Back in 2002, biometrics seemed futuristic to say the least. Minority Report was released in that year and I vaguely recall a scene where Tom Cruise trades-in his eyes (yes, his eyes!) to fool, what was supposed to be a retinal scanner.
We’re now in 2015 and biometrics do not seem that sci–fi anymore. Biometrics are insidiously creeping in our lives, via a plethora of services and solutions. But whilst I do passionately follow how widespread biometrics are getting, I still remain very sceptical when it comes to saying that biometrics are the ultimate answer to security.
Let’s take fingerprints for example. Granted, fingerprints are truly efficient when it comes to authentication. They are part of you, and they are unique. Unless I am in serious, serious trouble, I would not be ready to have new fingerprints stitched, were that procedure to be available.
Fingerprints are unique:
A fingerprint is the representation of dermal ridges of a finger. Dermal ridges form a combination of genetic and environmental factors; the genetic code in DNA gives general instructions on the way the skin should form in a developing fetus, but the specific way it forms is the result of random events such as the exact position of the fetus in the womb at a particular moment. This is the reason why even the fingerprints of identical twins are different.[From Encyclopedia of Biometrics, Stan Z.Li, Anil Jain : Fingerprint Recognition, Overview.]
But, this perceived uniqueness is not without some loopholes:
Doddington et al developed a statistical framework based on the matching performance of individual users.[…]. Their work focused on determining user-induced variability. In particular, they identified four categories of users:
(sheep) users who are easily recognized,
(goats) users who are particularly difficult to be recognized,
(lambs) users who are easy to be imitated,
(wolves) users who are particularly successful at imitating others.[From Revisiting Doddington’s Zoo: A Systematic Method to Access User-dependent Variabilities]
Fine then, my fingerprints are supposed to be unique. What if there was a “wolf” out there who knows he can access my biometrically locked services, consciously, not by hacking, but simply by the trick of his finger? I’d be having a “finger twin” (remember Joey in Friends in the hand twin episode), albeit an evil one.
This situation, though infinitesimally probable (and even more improbable when it comes to me, with my abnormally high number of minutiae, but that is another story!), does pose a pertinent question. Should I be able to repudiate a service which was authenticated biometrically?
The straightforward answer would be no. However, there have been, in the past, numerous cases in which innocent people have been wrongly singled out by means of fingerprint evidence.
In 2004, Brandon Mayfield was wrongly linked to the Madrid train bombings by FBI fingerprint experts in the United States.
Shirley McKie, a Scottish police officer, was wrongly accused of having been at a murder scene in 1997 after a print supposedly matching hers was found near the body.[From “Why your fingerprints may not be unique” The Telegraph 21 April 2014]
These cases do prove one thing: An unlucky string of circumstances, though highly unlikely, could be enough to repudiate the alleged non-repudiable: fingerprints.
Mind you, I have not even stepped into the “conventional” debate – Tsutomu Matsumoto, the Japanese guy who made fake fingerprints out of gelatine – nor started a discussion on the challenges facing biometrics – varying physiological aspects in population and environmental effects on both the biometrics to be sensed and the sensor used. And I am miles away from two three-letter acronyms: FAR and FRR.
Mass market biometrics are currently only about convenience, not security. Not having to remember PINs is nice (particularly if you collect bank cards like I do), but relying solely on biometrics is hazardous.
Security is added, or rather implemented, by combining other factors (something you have, something you know), but here is the catch – the more you secure, the less convenient is the solution. Phone + fingerprint + PIN definitely imply that my evil twin finger would have to get hold of my phone, know my PIN to access my services, but would I, as a lazy client, be bothered if I had to have the phone on me, key in a PIN and place my finger on the reader for each access to a service?
But besides this well-known trade-off between convenience and security, there is another crucial aspect in biometrics: sustainability. Unlike “conventional” credentials which can be revoked and changed in case of attack, revoking compromised biometrics is certainly more difficult. Revocable biometric algorithms may be the answer, but I prefer make abstraction of it in this article. In view of ensuring the viable trust of future biometric solutions, emphasis should be laid on zero-flaw in current roll-outs.
L’Observatoire appelle également les acteurs à être vigilants durant les phases d’expérimentation de solutions fondées sur la biométrie, la compromission d’empreintes biométriques utilisées par celles-ci pouvant mettre en cause le déploiement de solutions futures à plus grande échelle.
The panel also calls on players to be vigilant during the experimental phases of solutions based on biometrics. The use of compromised fingerprint may seriously challenge the deployment of future solutions on a larger scale.[From 2014: Rapport annuel de l’observatoire de la sécurité des cartes de paiement]
Trust, once shattered might be hard, impossible even, to rebuild, especially if the same client pool has been compromised. A case in point here is the Mauritian Biometric Identity Card Scheme. The fingerprints enrolled were stored on the chip, which is secure enough, and a not-so-secure centralised database. A couple of years, frenzied passion against biometrics and doubt-instilling database procedure malfunctions, were enough to convince legal authorities to destroy the much controversial biometric database. The Mauritians are paying the high price of a rapid and not sufficiently prepared solution. I’m not sure they’ve gauged the extent of the problem though.
Les empreintes digitales de 947 000 citoyens, collectées pour la nouvelle carte d’identité, ont été supprimées de la base de données. […]Les données biométriques seront désormais sauvegardées uniquement sur la puce insérée dans la carte.
The fingerprints of 947 000 Mauritian citizens previously collected for the new identity card scheme, have been deleted from the database. […] The biometric data shall be saved only on the identity card chip.[From Carte d’identité : Les empreintes digitales de 947000 citoyens détruites” L’express.mu: 1st September 2015]
Were I to be one those 947 000 enrolled, the court’s order to destroy the biometric database, limiting the credential to the chip, would not reassure me at all. There has been a point in time where the database was operational with people behind accessing them. Damage could already have been done, and leaving my fingerprint data on the identity card chip is like having a key in a safe when the duplicate key is either destroyed or lost somewhere.
Our approach to biometrics needs to change rapidly. The stars are getting lined up for biometrics. Demand for new authentication methods, enhanced reliability as well as more affordable price ranges are starting to build up a huge potential for future solution deployments. It is up to us to develop new archictectures. Assessing the expected convenience levels and maintaining the high levels of trust will ensure consistency in the security of biometric solutions.
It’s the convenience and trust, convenience and trust only. Security is the outcome of it.