The Problem With Biometric Authentication

NIST is working on new authentication standards, and there are some surprising changes coming out of this effort.  One of the issues that NIST is dealing with is the use of biometrics for authentication.  But there are problems with biometrics.  Here they are from the NIST Special Publication 800-63b.  Emphasis is mine.

“5.2.3. Use of Biometrics

For a variety of reasons, this document supports only limited use of biometrics for authentication. These include:

  • Biometric False Match Rates (FMR) and False Non-Match Rates (FNMR) do not provide confidence in the authentication of the subscriber by themselves. In addition, FMR and FNMR do not account for spoofing attacks.
  • Biometric matching is probabilistic, whereas the other authentication factors are deterministic.
  • Biometric template protection schemes provide a method for revoking biometric credentials that are comparable to other authentication factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development.
  • Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns). While presentation attack detection (PAD) technologies such as liveness detection can mitigate the risk of these types of attacks, additional trust in the sensor is required to ensure that PAD is operating properly in accordance with the needs of the CSP and the subscriber.”

One of the biggest problems with biometric authentication is that if your biometric signature is successfully spoofed or cloned, I can’t get you a new one.  I cannot get you a new iris pattern or thumbprint.  So once this method of authentication is breached, the only solution is to require a different form of authentication.

This means that biometrics cannot be used alone for authentication, but need to be paired with another authentication factor.
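An added illustration (not from the original post or from NIST) of the probabilistic-matching point in the quoted section and of the pairing requirement above. The similarity scores, thresholds and function names are constructed assumptions, not output from a real matcher.

```python
import hmac

# Constructed similarity scores (0..1) from a hypothetical matcher.
# GENUINE: the enrolled user presenting their own characteristic.
# IMPOSTOR: other people trying by chance ("zero-effort" attempts).
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.93, 0.70, 0.89, 0.97, 0.82]
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.66, 0.19, 0.73, 0.30, 0.22, 0.50]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FMR, FNMR) for one decision threshold.

    FMR  = share of impostor attempts accepted (score >= threshold).
    FNMR = share of genuine attempts rejected (score < threshold).
    """
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def sweep(thresholds):
    """Show the trade-off: lowering one error rate raises the other."""
    return {t: rates(t) for t in thresholds}


def authenticate(score, threshold, presented_secret, stored_secret):
    """Accept only if the biometric matches AND a second factor verifies.

    The biometric check is a threshold on a score (probabilistic).
    The secret check is an exact, constant-time comparison (deterministic).
    """
    biometric_ok = score >= threshold
    secret_ok = hmac.compare_digest(presented_secret, stored_secret)
    return biometric_ok and secret_ok


if __name__ == "__main__":
    for t, (fmr, fnmr) in sweep([0.60, 0.75, 0.90]).items():
        print(f"threshold={t:.2f}  FMR={fmr:.0%}  FNMR={fnmr:.0%}")
    # FMR is measured on chance impostors only. A copy of a non-secret
    # characteristic would score in the genuine range, so a high score
    # alone must not authenticate; the second factor still has to verify.
    print(authenticate(0.93, 0.75, b"wrong-pin", b"stored-pin"))
```

No threshold in the sweep drives both error rates to zero, and neither rate describes a presented copy of the characteristic, which is why the decision function refuses a high score that arrives without the second factor.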

A recent court case in the Minnesota Court of Appeals also concludes that compelling someone to unlock their smartphone with a fingerprint does not violate the person’s rights against self-incrimination under the Fifth Amendment.  But forcing them to unlock a phone using a secret passcode does.

“The Minnesota Appeals Court has ruled [PDF] that unlocking a phone with a fingerprint is no more “testimonial” than a blood draw, police lineup appearance, or even matching the description of a suspected criminal.”

So while biometrics may seem to be a solution to authentication security, it is turning out to be the weakest of the three modalities: something you know (password), something you have (smartphone authentication app), and something you are (biometrics).  If you are using biometrics to unlock a phone or laptop, you may want to rethink that decision.

Late breaking news from The Smithsonian – now your heartbeat could be used as a method of biometric authentication.  Yeah – go ahead and get another one of those!


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Comments

  1. Muhammad Faizan  January 9, 2022

    I want to get biometrics, I don’t know about it, please help me be guided a little. Come to WhatsApp if someone does this biometric work. 00966 564982740
