Thursday, March 3, 2011



Biometric authentication has been heralded as the future of security systems: a verification system that not only drastically reduces the risk of the system's security being compromised but also eliminates the need for much of the traditional security overhead. In recent years biometric authentication systems have become more prolific as numerous manufacturers of biometric sensing devices and middleware providers have entered the market. Biometrics have met with particular success in restricting physical access in high-security environments, so it is curious that this success has not been echoed where network authentication is concerned. It is with this in mind that we look at the pros and cons of biometric authentication for networks and investigate whether this slowness of uptake is an indication of things to come or whether biometric authentication is the next big thing, worthy of all the claims of its biggest proponents.

Each form of biometric authentication has its own strengths and weaknesses, but before going into specifics it is necessary to discuss biometrics as a whole and whether biometric authentication is a practical concept or subject to any one of a number of design flaws. The following paragraphs are loosely devoted to the pros and then the cons: arguments in favour are given in the paragraph discussing the pros, along with any counter-arguments aimed at specific points, and the converse is true for the cons.

Arguments in favour of adopting biometric authentication for network access are many and varied, but the core arguments revolve around three key areas. The first of these is the uniqueness of biometric attributes, which makes them an ideal candidate for authenticating users. The fact that fingerprints have been used as a method of identification since as early as 1858, with Scotland Yard's Central Fingerprinting Bureau being established in 1901, is a testament to the technique's longevity. What better way to verify a user's identity than by something that is inherent and unique to that user? The second argument in favour of biometrics in principle is one of the least disputed: with the user now unable to forget or share passwords, password administration and overhead are reduced while network security as a whole is increased. This could in fact be considered the driving argument behind the biometric authentication movement. The third argument is again that of security: it is thought to be much more difficult to replicate a biometric feature at the data acquisition stage than it is to replicate someone's user ID or password and, as opposed to tokens, a biometric characteristic cannot be lost or stolen.

Arguments against the introduction of biometric authentication are far more numerous. The current cost of biometric authentication measures is, while falling, still very high. Not only do the hardware and software need to be acquired, but they must also be integrated with the current network. The price-to-return ratio is not yet satisfactory; while biometric authentication may reduce administration overheads, the cost of introducing the system is still far too high. It must also be borne in mind that, as it stands, biometric authentication is only suited to simplistic networks at best. The high price, coupled with the fact that biometric authentication is an all-or-nothing technology, is another argument against. By all or nothing it is meant that there is no point in having biometric authentication at every desktop on your network if someone using a laptop can remotely log in with no biometric authentication, as this would completely undermine the system. While it can be argued that storing the biometric data (data of a more personal nature than a username and password) is an invasion of the user's privacy, proponents of biometric authentication counter that it is not the data itself which is stored but a representation of that data from which the original cannot be constructed. That said, it would still need to be ensured that the data was not misused and was kept secure. Given the tendency of successful technologies to spread, there is a danger that the same biometric data could be used to authenticate the user in a variety of different applications. This could mean that, were someone's biometric data to be compromised, it might compromise not only network security but also their bank account, their car, etc. This issue is often brushed aside by stating that, as it stands, there are so many independent, incompatible vendors and products that the chances of the same biometric data being used for multiple applications are negligibly low, but with the emergence of standards, as is necessary for any technology seeking global acceptance, this is sure to change.

It has been mentioned that biometric data does not have the necessary attributes of a key, i.e. secrecy, randomness and the ability to update and destroy (Schneier). Not only are your biometrics unique, but they are also unary. If your biometric data is compromised, it is not simply a matter of issuing you a new password. There are also a number of other minor objections to its use as network authentication: people's comfort level with the new technology, which is always a factor; the fact that not all people are able to enrol on any one particular system (statistically, between 0.5% and 10% of users will not be able to enrol on a given system due to features from which the system is unable to extract reference points); and the worry that a system may not recognise a valid user. This last is particularly worrying in cases where the biometric used to identify the user is one in which change is not unlikely, such as a cold for vocal analysis; any fallback authentication also compromises the integrity of the system. It should also be noted that no two reads from a biometric data reader are exactly the same. While a username and password are binary, i.e. either you have access to the system or you don't, biometric authentication gives a likelihood of a match. Though access can be set to be granted only to those with a very high likelihood, there is still an element of uncertainty, which results in a not entirely secure system.
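The likelihood-of-match behaviour described above can be shown with a small added example (not part of the original post). It assumes templates are 32-bit strings compared by the fraction of agreeing bits; the reference template, the reads and the thresholds are all constructed sample data.

```python
# Added illustration: every template and read below is constructed sample data.
BITS = 32
ENROLLED = 0xA53C96F0  # constructed reference template stored at enrolment

# Fresh reads from the enrolled user: the reference with sensor-noise bit flips
# (1, 3, 4, 8 and 11 flipped bits; the last models a poor-quality read).
GENUINE_READS = [ENROLLED ^ m for m in
                 (0x00000001, 0x00000103, 0x0000F000, 0x00FF0000, 0x0007FF00)]
# Reads from other people (16, 24, 12, 10 and 32 differing bits).
IMPOSTOR_READS = [ENROLLED ^ m for m in
                  (0xFFFF0000, 0x0FFFFFF0, 0x00FFF000, 0x0003FF00, 0xFFFFFFFF)]


def similarity(a, b):
    """Fraction of template bits that agree (1.0 means identical)."""
    return 1 - bin(a ^ b).count("1") / BITS


def accepts(read, threshold):
    """Grant access when the read is at least `threshold` similar to the reference."""
    return similarity(ENROLLED, read) >= threshold


def error_rates(threshold):
    """Return (false accept rate, false reject rate) over the sample reads."""
    far = sum(accepts(r, threshold) for r in IMPOSTOR_READS) / len(IMPOSTOR_READS)
    frr = sum(not accepts(r, threshold) for r in GENUINE_READS) / len(GENUINE_READS)
    return far, frr


if __name__ == "__main__":
    # 1.00 is the password-style exact comparison: no impostor gets in, but no
    # genuine read matches either, because no two reads are identical.
    for t in (1.00, 0.85, 0.70, 0.65, 0.60):
        far, frr = error_rates(t)
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
```

Lowering the threshold far enough to accept the poor-quality genuine read also admits the closest impostor read, which is the element of uncertainty the paragraph refers to.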

A number of other issues exist, such as ensuring that the measured biometric is live, but beyond this most of the issues are those that apply to the majority of networks today. It must be remembered that after data acquisition the biometric data is represented the same way as any other authentication measure and as such is vulnerable to the same attacks. It should also be mentioned that, although storage is getting cheaper, the biometric data template could take up a lot more space than regular user/password combinations.

The pros and cons associated with specific devices are highlighted below:

Fingerprint readers

Pros: Not much storage space is required for the biometric template
Cons: Has traditionally been associated with criminal activities and thus users could be reluctant to adopt this form of biometric authentication

Iris Scans:

1-  Non-intrusive, camera can be up to 12" away
2-  High accuracy in identifying users
3-  Low data storage requirements for template