Two related pieces of commentary on biometrics may put the security and development community at odds.
The first is that mobile developers like biometrics: an Evans Data study released last month and reported on this week at eWeek says that developers’ preferred approach to security is biometrics. It was favored in the Evans survey by 36 percent of developer respondents. On-device hardware encryption followed at 25 percent, near field communications (NFC) at 18 percent, and on-device software encryption at 14 percent.
The problem is simply that biometrics isn’t seen as the most effective option. The second piece of commentary, at BetaNews, points to significant security issues and concerns with the technique.
Biometrics, the story says, “will be easier to hack than passwords.” The other issues are a bit more subtle. For instance, a stolen or hacked password can simply be invalidated. A biometric marker can’t be changed. The cracker thus can continue to try to use it in dark and devious ways. The bottom line is that biometrics are far from a panacea. Despite their popularity with developers, their personal nature will put them under continued scrutiny:
“In the coming years, we expect an intensified arms race between consumer products companies and hackers for supremacy in the space of biometric technology. Each new attack will undoubtedly cause companies and users to reflect on their willingness to trade off security for convenience.”
An interesting piece at SecureIDNews appears to favor biometrics. In doing so, however, it creates a pretty good case against biometrics. The piece makes the fair point that the public largely doesn’t understand biometrics. Writer Zack Martin points out that a bank doesn’t actually have a map of a customer’s fingerprints, as many consumers intuitively believe. It has a numerical representation that either succeeds or fails to adequately match what the customer (or thief) sends.
That’s fair. However, it doesn’t logically prove that the procedure is safe. If the data the bank has is enough to deny or permit access, wouldn’t it pose as big a danger as a full image of the fingerprint, if stolen?
The more important point is a discussion of various hacks that are occurring. Martin writes that hackers have fooled some facial recognition systems by using 3D modeling software on publicly available photographs of the target.
True security requires layers. But acknowledging that biometric approaches can indeed be hacked, combined with the fears expressed at BetaNews – essentially, that a hacked biometric marker inherently is more serious than a hacked password – makes the approach seem less attractive.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.