Security Think Tank: Use biometric security at the right time and place

How can organisations move to biometric authentication of users without running the risk of exposing sensitive biometric information?

Different biometric kit manufacturers use different algorithms to identify your biometric attributes. A digitised fingerprint on one device cannot simply be copied over to another supplier’s system and used on that instead.

Furthermore, each system – when correctly configured – will add a chunk of unique code to your digital fingerprint, so it cannot be used even on other equipment made by the same supplier.

Therefore, generally speaking, biometric systems are pretty bulletproof from an operational standpoint.

The fun begins when you start taking these things apart. As with anything IT-based, even the most secure operational software system can be ruined by failings in the hardware, firmware and underlying operating system. They are rarely developed by the same team and the chain of trust is always questionable.

The hardware may be made by an independent firm in China, which has translated your design brief into Mandarin. The firmware may be coded by another company, probably in China, using the hardware design brief to take a best guess as to what the biometrics company actually wanted.

The operating system most likely stems from Redmond [Microsoft] or from a global open source distribution. While the software might have been developed by a top-end, reputable biometrics system provider subject to a strict compliance regime, you’ve got to question what it sits on.

The simplest way to hack a biometric system is to go for the hardware. Fingerprints can be copied from a static fingerprint scanner, due to the oily deposits left behind by last night’s feast of fish and chips. A bit of adhesive tape is sometimes all you need. Stick it on. Peel it off. Put it on another scanner and see if it works.

There are more advanced options available that can copy said fingerprint onto a slice of silicon. A “please clean after every use” sign would work well, with some spray-on surgical spirit, but I think the days of static palm or fingerprint scanners might be numbered. It’s a bit like typing your password on a keyboard, and walking away only to find the key presses that make up your password have all been illuminated.

Other major failings of biometrics came to light in the 1993 Stallone/Snipes film Demolition Man. Why bother trying to hack a retinal scanner when you can just rip someone’s eyeball out and use that instead? Why bother with smart chips embedded under the skin, when hands can be sliced off and waved in front of door entry systems to gain access?

There’s a huge argument, which biometric security suppliers conveniently ignore, that the use of biometric systems puts staff at risk of physical harm. I’ve known some trade unions to kick back heavily against companies that want to introduce biometrics for that reason alone.

Ultimately, biometrics offers users a super-fast way to authenticate, and (mostly) gets rid of the password problem. You can’t forget a biometric ID, and there’s no upper-case, lower-case and hexadecimal code to remember. Biometrics will save companies money on the cost of supporting password resets and physical security staff, but they’re not perfect.

Biometric scanners don’t really bring more problems than they solve, but they must be used at the right time and in the right place. They need to be monitored, regularly checked for signs of tampering, patched, configured properly and should never leave your sight; otherwise you truly are asking for trouble.

Tim Holman is CEO at 2-sec security consultancy.