In authentication, biometrics constitute the category that is seen as both the strongest and least accepted form of access control. However, due to the way biometrics are implemented, they are commonly degraded to fancy passwords. Even worse, by nature, one cannot revoke these passwords, which makes stolen keys even more problematic.

The most well-known forms of biometric authentication probably are fingerprint recognition and iris scanning. Besides those two, there are many other forms, such as hand geometry and face recognition. All these methods have in common that a physical attribute of a person is scanned and compared to the known features in order to authenticate this person.

So, What Happens in the Scanner?
Now, imagine you put your finger on a fingerprint scanner. The machine will create an image of your finger and process this to collect the distinguishing features – e.g. the intersections of the lines in your fingerprint. At this point, to authenticate you successfully, the system has to compare the scanned results with known samples in order to decide if the presented finger is indeed yours.

Due to the need to compare the scanned biometric features to known samples, the fingerprint becomes a – very strong – password that has to be verified. Of course, in practice, checking a password is much easier than a biometric token, but it remains a comparison. For this reason, after the scanner, biometrics become mere passwords.

A major problem with getting a biometric token stolen is the fact that they are irrevocable. Simply put, one cannot get a new iris or a new hand. For this reason, biometric systems that are not designed in a sufficiently secure manner pose a severe risk.

Securing the Communication Between Scanning and Checking
An important issue in designing biometric authentication systems is the communication between the scanner and the verification of the scanned sample. If this is done in an insecure manner, the scanner may be bypassed, which effectively makes the system a password-based authentication mechanism. Especially in systems where the verification happens remotely, while the scanning happens locally, this is a major issue.

To give an example, imagine one wants to use biometrics to authenticate a person on a remote computer. This computer may scan the biometric features and send them over, enabling us to verify them. However, in this example, the physical features become a password, as we are merely checking a sequence of bytes we received against known samples; whoever can produce those bytes can authenticate, whether or not a finger was ever scanned. Therefore, we need to ensure these features are collected using a biometric scanner – e.g. by using a trusted device issued by us and encrypted, authenticated communication with it.
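The two points above (matching on extracted feature points, and making sure the points actually came from a trusted scanner rather than from anyone who can send bytes) can be shown together in a small verifier. The following is an added example written for this page, not code from the original post: the minutiae matcher is a toy, the point coordinates and the device key are constructed, and the trusted scanner is assumed to hold a shared secret key (in a real deployment this would be provisioned into the scanner hardware and the channel would additionally be encrypted). The verifier issues a fresh nonce per attempt, requires a MAC from the scanner over the nonce and the feature points, and only then compares the points to the enrolled template; a replayed or unsigned sample is rejected before any matching takes place.

```python
import hashlib
import hmac
import json
import math
import os

# Constructed example key; a real scanner would have its own provisioned key.
DEVICE_KEY = b"example-scanner-key-not-for-production"


def canonical(nonce, points):
    """Deterministic byte encoding of (nonce, points) so both sides MAC the same data."""
    return json.dumps({"nonce": nonce, "points": points},
                      sort_keys=True, separators=(",", ":")).encode()


def scanner_sign(device_key, nonce, points):
    """What the trusted scanner sends: extracted feature points bound to the verifier's nonce."""
    mac = hmac.new(device_key, canonical(nonce, points), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "points": points, "mac": mac}


def match_minutiae(candidate, enrolled, tolerance=3.0, min_matches=4):
    """Toy matcher: a point matches if an unused candidate point lies within `tolerance`.

    Real matchers also handle rotation, translation and partial prints; this only
    illustrates that verification is a tolerant comparison, not an exact lookup.
    """
    matched = 0
    used = set()
    for ex, ey in enrolled:
        for i, (cx, cy) in enumerate(candidate):
            if i in used:
                continue
            if math.hypot(ex - cx, ey - cy) <= tolerance:
                matched += 1
                used.add(i)
                break
    return matched >= min_matches


class Verifier:
    """Remote verifier: accepts a sample only if it is fresh and signed by the trusted scanner."""

    def __init__(self, device_key, enrolled):
        self.device_key = device_key
        self.enrolled = enrolled      # user -> enrolled feature points
        self.pending = {}             # outstanding nonce -> user

    def challenge(self, user):
        """Start an attempt: hand the scanner a one-time nonce to bind into its MAC."""
        nonce = os.urandom(16).hex()
        self.pending[nonce] = user
        return nonce

    def verify(self, message):
        # 1. Freshness: the nonce must be one we issued and not yet consumed.
        user = self.pending.pop(message.get("nonce"), None)
        if user is None:
            return False  # unknown or reused nonce: replay, or scanner bypassed
        # 2. Origin: the MAC proves the points were produced by a device holding the key.
        expected = hmac.new(self.device_key,
                            canonical(message["nonce"], message["points"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message.get("mac", "")):
            return False  # bytes did not come from the trusted scanner
        # 3. Only now does the biometric comparison happen.
        return match_minutiae(message["points"], self.enrolled[user])


# Constructed sample data: an enrolled template and a slightly jittered live scan.
ENROLLED = {"alice": [[10, 10], [30, 12], [52, 40], [20, 60], [45, 75]]}
LIVE_SCAN = [[11, 9], [29, 13], [53, 41], [21, 58], [44, 76]]
OTHER_SCAN = [[80, 80], [90, 5], [5, 90], [60, 60], [70, 20]]


def demo():
    """Run the protocol once and return the outcome of each scenario."""
    v = Verifier(DEVICE_KEY, ENROLLED)

    nonce = v.challenge("alice")
    genuine = scanner_sign(DEVICE_KEY, nonce, LIVE_SCAN)
    ok_genuine = v.verify(genuine)          # fresh, signed, matching -> True
    ok_replay = v.verify(genuine)           # same bytes again -> nonce consumed -> False

    nonce = v.challenge("alice")
    unsigned = {"nonce": nonce, "points": LIVE_SCAN, "mac": "00" * 32}
    ok_unsigned = v.verify(unsigned)        # right points, no trusted scanner -> False

    nonce = v.challenge("alice")
    wrong = scanner_sign(DEVICE_KEY, nonce, OTHER_SCAN)
    ok_wrong_finger = v.verify(wrong)       # trusted scanner, wrong person -> False

    return {"genuine": ok_genuine, "replay": ok_replay,
            "unsigned": ok_unsigned, "wrong_finger": ok_wrong_finger}


if __name__ == "__main__":
    print(demo())
```

The ordering inside `verify` is the point of the example: freshness and origin are checked before the template comparison, so a captured sample cannot simply be re-sent, and the verifier never treats raw feature bytes as proof that a finger was present. Without the nonce and MAC, the third scenario would succeed and the system would be exactly the "fancy password" the post describes.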

Do Not Get Fooled: Biometrics are Not as Superior as Thought
To summarise, it is important to remind ourselves that biometric authentication systems are not as fantastic as they are commonly thought to be. Especially in networked implementations, fingerprint recognition systems easily become fancy passwords, albeit very strong passwords. Therefore, a well-designed implementation is mandatory and a good amount of scepticism is recommended.

3 Responses to Biometrics: Just Fancy Passwords

  1. John Trader says:

    It’s great that you are writing about this topic, using biometrics for identification is definitely something that people should become more aware of.

    I do have to comment that although iris recognition is becoming more prevalent, I would not classify it as one of the most “well known” of all biometric modalities. Also, it should be pointed out that almost all biometric matching algorithms do not produce an image at all – instead what is produced is a series of data points plotted to help create a unique identification template for each individual enrolled in a system. It is extremely unlikely (but possible) for a hacker/criminal to reverse engineer a biometric template and create an image, but once they have, what will they do with it? All biometric systems are proprietary in nature meaning that one template stolen does not mean it will automatically work in another capacity.

    Although it’s important to educate about a topic, it’s also important to tell the complete story and get the facts straight.

    Thanks again for covering this topic.

    • Dear Mr. Trader,

      I am very grateful to receive some comments from the industry.

      If I may ask, which biometric modalities do you most often come across in the field? In my personal experience, the majority of the applications concerns fingerprints.

      It is indeed true that systems commonly match on extracted data points. I actually once worked on a toy example that matches on the points where the lines in a fingerprint intersect. Knowing this, a fingerprint authentication system that matches completely different features and, thus, stores different data points, is nothing like this system.

      Nevertheless, if two systems use the same data points, one could use a sample of the first system on the second system. Of course, this would probably require educating oneself on the internals of both systems and converting the data format. Following the principle of Shannon, i.e. the attacker knows the system, this is a viable attack, although it is one that requires determination – then again, one would not put biometric authentication on uninteresting assets.

  2. Biometrics is cool. I love its existence and the advantages and benefits it brings. Thanks to modern technology!
