I would argue that biometrics has design flaws too critical to be used for medium- to high-level assurance authentication within information security.
In my opinion, biometrics don’t follow best practice security principles and therefore fall short in many applications – particularly information security.
To answer the question ‘how can this be?’ I will offer that by-and-large, the heart of biometrics is the algorithm that drives the enrollment and matching process – speed, accuracy, how it’s tuned, etc. In general, building algorithms is an exercise for mathematicians and as a result, most biometric companies haven’t been heavily staffed with security professionals but rather mathematicians. Therefore, the quality of the algorithm can be great, but the application of it is generally left to marketers (not practitioners) who miss the mark in key areas.
Conversely, despite PKI also requiring similar demands of mathematics, vendors generally don’t build their own algorithm, and instead leverage one of standards and focus on building the security layers that map to the application (proper lifecycle, policy execution and controls). The latter is what the biometrics industry has yet to provide proper attention, effort and resources to. Instead, what we experience is high-level statements from marketers that generally haven’t held practitioner roles in order to really understand the implications of what they are advocating.
There is a lack of alignment between biometrics and information security programs that embody some level of maturity and governance.
For example, most security researchers will focus their attack on fooling the sensor so that whatever alternative sample is presented matches the template on record. While this has been achieved, it provides a false narrative to some extent because most algorithms and sensors that govern this process are built differently and many are engineered quite well to resist the attacks.
It surprises me that even the most seasoned pen testers don’t already know that most applications still use a password beyond the client (where the match takes place) because those applications don’t know what a biometric is. In most cases, a password is still flying back to the authentication layer – not the biometric or its response. Therefore, for arguably costing more per user than any other authentication solution, it doesn’t even change security on the back-end. Think about why Apple’s touch ID isn’t used for many of their recovery processes? They recognized that biometrics is a convenience layer (since when a user enrolls in touchID its really binding that fingerprint to the existing password).
What’s more, effective revocation remains elusive to the biometric segment as an inherent design flaw. To clarify, assuming that clients can receive a command to remove the reference template then revocation can occur, however reissuance is the problem as people only have one right-hand index finder. Strong revocation must not only contain effective termination, but also reissuance and management, so that some previous entitlements are severed while others remain (such as key history in the case of encryption).
Also, templates in storage generally aren’t encrypted. Misuse of credentials should always be a concern, therefore proper controls should be in place. In the world of biometrics, encrypting templates in storage is spotty at best. This, combined with the challenge of revocation, should raise concerns with security professionals in medium to high assurance scenarios.
Biometric algorithms are impressively effective, but it’s openly accepted in the vendor community that they are not 100% correct in their interpretation for matching all the time. In fact, best practice for deployment includes having the customer decide whether to tune the algorithm to lean more toward false acceptance or false rejection. The argument from vendors is that the odds of false events are such longshots that risk is minimized; however the odds suggest that it will happen over a certain number of matches. For some applications that have other layers and risk profiles this may be fine, but from an information security perspective, granting access to the wrong person can be disastrous.
When looking to the future, it’s worth noting that biometrics is based on authentication and identification functions. Therefore, as the world increasingly gravitates toward protecting the data itself and the integrity of communications by employing encryption and signing respectively, biometrics aren’t designed to do so.
Biometrics were developed to be a person-to-machine model. The rise of cloud, IoT and the heavy service-based back-ends that drive them require machine-to-machine, service-to-service and machine-to-service authentication and encryption functions that biometrics cannot provide.
As organizations look toward platforms that can be applied for multiple uses (to decrease resources, skillsets and silos), biometrics remains an island of narrow use.
Biometrics were born to address security, applied decades ago with hand geometry in physical access environments. However, when assessed against the current demands of information security, its design has yet to evolve to align with core principles and is therefore unacceptable to most organizations.
Therefore, I would argue that biometrics has design flaws too critical to be used for medium- to high-level assurance authentication within information security.
Biometric algorithms are impressively effective, but it's openly accepted in the vendor community that they are not 100% correct in their interpretation for matching all the time