Friday, October 8, 2010

Biometric authentication: You can't misplace your thumb

On October 1st the Babbage blog at the Economist took a look at biometric security measures. I'm a long-time opponent of using biometrics for general security. In certain applications they're OK, but the potential problems make them a poor choice for the general public. I agree with the blog's author when he says they are Dubious Security.

What is the problem with biometrics? Well, the upside is that you can't lose, misplace or forget your body. The bad news is, fingers, hands and even eyes can be removed, whether or not you agree to it. But the problems exist whether or not your body parts remain connected:

The downside is that biometric screening can also work without the user’s co-operation or even knowledge. Covert identification may be a boon when screening for terrorists or criminals, but it raises serious concerns for innocent individuals.

Covert identification is a nice way of saying they're secretly comparing scans of body parts - usually faces - with pictures or scans on file. This may seem like a good idea. In theory you can find wanted criminals this way, but I've never heard of them actually catching anyone that way. Meanwhile we don't know if they're keeping copies of the images they scan or, if they are, why. But more troubling than that is the possibility of false positives. It can be a real pain to convince the authorities that you were born and raised in Dubuque when their fancy scanner has identified you as Osama bin Laden's second in command.

There is even a case of mistaken identity cited in the blog:

The eye-opener was the arrest of Brandon Mayfield, an American attorney practicing family law in Oregon, for the terrorist bombing of the Madrid subway in 2004 that killed 191 people. In the paranoia of the time, Mr Mayfield had become a suspect because he had married a woman of Egyptian descent and had converted to Islam. A court found the fingerprint retrieved from a bag of explosives left at the scene, which the Federal Bureau of Investigation (FBI) had “100% verified” as belonging to Mr Mayfield, to be only a partial match—and then not for the finger in question.

As it turned out, the fingerprint belonged to an Algerian national, as the Spanish authorities had insisted all along. The FBI subsequently issued an apology and paid Mr Mayfield $2m as a settlement for wrongful arrest.

Maybe I need to get misidentified by the FBI. I could use a cool $2m. I'm sure that Mr. Mayfield won't be the last to be wrongfully identified by biometric data. It is the nature of biometric data that it cannot give a 100% certain identification. Thus there is always the possibility of false positives, and over time they are going to happen. But biometric data isn't alone in fallibility. IDs can be forged, and people fall prey to social engineering. But biometric authentication has an air of infallibility that the others don't, and that is what makes it so dangerous as a means of authentication.
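To put numbers behind the two points above (covert one-to-many screening produces false positives, and over time they are going to happen), here is an added worked example; it is not from the post or from the Economist blog. Every figure in it is a constructed assumption chosen only to make the arithmetic visible: a per-comparison false match rate, a watchlist size, a daily screening volume, the fraction of screened people who are genuinely on the list, and the rate at which a listed person is correctly matched. It also assumes each comparison against the watchlist fails independently, which is a simplification real matchers do not strictly satisfy.

```python
"""Base-rate arithmetic for a covert 1:N biometric screen.

Added illustration, not code from the original post. All constants are
constructed assumptions, not measured or vendor-published rates.
"""

# Constructed assumptions (hypothetical values, not from the post):
FALSE_MATCH_RATE = 1e-4     # chance one 1:1 comparison wrongly matches
WATCHLIST_SIZE = 1_000      # templates each scanned face is compared against
SCREENED_PER_DAY = 100_000  # people passing the covert scanner each day
PREVALENCE = 1e-5           # fraction of the screened who really are listed
TRUE_MATCH_RATE = 0.9       # chance a listed person is correctly matched


def per_person_false_flag(false_match_rate, watchlist_size):
    """Probability an innocent person is flagged in a 1:N search.

    Assumes the N comparisons fail independently, so the person is
    flagged if at least one of them false-matches.
    """
    return 1.0 - (1.0 - false_match_rate) ** watchlist_size


def positive_predictive_value(prevalence, true_match_rate, false_flag_rate):
    """Fraction of alerts that are genuine hits (Bayes' rule)."""
    true_alerts = prevalence * true_match_rate
    false_alerts = (1.0 - prevalence) * false_flag_rate
    return true_alerts / (true_alerts + false_alerts)


def screening_summary(false_match_rate=FALSE_MATCH_RATE,
                      watchlist_size=WATCHLIST_SIZE,
                      screened_per_day=SCREENED_PER_DAY,
                      prevalence=PREVALENCE,
                      true_match_rate=TRUE_MATCH_RATE,
                      days=365):
    """Key figures a defender would want before trusting the alerts."""
    p_flag = per_person_false_flag(false_match_rate, watchlist_size)
    return {
        # chance a single innocent passer-by gets flagged
        "innocent_flag_probability": p_flag,
        # expected innocent people flagged per day
        "false_flags_per_day": screened_per_day * (1.0 - prevalence) * p_flag,
        # share of alerts that are real hits
        "alert_precision": positive_predictive_value(
            prevalence, true_match_rate, p_flag),
        # chance a daily commuter is falsely flagged at least once in `days`
        "commuter_flagged_within_period": 1.0 - (1.0 - p_flag) ** days,
    }


if __name__ == "__main__":
    for key, value in screening_summary().items():
        print(f"{key:32s} {value:.6g}")
```

With these assumed inputs roughly one innocent person in ten is flagged per pass, so the scanner produces thousands of false alerts a day while fewer than one alert in ten thousand is a real hit, and a daily commuter is all but certain to be stopped within a year. The lesson for anyone operating or reviewing such a system is that the per-comparison error rate alone says little; the watchlist size, the screening volume and the base rate of genuine targets decide how many innocent people the system will accuse.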