Why Biometric Security CANNOT secure a Corporate Environment
Biometric Security is being billed as the next savior of personal and corporate security, a superior solution to our Identity and Access Management problems. Solutions are often exotic and include voice recognition for unlocking rooms housing servers or for resetting passwords. There are already systems in place that use retinal scans for more secure access. The key to a door is always with you, because the key is YOU. Think about it: unlike passwords, which can be guessed or read from that yellow sticky hanging on a monitor screen, biometrics are hard to forge. Someone can’t replicate your fingerprint or your iris scan. Sure, some artists can mimic other people’s voices, but getting past a security system is a whole different ball game.
So, if Biometrics is all this good, why can’t it secure a Corporate Environment?
Let’s start off with the biggest strength of Biometric Security. It tells an authentication system that you are who you say you are, because unlike usernames or passwords or even Smart cards or tokens, biometrics cannot be lost or stolen: your identity is unique to you and only you.
Now, Biometric security secures both your Authentication and Data privacy. Let us assume that a corporation is implementing Biometric access through a fingerprint reader on a Laptop. Typical authentication in a corporation involves verifying your credentials against those in Active Directory or any other central “source of truth” in the corporation. Here, let us use a fingerprint as the biometric authentication input. A thumb is scanned on the laptop fingerprint scanner, and the result travels over the network to be verified against a master biometric on file. If everything matches, you are in; otherwise, <bleep> incorrect password.
A Biometric signature is unique to you, and that is the biggest strength of this form of authentication. However, while biometrics are unique, they are not secrets. You leave your fingerprints everywhere: on the keyboard, on your car door, everywhere. Now, if you lose your password, your corporation’s help desk will issue you a new one or give you the option to set a new one. If you are using digital certificates or Smart Cards using PKI for authentication, your corporation’s CA can issue you a new one. What happens if someone steals your digital BioID file? This is your thumbprint signature, and you have only two.
The fact is, if someone steals your Biometric ID, it remains stolen for life.
Security folks are always telling people that you should have different passwords for different authentication systems, websites, etc., and that you should change your password at least once every 6 months. Now, if down the line we use the same Biometric ID to unlock our apartment door, our server room, our Laptop, our Bank site, etc., what would happen if we lost our BioID or, worse, it was stolen? If someone had an expensive car, would thieves just cut off the owner’s thumb?
Why Biometric security cannot secure a Corporate Environment?
Most corporations require passwords to be at least 7-8 characters long and to include a number, a special character and/or a combination of upper and lower case letters. However, a password such as Passw0rD! is not secure but would still be accepted as a password. While users can choose weak passwords, your Biometric ID would be strong. Even so:
a. Your Biometric ID is nothing but a large mathematical number derived from your unique biological characteristics, say your fingerprint, which then serves as your password or authentication token. This subjects it to the same kind of replay attacks as a password.
b. They are very expensive to implement. Think of all the fingerprint scanners on every machine in a corporation, the fingerprint scanners on the main doors, the cost of securing those Biometric IDs, the cost of capturing those biometric IDs in the first place; the $$$ keep adding up.
c. False positives and false negatives: No biometric ID would be 100% accurate, in spite of the advances we have made in Biometric technology. So corporate security guys will have to deal with the problem of the occasional legitimate user being denied entry into the building or their computer (false negative), or an invalid user occasionally being allowed in (false positive).
d. Moreover, the nightmare involved in losing a hard drive of a corporation’s Biometric IDs is beyond what is acceptable for most security folks. If a company loses a laptop containing sensitive information, it is required by law to report that publicly as well as to all the people who might be affected by the loss. Now, how do you tell someone that their Biometric ID has been lost and can’t be securely restored ever again?
Algorithms keep getting better, and maybe down the line your Biometric ID would be scrambled or hashed together with additional data, so that even if your stored BioID is decrypted, it would not reveal your actual biometric. This combination could then be part of a three factor authentication, which could be, say, a Smart card/userID (something you have), a pin/password (something you know) and finally a scrambled Biometric ID (something you are).
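To make the replay point in (a) and the scrambled-template idea above concrete, here is an added example (not the author’s code, and not any real biometric product’s protocol). It contrasts a naive scheme that sends a digest of the template over the wire, where a captured message is accepted again later, with a challenge-response scheme that binds a per-system salted key to a fresh nonce. The template bytes, salts and nonces are constructed stand-ins; the PBKDF2 “cancelable template” transform is an assumed design, not one the page specifies.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a fingerprint feature vector; real templates are
# minutiae data, but any fixed bytes illustrate the protocol difference.
ENROLLED_TEMPLATE = b"constructed-fingerprint-template-of-user-42"


def naive_verify(stored_digest: bytes, wire_message: bytes) -> bool:
    """Naive scheme: client sends SHA-256(template), server compares it to the
    enrolled digest. Whatever crossed the wire once is accepted every time."""
    return hmac.compare_digest(stored_digest, wire_message)


def derive_site_key(template: bytes, site_salt: bytes) -> bytes:
    """Assumed cancelable-template transform: bind the raw template to a
    per-system salt so each system stores a different secret, and a leaked
    one can be re-issued by enrolling under a new salt."""
    return hashlib.pbkdf2_hmac("sha256", template, site_salt, 100_000)


def challenge_verify(site_key: bytes, nonce: bytes, response: bytes) -> bool:
    """Challenge-response scheme: server issues a fresh nonce and expects
    HMAC(site_key, nonce). A response captured for one nonce fails the next."""
    expected = hmac.new(site_key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    results = {}
    # Naive scheme: the digest on file is exactly what the client sends.
    stored = hashlib.sha256(ENROLLED_TEMPLATE).digest()
    captured = hashlib.sha256(ENROLLED_TEMPLATE).digest()  # seen on the wire once
    results["naive_first_login"] = naive_verify(stored, captured)
    results["naive_replay"] = naive_verify(stored, captured)  # still accepted
    # Challenge-response with a per-system salted key.
    laptop_key = derive_site_key(ENROLLED_TEMPLATE, b"constructed-laptop-domain-salt")
    nonce1 = os.urandom(16)
    resp1 = hmac.new(laptop_key, nonce1, hashlib.sha256).digest()
    results["cr_first_login"] = challenge_verify(laptop_key, nonce1, resp1)
    nonce2 = os.urandom(16)  # next login gets a fresh challenge
    results["cr_replay"] = challenge_verify(laptop_key, nonce2, resp1)  # rejected
    # Same finger enrolled at another system yields an unrelated stored secret.
    bank_key = derive_site_key(ENROLLED_TEMPLATE, b"constructed-bank-salt")
    results["keys_differ_per_system"] = laptop_key != bank_key
    return results


if __name__ == "__main__":
    print(demo())
```

The raw template still has to be protected on the client, since anyone holding it can compute responses; the scheme only stops a captured wire message from being reused and lets a compromised system’s stored key be re-issued.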
Technology in the Biometric arena is getting better, and maybe one day it will become affordable for corporations on a tight budget to implement this kind of three factor authentication.