At first glance, biometrics sounds like the ideal authentication solution, says Ron Segal, business development manager of Baycorp ID Services.
The problem is that in practice your body characteristics cannot be presented directly; rather, it is the data generated by a biometric sensor that represents your identity, and this data can be stolen.
If passwords are stolen you can easily revoke and replace them; if your biometric data is stolen the situation is not so easily dealt with.
Consequently, Segal says, a person’s biometric data must always be kept secret. This means that if it is sent across a network or is stored anywhere the data must be encrypted. The data storage centre must also be secure.
“When you provide your biometric data to an organisation it could be compromised if the organisation that you provided it to did not protect it adequately,” he says. This is potentially a far worse situation than providing your credit card number, which at least can be revoked, he says. “There is no obvious way to revoke biometric data. Also a person has a limited number of biometric features that he can afford to become compromised,” he warns, such as 10 fingers and two eyes.
Segal says biometrics is most likely to be used for authentication in corporate LANs, of which very few feature strong security. Individuals might want to think twice before trusting their biometric reference data to a company LAN, particularly as the majority of security breaches are known to occur internally.
A relatively secure use of an individual’s biometric data is where the reference data is incorporated into a secure cryptographic authentication token (such as a smartcard or a hardware device that plugs into a USB port), which itself features an integrated or closely coupled biometric sensor. The sensor data is compared with your biometric reference data and, if there is a match, the token is activated. This removes the requirement to store biometric reference data anywhere other than in the token. The biometric sensor is used to activate the device in place of a PIN or password, he says.
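The match-on-token design described above can be shown in a small simulation. The following Python code is an added illustration, not code from the article or from Baycorp ID Services or RSA Security, and it makes several labelled simplifications: the biometric template is a constructed 128-bit feature vector, "matching" is a Hamming-distance comparison against a constructed threshold (real matchers use vendor-specific similarity scores), and the token authenticates to the relying party with an HMAC challenge-response over a shared key. The point it demonstrates is the data-flow property Segal describes: the template and the key never leave the token, the server holds only a revocable key, and the only thing that crosses the network is a one-time MAC over a fresh challenge.

```python
"""Simulated match-on-token biometric authentication (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed tuning values: real devices use vendor-specific matchers and policies.
MATCH_THRESHOLD_BITS = 6      # maximum differing bits tolerated between sample and template
MAX_FAILED_ATTEMPTS = 5       # lock the token after this many consecutive non-matches


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length feature vectors."""
    if len(a) != len(b):
        raise ValueError("feature vectors must be the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class BiometricToken:
    """Model of the hardware token: holds the reference template and a secret key.

    Neither value is ever returned by any method. The only output is a MAC over
    a challenge, and only after the on-token comparison succeeds.
    """

    def __init__(self, template: bytes, key: bytes) -> None:
        self._template = template
        self._key = key
        self._failed = 0
        self._locked = False

    @property
    def is_locked(self) -> bool:
        return self._locked

    def respond(self, sample: bytes, challenge: bytes) -> Optional[bytes]:
        """Compare the live sensor sample with the stored template; on match, sign the challenge."""
        if self._locked:
            return None
        if hamming_distance(sample, self._template) > MATCH_THRESHOLD_BITS:
            self._failed += 1
            if self._failed >= MAX_FAILED_ATTEMPTS:
                self._locked = True          # defend against repeated presentation attempts
            return None
        self._failed = 0
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class RelyingParty:
    """Server side: stores one revocable key per user and no biometric data at all."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def enroll(self, user: str) -> bytes:
        """Issue a fresh shared key; in practice this would be provisioned into the token by a trusted party."""
        key = secrets.token_bytes(32)
        self._keys[user] = key
        return key

    def revoke(self, user: str) -> None:
        """Lost or compromised token: delete the key. The user's biometrics are untouched."""
        self._keys.pop(user, None)

    def new_challenge(self) -> bytes:
        """Fresh random challenge so a captured response cannot be replayed."""
        return secrets.token_bytes(16)

    def verify(self, user: str, challenge: bytes, response: Optional[bytes]) -> bool:
        key = self._keys.get(user)
        if key is None or response is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def flip_bits(data: bytes, positions: Iterable[int]) -> bytes:
    """Return a copy of `data` with the given bit positions inverted (simulates sensor noise)."""
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)


def demo() -> Dict[str, bool]:
    """Run one enrolment, a noisy-but-genuine sample, a non-matching sample, then revocation."""
    template = bytes([0xA5]) * 16                # constructed 128-bit reference template
    rp = RelyingParty()
    token = BiometricToken(template, rp.enroll("alice"))

    genuine = flip_bits(template, [3, 40, 77])          # 3 bits of sensor noise: should match
    impostor = flip_bits(template, range(0, 80, 8))     # 10 differing bits: should not match

    c1 = rp.new_challenge()
    genuine_ok = rp.verify("alice", c1, token.respond(genuine, c1))
    c2 = rp.new_challenge()
    impostor_ok = rp.verify("alice", c2, token.respond(impostor, c2))

    rp.revoke("alice")                                   # token lost: server-side key removed
    c3 = rp.new_challenge()
    after_revoke_ok = rp.verify("alice", c3, token.respond(genuine, c3))
    return {"genuine": genuine_ok, "impostor": impostor_ok, "after_revoke": after_revoke_ok}


if __name__ == "__main__":
    print(demo())
```

The `revoke` path is the part worth noticing: because the relying party only ever held a key, a lost token is handled exactly like a lost password, while the template stays inside the device and is never part of what the server has to protect.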
But even with this technique, Segal says there are some security issues.
“Firstly, the biometric reference data has to somehow be securely incorporated into the token and associated with your identity, possibly by a trusted third party. Secondly, the physical and electronic security of the device itself must be high. There is potentially greater incentive to crack a device containing irrevocable biometric data than say a revocable digital certificate,” he says.
Segal is cautious but optimistic about biometrics in some situations. “Biometric authentication is not the authentication silver bullet that it is held out to be, but has the potential to be used to powerful effect to replace passwords in existing authentication technologies. Existing cryptographic authentication tokens that use passwords can easily be ‘loaned’ to other people, whereas with biometrics the owner would have to be physically present to activate the device.”
One further problem for biometrics is that there are no standards, adds RSA Security business development manager Mark Pullen. Some 450 companies in Silicon Valley alone are working on biometrics, he says. This is far too many and the real problem is getting the technology out to the masses, he says.