprint.
Securics even has a version that mixes a pin/passcode with the cryptograpically transformed print, but neither is stored separately. This means it cannot be used to search for you.
I'm curious how many of those that responded would be willing to use biometric-base authentication if they could be assured the biometric was converted into what we are calling a Biotope, cryptographically secure token that was non-unique (so you can have different ones for different applications) and which you could revoke like a digital credential? We've developed one and many of the biometric vendors keep saying privacy is not a concern.. This thread shows otherwise.
If the source of the "approach" was open for review so that like PK, technologies could ensure its really secure. (Unlike the many posting here that believe the templates of existing biometrics are secure).
While most store templates, they are still something that can be compied and used to make a fake print. They are not a hash and are not something you can cancel once give. Even worse as someone already posted, FIPS201, the new government standard for biometric ID cards, and the new passorts/Visit use wavelet encoded images stored unencrypted. The governments goal is to maximize inter-operations which means make it well know and standard and easy to use (or abuse).
Sorry, but every commercially avaible biometric is reversable. They cannot match in encrypted space so even if they talk about encryption somehwere they must decryt and match. Even if they talk about "templates", they are reversable. True a template is not trivial to convert to an image, but there are infinately many images that match the given template so its quite possible to use the template to generate a spoof.
Slashdot Mirror
All the people doing revocable biometric tokens (there are many, ask google) work to ensure one cannot recover data that that matches with the original. Biometrics companies that say the template is sufficient since it is not invertible to the image are technically correct, but misleading. It does not have to be the original, just match with it. Never trust a company that says it, or better yet call them on it publicly.
Of course biometrics can be compromised in other ways and no single-factor "biometric" solution should be viewed as security-- that is a pure convenience thing. When combined with other factors, and done so that neither factor is stored separately, then revocable biometric tokens do add to security.
Full disclosure: I'm leading a startup company in this space (http://www.securics.com/ -- we are looking for some good biometrics and software developers (embedded Linux anyone?). You can complain about these things or try to help make them better them. Complainers need not apply.
While traditional biometrics cannot be change, there are multiple groups that have developed revocable biometric tokens, i.e. one-way or PK type tokens computed from biometrics that CAN be changed and like a digital certificate they can be revoked. Some versions are inherently multi-factor, so a revocable biometric-token + password can be pretty effective. They all break DB linkages. The best ones can be used to prove your you are you, but cannot be used to "search" a DB for you.
That being said, the article missed a very important point on privacy/security. Its not just about the ability to be identified, its about the ability for others to exploit such information, which IT systems make far easier. A DB that is "searchable" with keys that can be linked is a inherent privacy/security timebomb. Traditional biometrics, like the issues with the SSN, will probably make better in the short term and make them much worse in the long term.
The article presents no real problem for which, even a DB with revocable biometric tokens, is a justified solution, even if it was a low cost solution, which it is not.
Don't know the details of their independence, but it was not an "company" study but from "the UK Government Information Assurance Authority". I was trying to provide a place where people could find data. I guess you did not bother to to even look. :-S
Well the fingerprint is not always in the same position, and actually deforms so even if aligned its not exactly the same each time. This is also why you cannot just encrypt the data (or do crypto hash like md5) and then match the encrypted or hashed data. All biometrics require approximate matching, so if encrypted they must be decrypted to match.
There have been some improvements that transform biometrics to improve privacy and security, but the biometrics companies have repeatedly told me they do not see a market demand for them.
My bad should have been Cancelable Biometrics (how IBM used it) or Cancellable Biometrics. E.g. see url:http://researchweb.watson.ibm.com/ecvg/biom/ca ncel.html
Biometrics are even better if all the communications are encrypted (which some do). With effort they can be as good as very long very random passords. But the real rub is standard biometrics cannot be revoked if it is ever compromised or someone in the company sells the data (like ChoicePoint sold financial data). While many slash-dot postings focus on lifting latent prints, the bigger long term risk is probably hacking into databases and someone that has never even been in the same city as you starts using your prints. Traditional biometrics are perment, so a database of them starts looking like a high-value
There are technologies that make then even better such as the revocable technologies being developed by http://www.securics.com/ or the distorted biometrics by IBM http://www.research.ibm.com/journal/sj/403/ratha.h tml)
allow your biometric to be different for each application and can cancel one if compromised.
Actually the are number of revocable or cancable biometrics-based technologoies being developed. Securics.com has one and IBM has had many recent press releases on their work. These at least protect against database hacks/insiders so that when (not if) a database is compromised. Also recent work at MSU has show real progress on a fuzzy vault that hides digital keys in a fingerprint. Securics even has a version that mixes a pin/passcode with the cryptograpically transformed print, but neither is stored separately. This means it cannot be used to search for you.
I'm curious how many of those that responded would be willing to use biometric-base authentication if they could be assured the biometric was converted into what we are calling a Biotope, cryptographically secure token that was non-unique (so you can have different ones for different applications) and which you could revoke like a digital credential? We've developed one and many of the biometric vendors keep saying privacy is not a concern.. This thread shows otherwise. If the source of the "approach" was open for review so that like PK, technologies could ensure its really secure. (Unlike the many posting here that believe the templates of existing biometrics are secure).
While most store templates, they are still something that can be compied and used to make a fake print. They are not a hash and are not something you can cancel once give. Even worse as someone already posted, FIPS201, the new government standard for biometric ID cards, and the new passorts/Visit use wavelet encoded images stored unencrypted. The governments goal is to maximize inter-operations which means make it well know and standard and easy to use (or abuse).
Sorry, but every commercially avaible biometric is reversable. They cannot match in encrypted space so even if they talk about encryption somehwere they must decryt and match. Even if they talk about "templates", they are reversable. True a template is not trivial to convert to an image, but there are infinately many images that match the given template so its quite possible to use the template to generate a spoof.