Biometric credentials belong to so-called "what user has" authentication factors. There are plenty of them, like: fingerprints, eye / face recognition, written signatures, sound bytes, biomechanical movements, and the like. None of them has reached public, industrial, or government-agency-wide recognition comparable to passwords, despite the many years and resources invested in that. There are numerous reasons for each particular type of biometric credentials - there is a whole science around that. Several frequent objections are as follows: insufficient levels of false positive and/or false negative authentication errors; security and privacy issues in setting, resetting, authorizing and using credentials; and people's reluctance to use those types of credentials for religious, privacy, security and other reasons. Biometric authentication typically belongs to patented and/or industrial customized software, so the cost issue plays a negative role as well. The only seemingly successful biometric technology is mass face recognition. However, despite some obvious ease and efficiency of such mass authentication, there are numerous legal, security, and privacy questions in using this technique. It is an obvious encroachment on people's security and privacy without people's consent, which could eventually be contested. Who can provide any warranty that this technology and/or access to the identified pictures database won't turn out to be in the 'wrong hands'?
Vein authentication, a biometric authentication security method that uses scanners to scan the veins under your palm, has been cracked - hackers made a fake wax hand to fool vein authentication security in 2018. It could be expected that since that time the hacking technique has been much improved.
Hackers used a fake hand to fool vein authentication security
By Don Porter on December 31, 2018
Jan Krissler and Julian Albrecht demonstrated how they were able to bypass scanners made by Fujitsu and Hitachi (nearly 95% of industrial vein scanners) during Germany's annual Chaos Communication Congress.
I just want to remind you of what happened in 2013 or 2014 (can't remember which) just after the FBI changed to biometric authentication.
One of their agents lost his laptop (or had it stolen), which enabled a hacker to access the FBI database, and download the contents. The database also contained biometric data on a couple of hundred CIA operatives, which made them less than happy.
Even though they quickly switched back to username/password, they still had a situation where their agents could be identified by any foreign government which had bought the database - forever, since fingerprints are pretty tough to change.
I feel quite close to this incident, since my company tried to bid for the authentication system and, having failed, advised the FBI to not install biometrics.
I have some doubts about this story. What's the reason for any traveling agent to have biometric information for hundreds of agents, or network access to it, on one's own laptop? There are local system admins always available online who take care of secure handling of credentials' info. Such data, even for much less secretive organizations, is stored in protected databases located in protected facilities. But what is more important - biometric information that is actually used for remote authentication never uses raw biometric credentials, but their encrypted signatures that are mapped eventually to the raw biometric data. Any other implementation creates numerous security vulnerabilities in storing, resetting, and using biometric credentials, and cannot be considered professional. IF STOLEN, RAW CREDENTIALS AREN'T RESETTABLE ANY MORE! No organization can afford this to happen, especially an intelligence one!!
The original question is whether biometrics protect privacy as well as protect devices. So how well do biometrics protect devices? Fingerprints and face recognition are both commonly used for authentication of phones and laptops. Both fingerprinting and facial recognition can be broken with 3D printers, at a fairly reasonable low cost:
Cost is important, as the expense of trying to break something has to be in the ballpark of what you are trying to get. Someone (don't have the source) asked how good a biometric method can be if what you use to authenticate is something that you leave everywhere, like fingerprints and facial images? Sometimes both are left around in one spot, like in this breach of biometric data described here:
We can conclude that biometrics don't protect devices that well. Len Leonid Mizrah already described how biometrics can be used to abuse privacy. To answer the original question, it's fair to say that both are pretty bad at protecting devices and protecting privacy. Are biometrics equally bad at both or is one a little worse than the other? That would be hard to quantify, but I'm not sure of the value of doing so given the drawbacks of biometrics in both areas.
"... Are biometrics equally bad at both or is one a little worse than the other? That would be hard to quantify, but I'm not sure of the value of doing so given the drawbacks of biometrics in both areas."
_____
Biometrics as a standalone authentication technology to protect high-value, high-importance, and high-security things, even disregarding privacy issues, cannot be considered secure enough if a single false negative or false positive error can escalate into dramatic losses. Also, the optimized combination of three key requirements for any authentication technology (security, usability, and total cost of ownership) is not in favor of biometric technology. Nevertheless, biometric authentication may appear to be useful as a part of a multifactor authentication solution (say a password and a face recognition), or as one authentication factor in a two-channel layered authentication scheme (say a user authenticated to a laptop through face recognition and concurrently to one's smartphone through drawing a personal pattern).
One important note about the audio-visual capabilities of smartphones and computers - mass video conferencing, especially during the current pandemic, turned out to be highly valued by businesses and private citizens as well. However, the very same capabilities can be used for spying, which is an extreme and illegal privacy and security breach. Businesses say to their employees - you signed an agreement to follow our internal policies and it's our equipment, network, and software - so one cannot complain if one wants to keep the job. In the case of private citizens' locations and private equipment and software, it's illegal, but who will control that it's not happening? The laws are quite fuzzy yet in that regard.