Wednesday, November 13, 2013

Bio-metrics, why are we still chasing a dead end?

The following article on the BBC caught my eye today:
http://www.bbc.co.uk/news/business-24898367

It amazes me that there is still research into an area that has more security flaws than any other system already presented. Currently the trusted third party Kerberos and two-factor authentication are in most cases still the strongest methods we have to date, until a human leaks the most essential part of the system. At this point we should note that any weakness in any security system is the users and the people responsible for them. We only need look at certain government agencies around the world to know this, and they have their own tests that claim these people are "trustworthy". Again, another topic for another day.

Although in most circumstances bio-metrics seem like a great idea, they are at the end of the day something that Hollywood has created to make films look good. In reality, unless they have a backup system (which is essential), you could be wiped off the face of the earth and unrecognised in the space of seconds.

The saying "make sure you've got clean underpants on as you might be hit by a bus" springs to mind here.

Bio-metrics assumes that everyone is a healthy human being, that they don't grow or change, and that they will never develop an illness that will disfigure them in any way or form. At this point I could stop, as you now already understand why this is not safe as a security mechanism, but I won't. I'll add some more weight behind this to let those in the Bio industry understand why they should only develop these systems with an immediate backup, which in reality should be the primary system, as it would be better (as yet to be discovered).

So, the flaws in Bio-metrics:
1. Fingerprints have been used on laptops, phones and many other devices. Although I joked earlier about Hollywood, they have proven the point that it is easy to obtain someone's fingerprint, and the police have been doing it for years. Ah, but ... I hear you say. No, no but. Even a heat detector to make sure that the person is alive can be fooled with a warm heat source at the right temperature. Further buts. Well OK, let's check for a pulse. OK, next point.
2. The heartbeat was one of the interesting ones recently announced, stating that the heart has a unique signature. True, it does, but have we really done exhaustive tests? Pacemakers have a similar signature, so already we've failed our security test. Have we checked a person's heart after a heart attack or stroke to see if the rhythm remains the same? Still, this is not secure enough, and we only need a recording device to generate the relevant beat.
3. As for the voice, and the BBC link saying that there is no recording equipment that does uncompressed recording: well, I'm sorry, I don't need to record you over the phone. I can do it face to face and get full uncompressed audio direct from you. So no, voice is not a safe mechanism, and it can easily be recorded and used to fool these systems.
4. Retinal scans.  Eyes can change too, even the unique pattern at the back.  Blood clots, cataracts, and more, not to mention losing them.

So I beg you, stop trying to link humans up to machines, or trying to find parts of the body to use as a security mechanism. The body is a fragile thing, fragile things can be broken, and broken things won't allow users back into a system.

At the end of the day, and as was done in the old days, if someone wants something badly they will get it, and they will always find a way. The safest way to deal with things in today's hi-tech world is to do it face to face. I believe that too many places have tried to make things too convenient, and it appears that with convenience comes higher risk.
