Tuesday, January 29, 2013

Something You Were - 3 Factors of Fail (part 4)

   Today we'll continue our discussion on problems in the world of authentication.  Here are links to parts 1, 2 and 3.

   The 3rd form of authentication is typically called Something You Are.  We typically think of this as some kind of biometric indicator like fingerprints.  But this is probably the earliest and most basic form of authentication used in human or animal species.

   Animal species can identify members by sight, but more often scent or sound.   In addition to the traditional 5 senses, some animals have senses that humans do not, like echolocation, to help identify "friend or food".  Here are some interesting articles.

   Human babies can identify their mother by smell and sound.  People have used visual recognition as a primary identification method for most of the existence of the human race.  Of course, visual recognition can be spoofed. And there are other reasons why visual recognition may not be the best identification method.

   There are two main challenges when using some kind of biometric for authentication.  First is false positives.  A false positive is when someone is incorrectly granted rights when they should have been denied, for example the famous Trojan Horse.  It looked OK so was granted access with disastrous results (for the Trojans!).  False positives are bad for security.

   The other challenge is false negatives.  This is when rights are incorrectly denied when they should have been granted.  False negatives are bad for business and user experience, but can also be a security problem if someone who needs to perform a critical security service can't be authenticated.
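To make the false positive / false negative trade-off concrete, here is a small added example (my own code, not from the original post) that sweeps a match threshold over constructed similarity scores and reports the false accept and false reject rates at each setting; the score lists, function names and step size are assumptions.

```python
# Added example (not from the original post): how a match threshold trades
# false positives (impostor accepted) against false negatives (genuine user
# rejected) in a biometric matcher. All scores below are constructed sample data.

from typing import Dict, List, Tuple

# Constructed similarity scores in [0, 1]: higher means the probe looks more
# like the enrolled template. In a real system these come from the matcher.
GENUINE_SCORES: List[float] = [0.91, 0.88, 0.85, 0.80, 0.77, 0.74, 0.70, 0.62, 0.55, 0.48]
IMPOSTOR_SCORES: List[float] = [0.12, 0.20, 0.25, 0.31, 0.38, 0.42, 0.50, 0.57, 0.63, 0.68]


def error_rates(threshold: float,
                genuine: List[float] = GENUINE_SCORES,
                impostor: List[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Return (false_accept_rate, false_reject_rate) for an accept-if-score>=threshold rule.

    False accept: an impostor's score clears the threshold (the Trojan Horse case).
    False reject: a legitimate user's score falls below it (bad for business).
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(step: float = 0.05) -> Dict[float, Tuple[float, float]]:
    """Evaluate FAR/FRR at every threshold from 0 to 1 in the given step."""
    n = int(round(1 / step))
    return {round(i * step, 2): error_rates(round(i * step, 2)) for i in range(n + 1)}


def equal_error_threshold(step: float = 0.05) -> float:
    """Threshold where FAR and FRR are closest (the equal error rate point).

    Lowering the threshold below this favours usability; raising it favours security.
    """
    table = sweep(step)
    return min(table, key=lambda t: abs(table[t][0] - table[t][1]))


if __name__ == "__main__":
    for t, (far, frr) in sweep().items():
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("equal error threshold:", equal_error_threshold())
```

Raising the threshold drives the false accept rate to zero at the cost of rejecting more legitimate users, which is exactly the security-versus-usability tension the two paragraphs above describe.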

   There are a number of typical biometrics used for authentication.  Iris scan, retina scan, fingerprint, palm print and palm geometry are probably the most common.  There are also less common choices including voice/voiceprint and typing cadence.  Voice is becoming more popular.  And there are other, more unusual, identifiers.

   Biometrics are probably the best form of authentication for use in movies! :-)

   In addition to the false rates mentioned above, here are other problems with the use of biometrics:
  • logistics - when a biometric is used for authentication, first the new value must be registered, such as through providing an initial fingerprint or baseline voice print.  Then subsequent authentication attempts will be matched against that baseline.  But have you ever tried to register and sign in to a laptop with a fingerprint reader?  This is not trivial!  And it has nothing to do with the false rates we've discussed.  One problem is that, in many cases, the readers just aren't that good.  Sometimes it's hardware, but often it's user training... people just aren't used to these methods yet.  Identifier registration problems are measured with the Failure to Enroll rate.  Both of these will get better.  But another major problem is things like oil from skin or lotions that can build up on reader interfaces (at least for hand/finger biometric readers). Which leads to a major issue...
  • hygiene - with multiple people using readers, leaving behind oils and germs, these readers can present a hygiene problem.  And let's not even get started on eye biometric readers!  Now, some types of readers do not require actually touching the mechanism, but even then people will touch the reader, perhaps to steady their hand during a palm geometry scan.
  • perception - the bottom line is that many people don't like biometrics.  They are messy and invasive.  I once had an IT manager tell me that he had an unfounded fear that if biometrics were used, a crook would want to cut off his arm to use it to authenticate.  I said that many biometrics require a "live" sample to work.  He said that's fine, but the crook probably wouldn't know that!
  • back-end processes - while biometrics can be difficult for some users, others like the method.  After all, you can't forget your fingerprint.  Once entered, the electronic representation of the biometric needs to be sent to an authentication server for comparison.  And in this way, a biometric can have many of the same problems as passwords, including man-in-the-middle attacks and authentication database theft (and offline brute force attack).  But...
  • You can't change your fingerprints - or other biometrics for that matter.  You can use a different finger, or different biometric, but once it's gone, it's gone.
  • Yet sometimes your identifier can change - for instance, if you've ever cut your finger, it can heal in a way that alters your fingerprint.

   This article lists the main types of attacks against biometric systems.

   So, what do we do?  I think there are some good uses for biometrics.  There are two primary use cases I like best.  First is physical access.  This should be some kind of hand or finger identifier along with a local authentication server.  The other case I like is the use of voice as an authenticator for automated password reset, instead of secret questions. This would work best in an enterprise setting.

   I don't like fingerprint readers on laptops. A person's laptop is covered with their fingerprints!  I don't know why I haven't heard of this attack, but it would seem that a motivated attacker could lift prints off a laptop, then snack on, and authenticate with, gummy bears.

   What are your experiences with biometrics? Do you, or your users, find them intrusive?  Have you experienced high false-positive or -negative rates?  If so, can you share any methods for improving this?
