Science fiction writers have been obsessed with the Biometric Future for over seventy years, but it wasn’t until 1999 that a book titled “Biometrics: Personal Identification in Networked Society” started to turn that dream into an engineering discipline. In it, editors Jain, Bolle, and Pankanti lay out seven factors on which any biometric trait has to be judged: Universality, Uniqueness, Permanence, Measurability (often called collectability), Performance, Acceptability, and Circumvention.
Biometric data can be physiological or behavioral. Physiological traits are parts of the body: palmprints, fingerprints, facial geometry, and iris patterns. Behavioral traits are patterns in what a person does: gait, eating habits, and language use. Fascinating as the field is as an intellectual study, biometric authentication should be abandoned on mobile devices such as cell phones, tablets, and laptops. The seventh factor, Circumvention (how easily the system can be fooled with a copy of the trait), taken together with Permanence, predicts exactly the problem: a biometric puts its user at a risk that never expires.
What happens when you lose or compromise your password for eTrade.com or Facebook? You click the “forgot user ID or password” link and a reset form is sent to your e-mail inbox. What happens when the password for that inbox is lost or compromised? You answer several predetermined security questions, such as “Mother’s Maiden Name”, “First Pet”, or “Favorite Teacher”, and once you’ve been cleared you must set a new password. Did you notice how each process ends? With a reset! A password is a revocable secret; a fingerprint is not. If an attacker obtains your fingerprint, whether as template data copied off a device or as a print lifted from a glass and turned into a fake finger, you cannot issue yourself a new one. It’s your fingerprint, you’ll have it forever, and every future system that trusts it is exposed. A lost phone can turn into a data breach that lasts the rest of your life!
The rolling Fingerprint Verification Competition (FVC) accepts submissions of matching algorithms and measures how often they fail. Its result columns say it all: REJENROLL (number of fingerprints rejected during enrollment), REJNGRA (number of genuine match attempts rejected), REJNIRA (number of impostor match attempts rejected), reported alongside each algorithm’s false match rate (an impostor accepted) and false non-match rate (the legitimate user turned away). No submitted matcher scores zero on every count. The question with a fingerprint matcher is never whether it fails, only how often, and how many tries an attacker gets before the device locks. When you enroll your fingerprint on an iPhone or iPad, you are handing a permanent part of yourself to that device. In 2015, we must realize that most security has holes, and that some mistakes cannot be undone. Please, stop using fingerprint unlock on your mobile devices, and save biometrics for your bank safe deposit box, garage door opener, or other wired or isolated access where the reader never leaves the premises.
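To make the competition’s columns concrete, here is an added example (not code from the original post, and not FVC’s own scoring code) that scores a hypothetical matcher the way such a benchmark does: it computes the false non-match rate and false match rate at a threshold from constructed genuine and impostor similarity scores, finds the threshold at which the two error rates are closest (the equal error rate point), and turns the false match rate into the number of tries an impostor needs. The 0..100 score range, the score lists, and the accept-at-or-above-threshold rule are all assumptions made for the example.

```python
"""Scoring a fingerprint matcher the way a benchmark such as FVC does.

Added example, not code from the original post or from FVC. The similarity
scores below are constructed, not measured from any real matcher; the 0..100
score range and the acceptance threshold are assumptions."""
import math
from fractions import Fraction

# Constructed scores from a hypothetical matcher: higher means more similar.
GENUINE_SCORES = [92, 88, 95, 71, 84, 90, 66, 97, 79, 58]  # same finger, two impressions
IMPOSTOR_SCORES = [12, 34, 45, 8, 61, 27, 19, 52, 40, 33, 15, 70]  # different fingers


def accepted(score, threshold):
    """Decision rule of the hypothetical matcher: accept when score >= threshold."""
    return score >= threshold


def rates(genuine, impostor, threshold):
    """Return (FNMR, FMR) at a threshold as exact fractions.

    FNMR: genuine attempts wrongly rejected (the real user is locked out).
    FMR:  impostor attempts wrongly accepted (someone else gets in).
    """
    fnmr = Fraction(sum(not accepted(s, threshold) for s in genuine), len(genuine))
    fmr = Fraction(sum(accepted(s, threshold) for s in impostor), len(impostor))
    return fnmr, fmr


def equal_error_threshold(genuine, impostor, lo=0, hi=100):
    """Threshold at which FNMR and FMR are closest (the benchmark's EER point).

    Raising the threshold lowers FMR but raises FNMR; no setting drives both
    to zero while the genuine and impostor score distributions overlap."""
    best_t, best_gap = lo, None
    for t in range(lo, hi + 1):
        fnmr, fmr = rates(genuine, impostor, t)
        gap = abs(fnmr - fmr)
        if best_gap is None or gap < best_gap:
            best_t, best_gap = t, gap
    return best_t


def attempts_for_false_match(fmr, target_probability):
    """Impostor attempts needed for at least target_probability of one false match.

    Each attempt is an independent trial with success probability FMR, so
    P(at least one success in n) = 1 - (1 - FMR) ** n. Returns None if FMR is 0."""
    fmr = float(fmr)
    if fmr <= 0:
        return None
    if fmr >= 1:
        return 1
    return math.ceil(math.log(1 - target_probability) / math.log(1 - fmr))


def attacker_success_probability(fmr, attempts_before_lockout):
    """Probability an impostor gets in before a device locks after N failed tries."""
    return 1 - (1 - float(fmr)) ** attempts_before_lockout


if __name__ == "__main__":
    for t in (50, 60, 65, 71):
        fnmr, fmr = rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t:3d}: FNMR={float(fnmr):.3f} FMR={float(fmr):.3f}")
    eer_t = equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print("EER threshold:", eer_t)
    fmr_at_eer = rates(GENUINE_SCORES, IMPOSTOR_SCORES, eer_t)[1]
    print("attempts for a 50% chance of a false match:",
          attempts_for_false_match(fmr_at_eer, 0.5))
    print("impostor success within 5 tries before lockout:",
          round(attacker_success_probability(fmr_at_eer, 5), 3))
```

Run it and move the threshold up: FMR falls toward zero while FNMR (legitimate users turned away) climbs, and the two cannot both be zero while the score distributions overlap. That is why a device needs an attempt limit on top of the matcher, and why the rejection columns in the FVC tables are counts of unavoidable failures rather than a defect of one entry.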
Further reading:
- http://gizmodo.com/hackers-iphone-5s-fingerprint-security-is-not-secure-1367817697
- https://en.wikipedia.org/wiki/Fingerprint_Verification_Competition