Earlier this week, a Facebook engineer told The Australian that biometric authentication methods are worse than passwords, citing problems with irrefutability. This is not a new argument against biometric technology, but it is a common one, and with biometrics moving further and further into the mainstream consumer markets, it needs to be addressed by the identity management community.
To this effect, the Biometrics Institute issued a media release today, calling for greater education on the subject of biometric authentication in order to address common misconceptions. Specifically it aims to address those misconceptions concerning the topic of biometrics replacing passwords.
The media release explains the difference between spoofing and hacking, emphasizing the that fact that a physical feature can’t be stolen, only imitated. Jumping off from this point, the Biometrics Institute explains the need for robust and effective liveness detection as well as privacy guidelines for organizations to follow.
Readers will recall the recent anti-student biometrics law in Florida. Arguably the result of similar misconceptions, the law prohibits the collection of biometrics in schools in favor of maintaining privacy. It was a very controversial move, and sparked a similar response from the International Biometrics & Identification Association (IBIA).
Rather than paraphrase the content of the Biometrics Institute’s response, the full text is presented below as it appears on its official website.
Biometrics Institute Media Release: Biometrics Institute states that biometrics offer far greater security than passwords. More education about the responsible use is needed to overcome common misconceptions.
12 June 2014
London/ Sydney - The Biometrics Institute, the independent and international impartial body representing the users, vendors and researchers of biometrics stresses the need for a better understanding of biometrics to help build trust into the secure technology and address common misconception.
Recent commentary on the security of biometrics has sparked a new discussion about the role of biometrics in replacing passwords.
Biometrics cannot be stolen unlike passwords because they are physical features of a person. Copies of biometric images (photograph, fingerprint) can be made hence there is a need for effective anti -spoofing and liveness detection in biometric capture devices. Implemented well biometrics offer far greater security, privacy protection and user convenience than single factor password protection or two factor non biometric systems.
“Biometric technologies are extremely valuable but must be deployed with security and privacy front of mind,” says Isabelle Moeller, Chief Executive of the Biometrics Institute. “The Biometrics Institute is taking an active role in promoting the responsible use of biometrics by bringing together the users, vendors, academics and privacy experts to facilitate this important mission.”
The Biometrics Institute has developed a set of Privacy Guidelines to ensure that organisations using biometrics are making the balance right between security, convenience and privacy.
Biometric authentication has the potential to ease the burden of security given its simplicity and usability. All security technologies have flaws, including PINs and passwords, and when subject to a determined attack none will guarantee absolute security. Most biometrics are not “secret” and should be used with a secure second factor. Security relies not only on one factor but on combining them, such as relying on a PIN and fingerprint.
“There are a number of technologies, both software and hardware, that can be used to detect such spoofing attacks”, explains Moeller, “the Biometrics Vulnerability Assessment Expert Group (BVAEG) – a subcommittee of the independent Biometrics Institute consisting of many of the most experienced experts in this area from around the world are addressing the need for vulnerability detection to be included with biometric devices as well as to promote standards, enhance privacy protection, performance measures and testing, and to help facilitate the dissemination of new research or findings in this area.”
Spoofing a biometric requires a number of steps which make an attack like the one on the Apple iPhone 5S difficult under typical usage scenarios.
When we give up a password, provide a biometric or other sensitive personal data it does come down to a question of trust and control. Some people and organisations are regarded as more trustworthy than others.
Governments are typically required to put very robust trust models in place to ensure end-to-end security is provided, through for example government accredited networks, compliance processes for privacy and record keeping legislation, assurance mechanisms involving partnerships and processes around access to data.
Where some organisations are involved that end-to-end security and assurance just might not exist – what happens with your face, your fingerprints in that environment is potentially riskier and requires far more than just a technology solution.
Another question is control and data retention. What happens to that biometric? Who looks after it, at what point in time is it destroyed? After a person leaves school or a particular job? What processes exist for managing any compromise of identity data, for re-establishing confidence in identity, for redress?
“We have seen many successful implementations where biometrics have helped to transform identity management, privacy protection and identity security,” adds Moeller, “like electronic passports facilitating a better and more secure travel experience or large-scale identity management systems such as the Indian Unique Identity (UID) scheme which facilitates the delivery of government’s services to the poor and marginalised.”
The Biometrics Institute members include immigration, customs and defence agencies, police, airlines, banks, university research groups and many other significant users and vendors of biometrics around the world.
The Biometrics Institute is holding the “Biometrics 2014: The future of identity starts here!” on the 21-23 October 2014 in London and the “Showcase Australia 2014” on the 18 November 2014 in Canberra debating the need for close collaboration between public and private sector to build trust and responsible use into biometrics.