-------------
Author's Note: I originally posted this in another venue as a response to a push for biometrics. I've updated it a bit to remove references to other things in that venue that are not mine to share.
-------------
Biometrics is one of those technologies that springs out of the minds of science fiction writers and later comes to pass. We've had many great things come to us that way, but not all of them work out quite as planned. In this case, the technology is cool, but moribund.
First, understand that biometrics is simply about authentication, not authorization. As I've said many times, they are very different things. There are many parts to the authentication piece of the puzzle, but let's focus for a second on just those which are claimed to be the advantages of biometrics: portability -- it's always with you; complexity -- most claims are that biometric data is hard to duplicate; and fidelity -- the belief that there is sufficient uniqueness among the population. Biometrics has long-term trouble ahead in all of these areas. I'll compare it to a smart card.
Portability: While it is certainly true that I am never without my biometric data, it is also true that I am rarely in the presence of equipment with which to accurately test that data. The requirement of external testing equipment means that portability is not in fact as big an advantage as you might think. For example, the device which reads the fingerprint data and sends it to the web requires software on the workstation to work. That means even carrying the reader around doesn't help me -- and that's of course just one example. Compare this to a smart card, with its seemingly random number sequences timed to the main server and changing every 30 seconds. A credit-card-sized card carries no requirement for additional hardware, as the numbers themselves have no value without the card.
Fidelity & Complexity: The tenet that biometric data is sufficiently complex is highly flawed. First, because only a full DNA test is complex enough that it would count, and it takes years -- not seconds -- to do one. Anything less is actually less complex and unique than a good mathematical hash. We're talking one in billions, not millions. On top of that, the complexity you achieve with biometrics is limited to the fidelity of the reading device; for example, a 7- or 13-point fingerprint is not in fact as truly unique as a full fingerprint. It works in police work because the fingerprint need not be unique within the entire population -- only within the narrow list of suspects. Also, consider the fidelity -- the resolution, if you want -- of the device. For any input reader, an output writer can be made. If you have a screen that can read retinas at some ungodly resolution, you can be sure that someone else will have a device which can produce an image at that resolution. Add infrared for heat mapping, and someone else makes a heat-generating device.
Increased complexity on the input mechanism actually reduces the security of the authentication device. Aside from the negative portability issue, biometric data is almost universally insecure in cases where human supervision is not available. In the case of a web login tool, there is a requirement that the hardware be installed at the PC for login, and there is nothing to prevent someone tampering with the person using it, or the equipment, or the PC itself. If it's on someone's desk, what happens if I plug a reader in between the device and the PC to capture the signals from the device to the PC? If the device is permanently installed, then perhaps the driver on the PC can be encrypted, as can the transfer of data between the device and the PC -- but in that case you are in fact relying on the encryption, not the biometrics, for surety, and you're further reducing the portability. I can also tamper with the person -- a threat of some kind, for example.
Let's compare this to a smart card. For those who haven't used them or researched them, a company can purchase a smart card system which includes the smart cards themselves and a computer program to manage the keys and numbers. Each smart card is serialized with what amounts to a public/private key system. That is to say, the card's serial number is its public key, and its private key is known only to itself and to the server. The card generates a multi-digit number every 60 seconds and displays it. That's all. That numeric display is typed into any device (a web page, for example) along with the user's login. The server then can look to see what smart card is assigned to the user, and pass to the authentication server a tag saying "smart card id xxxxxx is authenticating at 00:00:00 GMT with a code of yyyyyyyyy". The smart card server will compare that number -- which is unique both to that card and to that exact moment -- with its encrypted algorithm and private key for validation. That means to authenticate you need the card and the person's user ID (and sometimes a password). There are many variations on this, but you get the picture.
In terms of portability, a credit-card-sized device (and they're getting smaller, like watch built-ins) is all that is needed. No input device is required, since the numbers can be keyed in on any keyboard. Similar systems which use radio signals or output ports can be used in places where built-in hardware makes more sense. These devices can be embedded in ID badges, car keys, or even under the skin (hope we don't get there).
In terms of protecting the source data -- the digits are useless after 60 seconds so there is no point in capturing them.
In terms of complexity -- all the complexity occurs in the safe "protected" area of the server, not at the user. There is no need to attempt to forge a scan, because it's just typed digits.
In terms of repudiation -- the cards are serialized, and any card can be made useless at the server with a keystroke by an admin. I know of no way to repudiate DNA or other biometric data.
In terms of fidelity -- the cards are limited only by the number and range of digits -- for example, a 12-digit case-sensitive alphanumeric code with punctuation can be hugely complex, and that fidelity can be increased simply by replacing the inexpensive cards as technology and encryption techniques change. This results in a level of "uniqueness" (hate that word) which is far superior.
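To make the card-and-server exchange above concrete (the 60-second rolling code, the captured digits going stale, and an admin revoking a serialized card), here is an added illustration in Python that is not from the original post or from any particular vendor's product. It assumes a shared per-card secret held by both the card and the server and an HMAC-SHA1-based code derivation (the same construction as RFC 4226/6238 one-time passwords); the card registry, user mapping and clock-skew window are constructed for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the card rolls its displayed code every 60 seconds
DIGITS = 6

# Constructed registry: card serial (the "public" id) -> secret shared only
# with the server, plus a revocation flag the admin can flip.
CARDS = {
    "card-000123": {"secret": b"constructed-secret-for-card-000123", "revoked": False},
}
USER_TO_CARD = {"alice": "card-000123"}


def code_for(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive the displayed digits from the shared secret and a 60-second slot number
    (HMAC-SHA1 plus the dynamic truncation of RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def card_display(serial: str, now: int) -> str:
    """What the card shows at epoch time `now`; it needs no reader, just a clock."""
    return code_for(CARDS[serial]["secret"], now // STEP_SECONDS)


def server_verify(user: str, submitted: str, now: int, window: int = 1) -> bool:
    """Server side: map the user to a card, refuse revoked cards, recompute the code
    for the current slot (and +/- `window` slots of clock skew, an assumed tolerance)
    and compare in constant time. Nothing the user typed is reusable after the slot."""
    serial = USER_TO_CARD.get(user)
    if serial is None:
        return False
    card = CARDS[serial]
    if card["revoked"]:
        return False
    slot = now // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(code_for(card["secret"], slot + delta), submitted):
            return True
    return False


def revoke(serial: str) -> None:
    """The admin's 'one keystroke': the card keeps displaying digits, but they no longer validate."""
    CARDS[serial]["revoked"] = True
```

Running `server_verify` with a code captured a few minutes earlier shows why there is no point in capturing the digits, and `revoke` shows the repudiation property that has no biometric equivalent.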