In authentication, we generally talk about three “factors” for determining identity. A “factor” is a broad category for establishing that you are who you claim to be. The three types of authentication factor are:
- Something you know (a password, a PIN, the answer to a “security question”, etc.)
- Something you have (an ATM card, a smart card, a one-time-password token, etc.)
- Something you are (your fingerprint, retinal pattern, DNA)
Historically, most people have used the first of these three forms most commonly. Whenever you’ve logged into Facebook, you’re entering something you know: your username and password. If you’ve ever used Google’s two-factor authentication to log in, you probably used a code stored on your smartphone to do so.
One of the less common, but growing, authentication methods are the biometrics. A couple years ago, a major PC manufacturer ran a number of television commercials advertising their laptop models with a fingerprint scanner. The claim was that it was easy and secure to unlock the machine with a swipe of a finger. Similarly, Google introduced a service to unlock an Android smart phone by using facial recognition with the built-in camera.
Pay attention folks, because I’m about to remove the scales from your eyes. Those three factors I listed above? I listed them in decreasing order of security. “But how can that be?” you may ask. “How can my unchangeable physical attributes be less secure than a password? Everyone knows passwords aren’t secure.”
The confusion here is due to subtle but important definitions in the meaning of “security”. Most common passwords these days are considered “insecure” because people tend to use short passwords which by definition have a limited entropy pool (meaning it takes a smaller amount of time to run through all the possible combinations in order to brute-force the password or run through a password dictionary). However, the pure computational complexity of the authentication mechanism is not the only contributor to security.
The second factor above, “something you have” (known as a token), is almost always of significantly higher entropy than anything you would ever use as a password. This is to eliminate the brute-force vulnerability of passwords. But it comes with a significant downside as well: something you have is also something that can be physically removed from you. Where a well-chosen password can only be removed from you by social engineering (tricking you into giving it to an inappropriate recipient), a token might be slipped off your desk while you are at lunch.
Both passwords and tokens have an important side-effect that most people never think about until an intrusion has been caught: remediation. When someone has successfully learned your password or stolen your token, you can call up your helpdesk and immediately ask them to reset the password or disable the cryptographic seed in the token. Your security is now restored and you can choose a new password and have a new token sent to you.
However, this is not the case with a biometric system. By its very nature, it is dependent upon something that you cannot change. Moreover, the nature of its supposed security derives from this very fact. The problem here is that it’s significantly easier to acquire a copy of someone’s fingerprint, retinal scan or even blood for a DNA test than it is to steal a password or token device and in many cases it can even be done without the victim knowing.
Many consumer retinal scanners can be fooled by a simple reasonably-high-resolution photograph of the person’s eye (which is extremely easy to accomplish with today’s cameras). Some of the more expensive models will also require a moving picture, but today’s high-resolution smartphone cameras and displays can defeat many of these mechanisms as well. It’s well-documented that Android’s face-unlock feature can be beaten by a simple photograph.
These are all technological limitations and as such it’s plausible that they can be overcome over time with more sensitive equipment. However, the real problem with biometric security lies with its inability to replace a compromised authentication device. Once someone has a copy of your ten fingerprints, or a drop of your blood from a stolen blood-sugar test or a close-up video of your eye from a scoped video camera, there is no way to change this data out. You can’t ask helpdesk to send you new fingers, an eyeball or DNA. Therefore, I contend that I lied to you above. There is no full third factor for authentication, because, given a sufficient amount of time, any use of biometrics will eventually degenerate into a non-factor.
Given this serious limitation, one should never under any circumstances use biometrics as the sole form of authentication for any purpose whatsoever.
One other thought: have you ever heard the argument that you should never use the same password on multiple websites because if it’s stolen on one, they have access to the others? Well, the same is true of your retina. If someone sticks malware on your cellphone to copy an image of your eye that you were using for “face unlock”, guess what? They can probably use that to get into your lab too.
The moral of the story is this: biometrics are minimally useful, since they are only viable until the first exposure across all sites where they are used. As a result, if you are considering initiating a biometric-based security model, I encourage you to save your money (those scanners are expensive!) and look into a two-factor solution involving passwords and a token of some kind.
Stephen Gallagher's Open-Source Blog 
Agreed, with a caveat — biometric readers can be useful in a supervised-entry environment. You can pay someone minimum wage salary to sit behind a thick glass and make sure that whenever someone uses a retina scan, they actually put their eyes to the scanner instead of whipping out a smartphone.
So that solves things until someone comes up with a way to overlay a retinal photo on your eye using a trick contact lens. This has either already happened but is not yet in the public domain, or will happen soon, I’d bet.
While biometrics won’t work well for a preventative authentication measure, they can still provide a benefit for auditing and tracking compromised systems. Now, whether that’s enough of a perk to justify biometric equipments’ cost is a different issue. There are some targets that would reasonably require as many layers of authentication as possible.
Basically, having “What you are” alongside “What you know” and “What you have” basically adds another dimension to any given security system.
Sure, it adds another dimension and I can see where it might help with auditing and tracking (or at least understanding the depth of the attack). However I think my point was valid: once a biometric factor has been compromised, it is compromised for ALL authentication systems that use it, related or not. You can’t go out and buy new fingers, unless you’re planning to have plastic surgery on a regular basis (in which point, we’re now actually talking about “something you have” rather than “something you are”).
I also neglected to mention the more terrifying side of biometric-only access: someone with an urgent need to break in can compel you physically much more easily than mentally. Holding a gun to your head and making you put your hand on a palm-print scanner (or removing your hand from you and doing it themselves) may require less effort than attempting to compel you to give up your passwords (and has the side-effect that you can’t lie about them).
With all that in mind, I stand by my conclusions (though they are my own opinion) that biometrics introduce more risks than they alleviate and therefore are inappropriate in a security context. Furthermore, given the problems with remediation, investing in biometric sensor development will not yield good returns in the long-term. No matter what, biometrics will *always* be a fuzzy-logic game, and any such system can be gamed.
…or simply bribe the someone who get “minimum wage salary”.
Can I take part of your article to my blog? Thanks,
so much appreciated!
All of my blog entries are licensed under CC-BY-SA 3.0. You may reproduce this article under the terms of that license. Feel free to link back here as well.