Biometrics – Tales from the Crypto


Biometrics fail to authenticate, once again

Steve Riley points to Mythbusters’ successful attempts to breach biometric security – okay, so it’s not really that the door lock failed to authenticate, it’s that it failed to not authenticate.  Shocking in the extreme is that this test actually demonstrated that even a photocopied fingerprint can fool this “unbreakable” door lock.

I’ll say it again (and again) – because biometrics are a public part of your persona (unless someone has invented a biometric based on the pattern of your haemorrhoids), they are only suitable for use as a claim of identity. They can / should never be used as a proof of identity. (Though it is an interesting thought that using them as such might get around the problem of password and data loss through death of the password owner.)

That’s not to say that biometric door locks have no place – for a relatively low security use, or against unmotivated and unsophisticated attackers, for instance, they may serve a valid purpose. Use one to keep the kids out of the liquor cabinet – but don’t use one to keep the feds out of your filing cabinet.

Prosopagnosia – why face-based password schemes won’t work for all.

I frequently blog here about biometrics and accessibility – too many biometric methods get confused when you don’t have the credential.  Aniridia means you don’t have an iris, a lack of thumbs (congenital or accident-induced) means you don’t have a thumbprint.

Here’s another biometric that’s going to cause problems, and I may have blogged about it before – prosopagnosia. Yeah, it’s a long word, and difficult to type, so I’ll use the common abbreviation, “proso”.

I have a relatively mild, but noticeable, case of proso. I’ll tell a little story about myself, but first there’s a great, short, article in yesterday’s Boston Globe. Read it – I’ll wait.

Okay, so here’s the story of the Starbucks Trinity.

Back when I was a stay-at-home dad, I would frequently trip off to Starbucks, for a drink and a chat, and to work on my laptop away from the Internet and phones.

One of the baristas there was studying Networking at the local college, so I’d chat with her every now and again, but her behaviour confused me – about two times out of three, she’d look at me like I was talking Greek.

After several weeks of this behaviour, I found out why – of course, you’ve guessed by now – they were three different women, each of different heights, weights, and hair colours. But because they all had long hair and wore glasses, I lumped them all in as the same person. This wasn’t a case of simply not bothering to look and pay attention – this (or one of these) was a person with whom I was talking about my field of interest.

One thing I take from the Boston Globe article is that this is more common than previously thought – possibly as many as 1 in 50 people have this condition to some extent.

So, when you consider the “biometric” schemes that offer a pile of faces to choose from, and the user has to select the same person every time, bear in mind that one in 50 people will have trouble with that.

Security questions considered dangerous

Keith Brown expresses concern over the security questions people ask themselves for password reset, and suggests that the user not be allowed to write the question, so that sufficiently secure questions can be asked.

Congratulations – you’ve addressed half the problem.

The server can now ensure that the user is asked a complex question.

Because the correct answer is determined entirely by the user, though, the answer can be unnervingly simple.

  • What’s your mother’s maiden name?

    • 1111

  • What’s the last four digits of your SSN?

    • 1111

I bet you can guess the last four digits of my driver’s licence, and the city in which I was born, too. 🙂

So, this clearly hasn’t started to solve the problem – the only complexity you’ve enforced is the public portion of the exchange.
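As an added example (not code from the post), here is a recovery-answer handler that applies the point above: the server chooses the question, but it can also refuse answers as guessable as “1111”, refuse an answer reused across questions, and store what remains as a salted hash rather than in the clear. The minimum length and the character-variety rules are assumptions of the example, not figures from the post.

```python
import hashlib
import hmac
import os
import re
import unicodedata

MIN_ANSWER_LEN = 8        # assumption of this example, not a figure from the post
PBKDF2_ROUNDS = 200_000

def normalise(answer):
    """Case-fold and collapse whitespace so 'New  York' and 'new york' agree."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"\s+", " ", folded).strip()

def weak_answer_reason(answer):
    """Return why an answer is too guessable to act as a secret, or None."""
    a = normalise(answer)
    if len(a) < MIN_ANSWER_LEN:
        return "too short"                    # catches '1111'
    if len(set(a.replace(" ", ""))) < 4:
        return "too few distinct characters"  # catches '11111111'
    if a.isdigit():
        return "all digits"                   # catches SSN/licence-style numbers
    return None

def enrol_answers(answers):
    """Validate {question: answer}; return {question: (salt, hash)} or raise.
    A weak answer, or one reused across questions, fails the whole enrolment:
    the reset flow is only as strong as its most guessable answer."""
    seen = set()
    for question, answer in answers.items():
        reason = weak_answer_reason(answer)
        if reason:
            raise ValueError(f"answer to {question!r} rejected: {reason}")
        if normalise(answer) in seen:
            raise ValueError(f"answer to {question!r} rejected: reused")
        seen.add(normalise(answer))
    stored = {}
    for question, answer in answers.items():
        salt = os.urandom(16)                 # per-answer salt, stored alongside
        key = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, PBKDF2_ROUNDS)
        stored[question] = (salt, key)
    return stored

def verify_answer(stored, question, answer):
    """Constant-time comparison of one answer against its stored salted hash."""
    salt, key = stored[question]
    candidate = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, key)
```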

Sadly, many of these complex questions raise a further concern – who else knows the answers?

My mother knows her maiden name, and the city in which I was born. My wife knows that, and also has access to documentation for the other keys to the castle. Suppose one day she becomes my ex-wife, and wants to have access to my online banking, my business, my health information – those questions are now the simple key to allowing her in.

Other elements of concern:

  • Privacy

    • I’ve just told my bank what my SSN is, who my mother was, what my driver’s licence is, where I was born, etc – do they need any of that information to do business with me? No. Then they don’t get that information.

  • Accessibility

    • I express it often with biometrics – how does your iris scanner work on a person with aniridia? How does your fingerprint scanner handle a person with no fingerprints? How does your “What is your driver’s licence number” cope with a person who has been banned from driving, or is sufficiently disabled that they cannot drive?

At work, we’re required to create the same sort of “three questions” to reset our password.

I’m tempted to enter the following:

  • What is your name?

  • What is your quest?

  • What is your favourite colour?

What I do instead, is to enter:

  • Why don’t you just walk over to the security office, show them your photo identity, and get them to reset your password?


Two-factor authentication – what’s not to like?

Steve Riley always makes me think, sometimes so much that it hurts.  Thanks, Steve.  His latest blog posting is about two-factor authentication, and he’s asking for input on what you (we) want from it.

First, a couple of examples on authentication.

  1. “I am Bill Gates.” – this is not authentication.  It’s identification.  The fact that it’s an untrue claim doesn’t prevent it from being identification.
  2. “I am Bill Gates, this is Steve Ballmer, he’ll vouch for me.” – this is not authentication either.
  3. “I am Bill Gates, you already know Steve Ballmer, well he’ll vouch for me.” – this is weak authentication.
  4. “I am Bill Gates, you already know Steve Ballmer well, he’ll vouch for me.” – this is strong authentication.
  5. “I am Bill Gates – last time we spoke, I told you my favourite colour was red.” – this is authentication with a pre-shared secret.
  6. “I am Bill Gates – see, I still have the signed business card you gave me.” – this is authentication with a token.
  7. “I am Bill Gates – watch as I ignore the $1000 bill you left on the couch.” – this is authentication by ability (only a small number of people can afford to ignore free money).

There’s an old saying that goes something like “You can authenticate with something you are (biometrics), something you know (passwords), something you have (SecurID etc), or something you can do (skills measurement).”  Or, to put it another way, “something you used to be, something you have forgotten, something you lost, or something you can only do when relaxed in a well-lit room.”

The biggest deal we find with two-factor authentication is that the authentication device will be lost, destroyed, mangled, forgotten, given away as a prize at a sales talk, swallowed, or will simply refuse to operate in the Alaska (or Addis Ababa) office.

So, the second factor (and if you’re replacing passwords with the factor, it’s not two-factor, it’s still one-factor!) has to be rapidly recoverable, re-deliverable, overridable, revocable (and ideally, un-revocable when they find it in their other trouser pocket), etc.  If I lose it, can you get me another one in the five minutes before I give my presentation?  [And if you can override it, what’s to prevent a hacker from doing the same?]

Then you have to consider the message you send your staff by giving them security devices. “With these, your account is secure.” This means that they will use those skanky, dirty, disgusting computers in “Fly-By-Nite Internet Cafes Incorporated (Under New Management)”, or the clean ones at the airport that scream “definitely legitimate”, to download salary data on your most-valued executives, to view listings of covert agents in life-threatening deployments, to investigate your proctology results, etc.

What about those of us that wear multiple hats?  The consultants, the guys with an extra job?  How many tokens are we going to carry around with us?  One password per job is already fairly complexificated, but now you want us to remember a password _and_ carry around a half-dozen “key fobs”?  Perhaps a SecurID, Smart Card, or similar token should be able to authenticate against multiple servers – servers that don’t trust one another, and will not share keys.

Have I forgotten anything else you expect from a second-factor authentication method?

What you can do with your finger

I was reading an article just the other day about attacks on the Microsoft Fingerprint Reader, that contained the important reminder that this isn’t a security device, it’s a convenience device; that it should not be used as credentials for logging on to a corporate system.

I’ve maintained on several occasions that a fingerprint is a claim of identity, and falls far short of being a proof of identity.  It also has the interesting property that you can’t revoke it and issue a new one if it has been exploited, making it of limited use as a credential.

So, what can you do with a fingerprint?

Well, there are some identity-related uses I can think of.

Suppose you are in a busy hospital, with a number of terminals spread around the place.  Accessing these terminals for private information should require strong credentials.  But what about public information?

Does, say, a nurse occasionally need to verify the usual dosage for Tylenol?  Would a doctor find it convenient to search for phone numbers of specialists whose work he has previously approved of?  I’d say that’s likely – and each person will have their own favoured subset of public information, and starting point(s) for looking at it.

For such public information, of course, it would be great to walk up to a terminal, press your finger against the print reader, and have your chosen view on that information be rapidly displayed.

What other uses can you think of, where a false match would not reveal sensitive or private information, or provide privileged access to systems, but where a relatively good rate of true matches makes a system easier and quicker to use?

What is a fingerprint?

Okay, so we should all be well aware as to what a fingerprint is – it’s the pattern of ridges on most people’s fingers that get left in smudges on glass doors.

What can it be used for?

The question arises as I look at my Microsoft Fingerprint Reader, and try to explain why a fingerprint reader is purposely disabled from authenticating an account to a domain.

Let’s first get into what is needed to log on to a system.  In computer science terms, you need a claim of identity, and you need one or more pieces of evidence that together will suffice as proof of identity.

Think of the bank ATM as an example – your debit card is the claim of identity (because it contains your account number), and it’s also a piece of evidence (because you cannot use the ATM without the card).  Your PIN is a second form of evidence; with the card and your PIN, you claim and prove your identity for the purposes of the ATM’s operations.

Logging on to a domain is similar – you provide a username, which is a claim of identity, and you provide a password, which is the evidence used as proof of identity.

What differentiates a claim of identity from a proof of identity?  That’s a little subtle.

A claim of identity is any information that uniquely identifies a person, or a role, or an identity, such that it can be used by the computer to look up that identity.  Your ATM card is a claim of identity, because it contains the account number(s) to which you are allowed access, in a form that the ATM can use to supply as your identifier to your bank.

A proof of identity is made up of one or more pieces of evidence that can be relied on to demonstrate that the claimed identity is matched by the person or process presenting themselves for identification.  It’s “something you are, something you have, or something you know.”  The evidence should consist of items which, in conjunction with one another, can only be presented by the authorised user(s) whose identity is being claimed.

So, what is a fingerprint?

Is it a proof of identity?

Not as far as the Microsoft Fingerprint Reader (or any other low-resolution fingerprint reader) is concerned.  Give me a couple of warm gummy bears, a freezer, five minutes, and the use of your finger, and I can produce a replica “finger” that will authenticate to the reader.  What’s more, if someone can give me a glass door you’ve pushed open, or a cup or glass that you’ve held, within a couple of hours I can make as many gummy fingers as I need, that will all authenticate as you on any low-resolution reader.  [I won’t go into the process here].  In more grisly methods, I don’t even have to go to all that effort.

Higher-quality fingerprint readers will look for a finger’s warmth (yeah, a warm gummy bear will beat you there), or pulse, translucency, capillary patterns, or other features that are supposedly only going to be present in a real finger attached to a live human, but those are expensive.

So, because this fingerprint reader is a basic one, to it, a fingerprint alone is not evidence sufficient for a proof of identity – combined with a guard manning the station, trained to check for gummy bears and severed fingers, and who can deny suspicious attempts, it may be enough, but that’s not its designed method of operation.

Is a fingerprint, then, a claim of identity?

Not in general, no.  The fingerprint can be matched against stored fingerprints to see how closely it matches, but the fingerprint alone is not capable of generating the user ID, which is what you’d want.  The fingerprint has to be almost exhaustively matched – this is why cops on TV seem to spend days getting a fingerprint match.  It is very quick to say “here are two fingerprints, do they match” (which would be evidence of identity), but extremely slow to say “here’s a fingerprint, whose is it?”
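An added example, not code from the post, to make the 1:1 versus 1:N distinction concrete. The templates are constructed minutiae sets and the matcher is a toy, but the shape is the real one: verification compares the probe against the single template a claimed ID names, while identification must compare it against every template. The last two functions go a step beyond the speed argument above: with a per-comparison false match rate fmr, the chance that an unenrolled finger matches somebody grows as 1 - (1 - fmr)^n, so a 1:N lookup gets less trustworthy as the database grows.

```python
import math

# Constructed stand-ins for fingerprint templates: a set of quantised minutiae
# (x, y, ridge angle in degrees). Real readers extract such points from the
# ridge pattern; these values are made up for the example.
ALICE = {(10, 12, 45), (30, 40, 90), (55, 20, 120), (70, 65, 30), (25, 80, 170)}
BOB = {(12, 50, 10), (33, 22, 75), (60, 60, 140), (80, 15, 95), (40, 90, 20)}
DATABASE = {"alice": ALICE, "bob": BOB}

def similarity(template, probe, tol=2, angle_tol=10):
    """Fraction of template minutiae with a counterpart in the probe within
    tolerance. Matching is fuzzy by necessity: two scans of one finger never
    yield identical coordinates, so a print cannot be hashed like a password."""
    hits = 0
    for x, y, theta in template:
        if any(abs(x - px) <= tol and abs(y - py) <= tol and abs(theta - pt) <= angle_tol
               for px, py, pt in probe):
            hits += 1
    return hits / len(template)

def verify(database, claimed_id, probe, threshold=0.8):
    """1:1 check: does the probe match the one template the claimed ID names?
    A single comparison, so it is cheap; the identity was claimed some other way."""
    return similarity(database[claimed_id], probe) >= threshold

def identify(database, probe, threshold=0.8):
    """1:N search: whose print is this? Every template must be compared, and
    each comparison is another chance of a false match."""
    return sorted(uid for uid, tmpl in database.items()
                  if similarity(tmpl, probe) >= threshold)

def identification_false_match_rate(fmr, n):
    """Chance that a probe from someone *not* enrolled matches at least one of
    n templates, given per-comparison false match rate fmr: 1 - (1 - fmr)^n."""
    return 1 - (1 - fmr) ** n

def database_size_for_false_match(fmr, target=0.5):
    """Enrolled templates needed before an unenrolled probe has `target`
    probability of a false hit; shows how 1:N degrades as the database grows."""
    return math.ceil(math.log(1 - target) / math.log(1 - fmr))
```

With a reader whose false match rate is 1 in 10,000, an unenrolled finger has better-than-even odds of matching someone once about 7,000 people are enrolled, which is why the example's `identify` returns a candidate list rather than a single name.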

Then there’s the issue of uniqueness.

I’ve searched and I’ve searched, and I’m surprised to find that there are as many as zero good scientific reviews of large fingerprint databases to check for uniqueness.  So, when a “fingerprint expert” testifies that the fingerprint found at a crime scene matches the defendant, and the defendant only, they’re relying on a guess that hasn’t been reliably tested, and which has been proven false (or at least, badly collected and analysed) on some celebrated occasions:

[Note that these are culled from a very quick search of only one news agency’s recent output.]

Obviously, a fingerprint can be used to refute identity, in much the same way as “the suspect had red hair” will refute the identity of a suspect who does not have red hair, but there’s still significant doubt in my mind as to whether it can be relied upon in any way to prove identity – not without extra layers of evidence to increase the reliability.

Use other, more reliable, measurable, and provable means to protect your networks.  Passwords – strong passwords – will serve you far better than a low-resolution fingerprint reader.