The Problem With Biometric Authentication

NIST is working on new authentication standards, and there are some surprising changes coming out of this effort.  One of the issues NIST is dealing with is the use of biometrics for authentication, and there are real problems with biometrics.  Here is the relevant section from the draft of NIST Special Publication 800-63B.

“5.2.3. Use of Biometrics

For a variety of reasons, this document supports only limited use of biometrics for authentication. These include:

  • Biometric False Match Rates (FMR) and False Non-Match Rates (FNMR) do not provide confidence in the authentication of the subscriber by themselves. In addition, FMR and FNMR do not account for spoofing attacks.
  • Biometric matching is probabilistic, whereas the other authentication factors are deterministic.
  • Biometric template protection schemes provide a method for revoking biometric credentials that is comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development.
  • Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns). While presentation attack detection (PAD) technologies such as liveness detection can mitigate the risk of these types of attacks, additional trust in the sensor is required to ensure that PAD is operating properly in accordance with the needs of the CSP and the subscriber.”
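
The first two NIST bullets are easier to see with numbers. The following Python is an added example, not code from this post or from NIST: it takes a constructed set of matcher scores (ten genuine and ten impostor presentations, invented for illustration) and shows how the False Match Rate and False Non-Match Rate move against each other as the acceptance threshold changes, where the equal error rate sits, and why a quoted FMR on its own says little about an attacker who is allowed to retry.

```python
# Added example (not from the post or from NIST SP 800-63B): how the False
# Match Rate (FMR) and False Non-Match Rate (FNMR) of a biometric matcher trade
# off against its acceptance threshold. The score lists are constructed for
# illustration and were not measured on any real sensor.

# Similarity scores in [0, 1] produced by a hypothetical matcher.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.90, 0.76, 0.85, 0.97, 0.70, 0.89]   # enrolled user
IMPOSTOR = [0.12, 0.35, 0.48, 0.20, 0.61, 0.55, 0.30, 0.72, 0.41, 0.25]  # other people


def fmr_fnmr(genuine, impostor, threshold):
    """Rates for a matcher that accepts a presentation when score >= threshold.

    FMR  = fraction of impostor presentations accepted (false matches).
    FNMR = fraction of genuine presentations rejected (false non-matches).
    """
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def threshold_for_target_fmr(genuine, impostor, target_fmr):
    """Lowest observed-score threshold whose FMR is <= target_fmr.

    Returns (threshold, fmr, fnmr); the FNMR is the usability price paid for
    that level of security. Returns None if no threshold reaches the target.
    """
    for t in sorted(set(genuine) | set(impostor)):
        fmr, fnmr = fmr_fnmr(genuine, impostor, t)
        if fmr <= target_fmr:
            return t, fmr, fnmr
    return None


def equal_error_rate(genuine, impostor):
    """Threshold where FMR and FNMR are closest, and the rate there (the EER)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        fmr, fnmr = fmr_fnmr(genuine, impostor, t)
        gap = abs(fmr - fnmr)
        if best is None or gap < best[0]:
            best = (gap, t, (fmr + fnmr) / 2)
    _, t, eer = best
    return t, eer


def impostor_success_probability(fmr, attempts):
    """Chance that an impostor who may retry is falsely accepted at least once.

    This is why an FMR figure alone gives no confidence: without a cap on
    attempts (SP 800-63B pairs its FMR floor with a limit on consecutive
    failures) the per-attempt rate is multiplied up by the attacker.
    """
    return 1 - (1 - fmr) ** attempts


if __name__ == "__main__":
    for t in (0.5, 0.7, 0.76, 0.9):
        fmr, fnmr = fmr_fnmr(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FMR {fmr:.2f}  FNMR {fnmr:.2f}")
    print("lowest threshold with zero false matches:",
          threshold_for_target_fmr(GENUINE, IMPOSTOR, 0.0))
    print("equal error rate (threshold, EER):", equal_error_rate(GENUINE, IMPOSTOR))
    print("p(impostor accepted within 5 tries at FMR 1/1000): "
          f"{impostor_success_probability(0.001, 5):.4f}")
```

On these constructed scores, reaching zero false matches costs a 10% false non-match rate, and the per-attempt FMR compounds with every retry, which is why 800-63B's FMR floor comes with a cap on consecutive failed attempts. A password check has no such curve: the hash either matches or it does not, which is the deterministic-versus-probabilistic point in the second bullet.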

One of the biggest problems with biometric authentication is that if your biometric is successfully spoofed or cloned, nobody can issue you a new one.  I cannot get you a new iris pattern or thumbprint.  So once this method of authentication is breached, the only fix is to fall back to a different form of authentication.

This means that biometrics cannot be used alone for authentication; they need to be paired with another factor.  NIST's own guidance in 800-63B is that a biometric is acceptable only as part of multi-factor authentication together with a physical authenticator, something you have, such as the phone the sensor is built into.
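
What pairing the biometric with a possession factor buys you, and what revocation looks like when the biometric itself cannot be replaced, is easier to see in code. The following Python is an added example, not code from this post: it models a phone that matches the fingerprint locally and uses the verdict only to decide whether its device key may answer a server challenge. The HMAC-SHA256 challenge/response, the device names, the match scores and the 0.80 threshold are all assumptions standing in for a real FIDO-style authenticator's signature.

```python
# Added example (not from the post): a biometric used only as a local gate in
# front of a possession factor. The server never sees the biometric; it holds
# a per-device key that it can revoke, so a cloned fingerprint is useless
# without the device, and a lost device is fixed by revoking its key rather
# than by changing the user's finger. Assumptions: HMAC-SHA256 challenge/
# response stands in for a real authenticator's signature; key ids, match
# scores and the 0.80 threshold are invented for the walk-through.
import hashlib
import hmac
import os


class Server:
    def __init__(self):
        self.keys = {}       # key_id -> secret shared with one registered device
        self.revoked = set()
        self.pending = {}    # key_id -> outstanding one-time challenge

    def register(self, key_id, secret):
        self.keys[key_id] = secret

    def revoke(self, key_id):
        self.revoked.add(key_id)
        self.pending.pop(key_id, None)

    def challenge(self, key_id):
        nonce = os.urandom(32)           # fresh per login: responses cannot be replayed
        self.pending[key_id] = nonce
        return nonce

    def verify(self, key_id, response):
        if response is None or key_id in self.revoked or key_id not in self.keys:
            return False
        nonce = self.pending.pop(key_id, None)   # a challenge may be answered once
        if nonce is None:
            return False
        expected = hmac.new(self.keys[key_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Device:
    """The user's phone: the biometric match happens here and only decides
    whether the device key may be used. The key itself never leaves."""
    THRESHOLD = 0.80     # matcher acceptance threshold on a score in [0, 1]

    def __init__(self, key_id):
        self.key_id = key_id
        self.secret = os.urandom(32)

    def respond(self, challenge, match_score):
        if match_score < self.THRESHOLD:
            return None                  # biometric rejected: nothing is released
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


def login(server, device, match_score):
    """One round of possession (device key) AND inherence (biometric)."""
    challenge = server.challenge(device.key_id)
    return server.verify(device.key_id, device.respond(challenge, match_score))


def scenario():
    """The cases discussed in the text, as a dict of outcome name -> accepted?"""
    server, phone = Server(), Device("phone-1")
    server.register(phone.key_id, phone.secret)
    out = {}
    out["owner"] = login(server, phone, 0.93)          # right finger, right device
    out["wrong_finger"] = login(server, phone, 0.40)   # right device, biometric fails

    # Attacker who lifted and cloned the fingerprint (perfect match score) but
    # holds a different device: the server's registered key never signs for it.
    attacker = Device("phone-1")
    out["cloned_print_no_device"] = login(server, attacker, 1.0)

    # Attacker who recorded a valid response: the challenge was one-time.
    nonce = server.challenge(phone.key_id)
    response = phone.respond(nonce, 0.93)
    server.verify(phone.key_id, response)
    out["replay"] = server.verify(phone.key_id, response)

    # The phone is lost: revoke its key. The user's fingerprint is unchanged,
    # and re-enrolling a new device restores login with that same finger.
    server.revoke(phone.key_id)
    out["after_revoke"] = login(server, phone, 0.93)
    new_phone = Device("phone-2")
    server.register(new_phone.key_id, new_phone.secret)
    out["new_device_same_finger"] = login(server, new_phone, 0.93)
    return out


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:>24}: {'accepted' if ok else 'rejected'}")
```

The design choice worth noticing is that the server stores a revocable key, never a biometric template, so the thing that gets compromised and the thing that gets replaced are the same object. A spoofed fingerprint only ever unlocks the device it is presented to, and the unfixable biometric is never the credential the server trusts.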

A recent Minnesota Court of Appeals decision also concludes that compelling someone to unlock their smartphone with a fingerprint does not violate the person's Fifth Amendment right against self-incrimination, whereas courts have generally treated forcing someone to reveal a secret passcode as testimonial, and therefore protected.

“The Minnesota Appeals Court has ruled [PDF] that unlocking a phone with a fingerprint is no more “testimonial” than a blood draw, police lineup appearance, or even matching the description of a suspected criminal.”

So while biometrics may seem to be a solution to authentication security, they are turning out to be the weakest of the three factors: something you know (a password), something you have (a smartphone authentication app), and something you are (biometrics).  If you are using biometrics to unlock a phone or laptop, you may want to rethink that decision, or at least learn how to make your device fall back to the passcode when it matters.

Late-breaking news from The Smithsonian – now your heartbeat could be used as a biometric authenticator.  Yeah – go ahead and get another one of those!


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
