TISC Insight, Volume 2, Issue 20

Welcome to Volume 2, Issue 20 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.


TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.

Enjoy, and be safe,

Dave

In this issue, Peter Lindstrom of the Hurwitz Group offers an update on the state of Biometrics. Peter offers some history, and insight into current trends, standards activities, and the most likely adoption and integration of biometrics into authentication schemes. You may want to re-visit Stephen Kent's column entitled Biometrics: Threat or Menace? published in Insight Volume 1, Issue 2, Dec 17, 1999.


FEATURE COLUMN

Biometrics Update: Ready for Primetime?

Pete Lindstrom, Hurwitz Group

Overview

I recently participated in the Biometrics Consortium Conference (http://www.biometrics.org/) held at the National Institute of Standards and Technology (NIST). This consortium brought the biometrics world together to discuss standards and capabilities - current and future - for biometrics solutions. In this column, I share observations made at this conference, covering areas such as standards, existing biometrics capabilities, current and future research, and convergence with other methods of authentication.

History of Biometrics

Biometric identification and authentication is an area of security that has galvanized strong support as well as opposition. Much of the concern revolves around whether biometrics (the use of distinctive physical or behavioral characteristics as a means of personal identification, e.g., fingerprinting, iris scanning, gait measurement, or voice pattern recognition) can or should be used as a form of authentication. Certainly identification is appropriate - in fact, biometrics may be the only true (or at least best) form of identification in existence.

There are two primary objections to using biometrics for authentication. The first objection is that biometric signatures are not secrets. If they were, no law enforcement agency would ever catch a criminal with DNA samples, blood type matches, fingerprints, or any other form of identification. The second argument, more of a corollary to the first, is that a biometric that is compromised cannot be "changed" or replaced in the same manner as a password. You have these "signatures" for life - that's the point of biometrics. A cursory look at these arguments, especially when combined, can create enough doubt that biometrics may be bypassed in favor of other security measures. But this argument does not hold up under closer scrutiny.

What both of these objections fail to take into account are the individual strengths of each authentication "factor." In the typical case of passwords, the quality that makes the "what you know" factor useful as an authentication method is its secrecy. Since biometric identification is not secret, it can't provide enough security for authentication, and what's worse is that once they are compromised, biometrics cannot be replaced or modified (at least without major surgery). Double jeopardy, game over, right? Wrong! Each authentication factor has its own strengths and weaknesses. The strength of biometrics (the "who you are" factor) is not secrecy, but uniqueness.

A password loses its strength when it is compromised, because it has lost the quality of secrecy. Therefore, after the compromise is identified and security weaknesses addressed, a password must be changed. A biometric was not secret to begin with, but is, and always will be, unique. So, after a biometric compromise, when the weakness is fixed through a patch or enhanced security, the biometric regains its original effectiveness - there is no need to change it (it's not a secret) and the system has been strengthened, so uniqueness is restored. In essence, the fact that biometrics are not secret becomes a strength.

If this argument holds water, then we need to turn to the process of compromising a system. Any exploited vulnerabilities in biometrics systems must be addressed quickly, since the strength of the biometric signature will remain in question until a fix is made. The potentially vulnerable areas are similar to those of passwords. Points of compromise exist at the access point (brute force; spoofing), on the wire (sniffing; man-in-the-middle), or, at the other end of the match, at the data store.

The industry approach to the first point of attack, access point compromises, is to introduce capabilities within the hardware devices - scanners and readers and sensors (oh my!) - that protect against the false introduction of biometric information to authenticate impostors. It is far more difficult to give away biometrics or for an intruder to spoof them at the introduction point than it is for a password to be guessed or attacked through social engineering. When compared to passwords, biometrics are a clear winner, since there is no "human weakness" point.

The second point of attack, on the wire, is frequently cited as a weakness because this is the point at which biometrics are submitted as a bitstream and are no longer directly linked to the individual. Cryptography can be used here to protect against someone creating the digital version of a fingerprint, for example, and somehow inserting it into the matching process (when a presented biometric is compared to the one stored in the database). Again, passwords have a similar problem, and biometrics have the amazing capability (as already described) to "rebound" after compromise and regain effectiveness once the vulnerability is secured.

The most likely avenue of approach for an attacker would be the third method, compromising the biometric store (i.e., the database) and inserting the biometric of an impostor into a user account, then authenticating as that user. In this case, you actually can change the biometric by switching back to the original owner's biometric signature.
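As an added example of the defender's side of this third point (not code from the column or from any vendor), the template store below keeps an HMAC tag, keyed outside the database, that binds each stored template to its account; a template swapped in from another account, or a whole row copied over, fails the binding check and is refused instead of matched. BIND_KEY, TemplateStore and the sample templates are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
# Added example (hypothetical store, not from the column). BIND_KEY lives outside
# the template database (HSM/vault), so a DB writer cannot forge binding tags.
BIND_KEY = secrets.token_bytes(32)  # constructed for the demo

def _encode(user_id: str, template: bytes) -> bytes:
    uid = user_id.encode()  # length-prefix both fields to avoid ambiguity
    return len(uid).to_bytes(2, "big") + uid + len(template).to_bytes(4, "big") + template

def bind_template(key: bytes, user_id: str, template: bytes) -> bytes:
    """HMAC tag tying a stored template to exactly one account."""
    return hmac.new(key, _encode(user_id, template), hashlib.sha256).digest()

def verify_binding(key: bytes, user_id: str, template: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(bind_template(key, user_id, template), tag)

class TemplateStore:
    """Rows an attacker with database write access could tamper with."""
    def __init__(self, key: bytes):
        self._key = key
        self.rows = {}  # user_id -> (template, tag)
    def enroll(self, user_id: str, template: bytes) -> None:
        self.rows[user_id] = (template, bind_template(self._key, user_id, template))
    def authenticate(self, user_id: str, presented: bytes) -> str:
        """'ok', 'mismatch', or 'tampered' (binding check failed: alert, do not match)."""
        template, tag = self.rows[user_id]
        if not verify_binding(self._key, user_id, template, tag):
            return "tampered"
        # Real matchers are fuzzy; this constructed demo uses exact equality.
        return "ok" if hmac.compare_digest(template, presented) else "mismatch"

def demo() -> dict:
    store = TemplateStore(BIND_KEY)
    alice_tpl, mallory_tpl = b"constructed-minutiae-alice", b"constructed-minutiae-mallory"
    store.enroll("alice", alice_tpl)
    store.enroll("mallory", mallory_tpl)
    results = {"honest": store.authenticate("alice", alice_tpl)}
    # The column's third point: the impostor's template is written into alice's row.
    store.rows["alice"] = (mallory_tpl, store.rows["alice"][1])
    results["swap_template"] = store.authenticate("alice", mallory_tpl)
    # Copying mallory's whole row (template + tag) also fails: the tag covers user_id.
    store.rows["alice"] = store.rows["mallory"]
    results["copy_row"] = store.authenticate("alice", mallory_tpl)
    # Restoring the original template brings back its effectiveness; no reissue needed.
    store.enroll("alice", alice_tpl)
    results["restored"] = store.authenticate("alice", alice_tpl)
    return results
```

A "tampered" result is the detection signal: it should raise an alert for incident response rather than fall back to a plain match.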

Trends in Biometrics

During the recent Biometrics Consortium Conference, my colleagues and I identified a number of trends in perceptions, uses, and the near-term future of biometrics.

Form Factors Get Smaller

One of the major hurdles to biometric acceptance is the requirement for physical input devices. Unfortunately, biometrics companies are saddled with this burden and no real solution; the nature of the space forces the need for physical devices. However, companies are working hard to reduce the physical form factor of these devices. Fingerprint scanners, which marry up well to this miniaturization, are being integrated into a PC card. These scanners will pose a reasonable threat to other strong authentication devices.

Fingerprints Rule

There is much talk about iris scanning, facial recognition, hand geometry, and even measuring the human gait for biometrics. But fingerprint identification, originating in the late 19th century, is the granddaddy of biometrics and gets the respect it deserves. Resistance to the technology is low and the form factor is manageable. Also, vendors seem to recognize this, because fingerprint scanners were the most common device displayed during the conference.

BioAPI Released

The BioAPI Consortium (http://www.bioapi.org/) released version 1.0 of its BioAPI, designed to accelerate development using biometrics for authentication. A standards-based approach is essential to the success of biometrics; developers cannot invest the time to write supporting code for multiple biometric interfaces. In addition, to address user discomfort or resistance, providing choices for biometric authentication allows a user to choose his or her own personal, "least invasive" device. Different types of biometrics lend themselves well to certain situations, like facial recognition at an ATM, or fingerprint scanners on a desktop. A standard API provides for this interchangeability among devices and furthers the support opportunities by applications.

Nonparticipation from Major Players

Significant vendors in the biometrics space chose to stay away from the activities of the Consortium. While the biometrics market matures, the handful of companies that have strong name recognition and are shipping mature products are reticent to participate in events such as this that have a tendency to balance the "playing field." This lack of participation may be a major impediment to the growth of the market by stalling integration of biometrics authentication into the major computing platforms and limiting the biometrics choices of customers.

Three-Factor Authentication Is Considered Strongest (surprise, surprise)

Strong consensus appeared in one area - authentication would be strongest with the combination of public key infrastructure, smart cards, and biometrics. It is an assertion that is hard to dispute, but somebody forgot to ask the buyers. In a world where the password is by far the most common form of authentication, it is far-fetched to believe that multiple methods of two- or three-factor authentication will be commonly deployed. Each of these solutions has its own infrastructure requirements (e.g., management server), as well as the deployment issues surrounding physical assets. With combined costs reaching upwards of $250 per user, it is unlikely that three-factor authentication will find itself in any but the most secure installations.

Conclusion

It is clear that biometrics will have a place at the authentication table. What is unclear is whether this place will be a position of prominence or a niche player. The unique challenges of biometrics present several obstacles to overcome to gain general acceptance in the marketplace. In addition, the general wariness of the security community about the unknown questions surrounding authentication, as well as privacy issues, may create enough resistance to limit growth. But when biometrics work, they are easily the most user-friendly techniques for authentication available today.


© 2000 - 2006 Core Competence & Mactivity, Inc.