Biometric security could play an important role in securing future computer systems. Biometric security identifies users through something the user is: the measurement of physical characteristics such as fingerprints, retinal patterns and even DNA (biometric, Online Computing Dictionary). Authentication can be achieved in a variety of ways. One of the most fundamental and frequently used methods today is the password or PIN code, which can be categorised as something the user knows. Another category is something the user has; this method usually involves issuing physical objects such as identity badges or physical keys (Pfleeger, 2003). A relatively new method of authenticating is through biometrics.
This report will discuss the limitations and strengths of biometric security. Furthermore, it will compare biometrics to the other qualities that authentication mechanisms use: something the user knows and something the user has. It will not delve into describing the biometric measures themselves, instead discussing the benefits and problems of biometric security.
When a biometric security system is implemented, several things are required. The user is scanned into the system and the main features of the scanned object are extracted. A compact and expressive digital representation of the user is stored as a template in the database. When a person attempts to enter the system, they are scanned, and the main features of the scanned object are again extracted and converted into a digital representation. This file is then compared to the templates in the database. If a match is found, the user is granted access to the system (Dunker, 2004).
A disadvantage of the template-style design, which is what most biometric devices use, is that it allows an attacker to gain entry into the system by intercepting and capturing the template file and then injecting that file into the communications line, spoofing the system into treating the attacker as an authorised user.
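The replay weakness described above, and one common way to close it, as an added example that is not part of the original report: the sensor binds each scan to a one-time nonce from the verifier with an HMAC, so a captured message is useless later. The pre-shared sensor key, the class and function names, and the exact-match comparison standing in for a real template matcher are all assumptions.

```python
import hashlib
import hmac
import secrets

def naive_verify(enrolled, received):
    """Template-only check: any captured copy of the bytes is accepted again."""
    return hmac.compare_digest(enrolled, received)

def sensor_respond(key, nonce, template):
    """Sensor side: bind this scan to the verifier's one-time nonce."""
    tag = hmac.new(key, nonce + template, hashlib.sha256).digest()
    return template, tag

class Verifier:
    """Server side: issues one-time nonces and accepts each at most once."""

    def __init__(self, key, enrolled):
        self._key, self._enrolled = key, enrolled
        self._pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce, template, tag):
        if nonce not in self._pending:
            return False                      # unknown or already-used nonce
        self._pending.discard(nonce)          # single use, pass or fail
        expected = hmac.new(self._key, nonce + template, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                      # tag was made for another nonce
        # Exact comparison stands in for a real fuzzy template matcher.
        return hmac.compare_digest(template, self._enrolled)

def run_demo():
    key = secrets.token_bytes(32)             # assumed pre-shared sensor key
    template = b"constructed-template-0001"   # constructed sample, not real data
    server = Verifier(key, template)
    n1 = server.challenge()
    captured = sensor_respond(key, n1, template)   # what crosses the wire once
    return {
        "naive_accepts_replay": naive_verify(template, captured[0]),
        "genuine_login": server.verify(n1, *captured),
        "replay_same_nonce": server.verify(n1, *captured),
        "replay_new_nonce": server.verify(server.challenge(), *captured),
    }
```

The nonce and tag stop replay only; the template still travels in the clear here, so the link would also need encryption to address the privacy concern.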
Another drawback of this design is that it requires personal data such as DNA, thumbprints and other sensitive data to be saved as template files on database computers. This creates a greater security risk and raises privacy issues, such as who has access to this data; these and similar questions would have to be addressed if a biometric system were implemented.
Biometrics allow for error when scanning the user in order to provide better functionality and usability. A FAR (false acceptance rate, the probability of accepting an unauthorised person) and an FRR (false rejection rate, the probability of incorrectly rejecting a genuine user) are set to avoid the inconvenience of a genuine user being denied access. Assuming these rates are set correctly, this allows biometric devices to differentiate between an authorised person and an impostor (Itakura, Tsujii, 2005, October).
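To make the FAR/FRR trade-off concrete, the following added example (not from the original report) sweeps a match threshold over two sets of scores and reports both rates. The integer 0 to 100 score scale, the sample scores and the function names are constructed for illustration.

```python
# Constructed match scores (0-100, higher = closer to the stored template).
GENUINE = [91, 88, 95, 79, 84, 97, 73, 90, 66, 58]    # attempts by the real user
IMPOSTOR = [12, 35, 41, 28, 55, 63, 19, 47, 76, 30]   # attempts by other people

def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor attempts scoring >= threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)

def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine attempts scoring < threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)

def sweep(genuine, impostor):
    """Return (threshold, FAR, FRR) for every integer threshold 0..100."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in range(101)]

def equal_error_point(genuine, impostor):
    """Lowest threshold at which FAR and FRR are closest to each other."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))

def lowest_threshold_for_far(genuine, impostor, max_far):
    """Lowest threshold meeting a FAR ceiling, with the FRR that it costs."""
    for row in sweep(genuine, impostor):
        if row[1] <= max_far:
            return row
    return None  # no threshold on the scale satisfies the ceiling

if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, a, r in sweep(GENUINE, IMPOSTOR)[50:85:5]:
        print(f"{t:9d}  {a:.1f}   {r:.1f}")
    print("equal error point:", equal_error_point(GENUINE, IMPOSTOR))
    print("FAR = 0 requires: ", lowest_threshold_for_far(GENUINE, IMPOSTOR, 0.0))
```

Raising the threshold until no impostor is accepted triples the share of genuine users who are turned away in this sample, which is the usability cost the paragraph describes.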
Biometric devices could create a more ambiguous and user-friendly environment for their users. Lost or stolen cards and passwords can cause major headaches for support desks and their users. This problem is eradicated in biometric security, since it is practically impossible for a user to forget or leave their hand or eye at home. Also, other forms of identification which rely on the user remembering a password or carrying an object such as a smart card are easier to compromise compared to biometrics. For example, approximately 25% of ATM card users write the PIN on their ATM card, thus making the PIN security useless (Dunker, 2004). Since biometric devices measure unique characteristics of each person, they are more reliable in allowing access to intended people. Resources can then be diverted to other uses, since they are not being wasted on the policing of purchased tickets or resetting passwords. An example from our local area would be the recent upgrade of the Transperth system to smart cards, which means security guards can focus on keeping people safe instead of checking tickets and issuing fines.
Biometric security is not a new form of security; signatures have provided a means of security for decades. But the measuring of human characteristics such as fingerprints and iris patterns using computer systems is a new security method. Because this new form of biometrics is in its preliminary stages, common development issues occur. Expense and a lack of testing in real-world situations mean biometrics cannot be used today, although once these “teething stages” are overcome biometrics could become a powerful method in security (Dunker, 2004).
Imagine a scenario where you are your own key to everything. Your thumb opens your safe, starts your car and enables access to your account records. This could seem very convenient. However, once biometric security is attacked, you can't exactly change your fingerprint or your DNA structure. And your biometric data is not a secret as such: you touch objects all day, and your iris scan can be collected from anywhere you look. A large security risk is created if someone steals your biometric information, as it remains stolen for life. Unlike with conventional authentication methods, you cannot simply ask for a new one (Schneier, 1999).
Biometrics could become very useful but, unless handled properly, are not to be used as keys: keys need to be secret and able to be destroyed and renewed, and at the present stage biometrics do not have these qualities. Although still in its primitive stages, a proposal by Yukio Itakura and Shigeo Tsujii for biometric authentication based on cryptosystem keys containing biometric data enables biometric devices to be secure and more reliable when used as a key. This system works by generating a public key from two secret keys, one generated from the hash function of the biometric template data and the other created from a random number generator, as seen below (Itakura, Tsujii, 2005, October).
In conclusion, biometric devices are definitely a viable option in the future. But, as discussed, they have several issues that need to be dealt with before real-world installation will occur. Biometric devices give their users ambiguity and trouble-free authentication, but at the present time they also have certain security loopholes that need to be dealt with.
1.1 References
Itakura, Y., Tsujii, S. (2005, October). Proposal on a multifactor biometric authentication method based on cryptosystem keys containing biometric signatures. International Journal of Information Security. Heidelberg (4)4, 288.
Jain, A., Hong, L., Pankanti, S. (2000, Feb). Biometric identification. Association for Computing Machinery. Communications of the ACM. New York (43)2, 90.
Pfleeger, C. P., Pfleeger, S. L. (2003). Security in Computing, 3rd Ed. Upper Saddle River, New Jersey: Prentice Hall Professional Technical.
Schneier, B. (1999, Aug). The uses and abuses of biometrics. Association for Computing Machinery. Communications of the ACM. New York (42)8, 136.
Weinstein, L. (2006, April). Fake ID; batteries not included. Association for Computing Machinery. Communications of the ACM. New York (49)4, 120.