Government, finance and commercial sectors in different countries around the world are steamrolling ahead to implement and require biometric authentication for a wide range of services. For example, right here in Canada our Federal Government recently mandated the requirement that citizens of countries that are between the ages of 14 and 79 must provide their fingerprints and photo if they want to apply for a Canadian visitor visa, a work or study permit, permanent residence in Canada, or even asylum. The exceptions are for those who are coming from visa-exempt countries or who are just coming to visit Canada as tourists. Immigration, Refugees and Citizenship Canada (IRCC) says of course that they handle all biometric data with the highest level of privacy and security, but they also make clear that they may disclose any biometric data to the other “Five Eyes” countries, namely the United States, the United Kingdom, Australia, and New Zealand.
Now, what could go wrong with that?
Well, for example, the Australian National Audit Office (ANAO) recently issued a report into how well the Australian Criminal Intelligence Commission (ACIC) had been handling the administration of a Biometric Identification Services (BIS) project ACIC awarded to NEC Australia two years ago, and the resulting grade given was deficient in “almost every significant respect” due to reasons such as “poor risk management” and “non-adherence to a detailed implementation plan.” As a result of this ACIC terminated the contract they had entered into with NEC Australia for the BIS project, which was originally planned to replace Australia’s existing National Automated Fingerprint Identification System (NAFIS) system and add facial recognition capabilities to the system.
Feeling a bit worried yet?
Security researchers everywhere have raised doubts about how secure biometric authentication methods can be in the real world. For example, an article in The Hacker News a few years back demonstrated that iris scanners can be fooled if you have a suitable photo showing the person’s eyes. And researchers from New York University and Michigan State University demonstrated that by creating a database of base partial fingerprint patterns a hacker can frequently fool cellphone fingerprint readers. So maybe biometric authentication isn’t as terrific an idea as it’s often touted as being by numerous industry, commerce, and governmental entities around the world.
And many of my IT pro colleagues agree with this assessment.
Erik, who works in Seattle, says that while he doesn’t consider himself an expert on biometrics, he does hold graduate degrees in computer science, engineering, and business, and as far as he’s concerned, “it boils down to this simple fact: biometric datasets are not changeable like an ID/PW pair. They are forever — until the plastic surgeons develop methods. Re-codable? Yes. Encryptable? God, I hope so! Hashable? Yes. But unlike passwords and even other multifactor techniques, they are not resettable. So once in the open, there is an intractable violation of personal data. Where does this leave us for the future?”
And don’t forget the legal angle
Another colleague, named Lance, who holds both CISSP and PCIP certifications, thinks our main concern should be with the legal side of things. “Hacking biometrics has been around since the advent of the solutions,” says Lance, “and as with all authentication, hacks with varying degrees of complexity and rates of success have been spawned. My biggest concern with biometric authentication is a legal problem, not a technical one. If you use biometric technology to lock or unlock something, U.S. law enforcement can legally force you to present your credential because it is something you are [as opposed to something you know]. They cannot force you to divulge a password/passcode/passphrase because it is protected by the Fourth and Fifth Amendments. For this reason alone, something you know should be a foundational part of authenticating yourself to any system capable of accessing high worth assets without regard for what those assets might be.”
Lance adds that he once attended a card issuer convention where security expert Bruce Schneier was speaking. Lance said Bruce had “drawn the ire of many vendors at this conference by stating their card systems don’t solve the authentication problem. Moreover, Bruce said authentication is the most challenging subject in all of security.” That’s because “impersonation is as old as humanity, and despite the best efforts of bright minds over millions of years, it remains the most difficult security problem to address. How do I know you are who you claim to be? Even if we could test DNA directly in real time, someone would find a way to cause Type 1 and Type 2 errors in the system or create a sample-in-the-middle attack.” In conclusion, Lance says you can always “build a system of rules” but “those who do not wish to follow them will immediately focus on finding a way to subvert them. It is truly fundamentally human.”
With biometric authentication, death is so final
David, who had been hospitalized with pulmonary embolus, says his “close call with the Grim Reaper made my manager at work ask the question: What if something happens to you? As the lone IT guy,” says David, “I have a password-protected Word document containing passwords for each website or application I access. But what if they could not get into my computer? Biometrics, especially voice recognition, would paralyze the organization due to lack of access to the stuff I find important. So not a great idea.”
David also noted that his health insurer is “going the same way with biometric voice recognition” and he asks, “How would my survivors access my records? As it stands now, as long as they can get into my email account or some web browser, they can access my information via my Norton Vault account, which fills in my account information and in you go. I understand the need to secure your devices, network, data, and so on, but there has to be a workaround for some of this stuff.” He then ironically adds that he has “discovered that even within the same health organization, with massive amounts of information generated among many different health-care providers, when I go to a different office my insurance card is requested — even if it has been scanned into the system three times in 14 days! And I’m asked all kinds of questions that should be obvious to the person looking at the computer screen. What happened to the portability promised when we went to electronic records for patients? They appear to be so secure as to be unusable!”
What do readers of our site think about biometric authentication? Is it the answer to your organization’s security needs, or does it open a Pandora’s box as far as your privacy is concerned? Share your thoughts with us below using the commenting feature for this article.