Using a fingerprint or other physical characteristic, called biometric data, for
identity verification seems, at first glance, like a perfect solution to
the problem. Unfortunately, there are some basic problems with using biometric
information that way. If the biometric data can be gathered by others, it no
longer makes such a good identifier.

As part of a political protest against including fingerprints in passports,
the Chaos Computer Club (CCC) published the
fingerprint of German Home Secretary Wolfgang Schäuble. Schäuble
is a supporter of collecting fingerprint data to combat terrorism. The club not
only published the picture, but also a film that can be placed over a
finger to deceive fingerprint scanners. A club spokesman has usage
recommendations as reported in heise online:

We recommend that you use the film whenever your fingerprint is taken,
such as when you enter the US, stop over at Heathrow, or even when you
touch bottles at your local supermarket -- just to be on the safe side.

It seems unlikely that CCC's distributed finger film will
actually leave the Secretary's print on a glass surface, but more
sophisticated versions of the same basic idea should be able to.

Various folks have shown that using an image of someone's fingerprint can
fool most scanners. Even sophisticated scanners can be spoofed when that
image is placed over a live finger—with body temperature and pulse.

The problem is that while a fingerprint is unique, it isn't secret. CCC
got theirs from a sympathizer who picked it up from a glass used by the Secretary
during a speech.

Bruce Schneier is, as usual, ahead of the curve on this. In an article
from nearly ten years ago, he drives home the point:

The moral is that biometrics work great only if the verifier can verify two
things: one, that the biometric came from the person at the time of
verification, and two, that the biometric matches the master biometric on
file. If the system can't do that, it can't work. Biometrics are unique
identifiers, but they are not secrets. (Repeat that sentence until it sinks

Other forms of biometric identification exist, but are susceptible to the
same kinds of problems. A voiceprint or facial identification scanner
could be fairly easily subverted by secretly recording or photographing the
subject. Retinal scans are trickier, perhaps, but technology to remotely
(and surreptitiously) read them will probably come along. In many cases,
an attacker may not even need to go to that amount of trouble because they
can just extract—or pay to have someone else extract—that
information from some database.

More and more of this kind of information is being gathered and
centralized. The US has started fingerprinting all ten fingers of non-citizens
who enter the country—other countries have started doing it in
retaliation. One could hope the data retention policy for that information
is similar to that of White House emails, but it is probably longer.
Worse yet, it is probably stored with photographs, passport information,
and signature of the subject.

The key to using biometrics correctly is to repeat the Schneier mantra:

Biometrics are powerful and useful, but they are not keys. They are useful
in situations where there is a trusted path from the reader to the
verifier; in those cases all you need is a unique identifier. They are not
useful when you need the characteristics of a key: secrecy, randomness, the
ability to update or destroy. Biometrics are unique identifiers, but they
are not secrets.

Revocation of a biometric identifier is difficult or impossible—if it
is even known to be compromised. One could potentially switch fingers for
fingerprint identification, or even switch eyes—once. Switching
voiceprint, face, or DNA, if and when that gets used, will be essentially
impossible. Biometrics suffer from the same failure mode as using the same
password everywhere, unless you can somehow use a different characteristic
for each biometrically "protected" dataset—hard to do with limited

Biometric data does have its uses, but it has limitations as well. It
seems seductively simple that your fingerprint is the same as you, but it
isn't necessarily true. Now we just need to teach the politicians, which
might be something that Schäuble is starting to learn.
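
The "trusted path from the reader to the verifier" and the key properties quoted above (secrecy, the ability to update or destroy) can be sketched in code; this is an added example, not code from the article or from Schneier. The reader key, the nonce exchange, the 256-bit template and the 8-bit match threshold are all assumptions, and whether the reader can tell a live finger from a film is outside what it models.

```python
import hashlib, hmac, secrets

# Constructed sample data: a 256-bit stand-in for a fingerprint template and a
# fresh scan of the same finger that differs by two bits of sensor noise.
MASTER = hashlib.sha256(b"constructed template").digest()
LIVE = bytes([MASTER[0] ^ 0x03]) + MASTER[1:]

def bit_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length samples."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def reader_tag(reader_key: bytes, nonce: bytes, sample: bytes) -> bytes:
    """Hypothetical trusted reader: binds the sample it measured to the nonce."""
    return hmac.new(reader_key, nonce + sample, hashlib.sha256).digest()

class Verifier:
    """Hypothetical verifier holding the master template and one reader's key."""
    def __init__(self, master: bytes, reader_key: bytes, max_bits: int = 8):
        self.master, self.reader_key, self.max_bits = master, reader_key, max_bits
        self.pending = set()  # nonces issued and not yet used

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def rotate_reader_key(self) -> bytes:
        # The key is a secret, so it can be replaced. The template cannot.
        self.reader_key = secrets.token_bytes(32)
        return self.reader_key

    def verify(self, nonce: bytes, sample: bytes, tag: bytes) -> str:
        if nonce not in self.pending:
            return "reject: stale nonce"
        self.pending.discard(nonce)  # each challenge is single use
        expected = reader_tag(self.reader_key, nonce, sample)
        if not hmac.compare_digest(expected, tag):
            return "reject: no trusted path"
        if (len(sample) != len(self.master)
                or bit_distance(sample, self.master) > self.max_bits):
            return "reject: no match"
        return "accept"

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    v = Verifier(MASTER, key)
    n = v.challenge()
    print(v.verify(n, LIVE, reader_tag(key, n, LIVE)))  # scan via trusted reader
    n = v.challenge()
    # A copy of the template matches perfectly, but arrives without the reader key.
    print(v.verify(n, MASTER, reader_tag(b"guess", n, MASTER)))
```

The secret in this design is the reader key, which is random and can be rotated after a compromise; the template only answers the question of who is being claimed.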