Everyone repeat after me: Biometrics are terrible authenticators.
Way too many people, even security and identity people see biometrics as "magic security dust" for two-factor authentication. It is way past time that we, the security community bust this myth. It is important because, unlike spending on firewalls which is insufficient but necessary, biometric infrastructure will need to be ripped out and thrown away. Any VC that is considering investing in a biometric company is wasting money that could be invested in a company that might make a difference.
This rant is driven by the latest biometric darling, Nym. They are taking pre-orders for a heartbeat-based biometric bracelet that promises to authenticate you to your car, home, coffee shop, work PC, hotel etc, etc. Sadly, they have no technical documentation available so this blog post is about issues with using biometric authenticators in general.
The biggest problem by far is the lack of replaceability. If someone steals a copy of my fingerprint or retina scan or heartbeat, either physically, or more likely, digitally, it cannot be replaced. Imagine this conversation with your bank:
**yells "representative" into IVR system 8 times**:"Yes, I use your fingerprint scanner to login, but I just got a breach notice from my health spa that their fingerprint database was compromised. What can we use now?"
Compare that to a call with your credit card company:
**Credit card company calls you**: "We have noticed that your card number has been stolen. We have sent you a new card with a new number."
Credit cards are great secrets - not because they are secret, they most definitely are not - but because they are easily replaced. Biometrics are a terrible factor for authentication because they cannot be replaced. This example also shows how defense-in-depth works. Credit card companies manage the risk via other mechanisms besides authentication.
When a biometric is scanned, it is converted into a usable digital format called a template. Templates are passed from the scanning device to the authentication server. If the idea is to use the same device, such as the Nym, across multiple services, then you have potential conflicts of interest on template management. Any use where the authentication server is not local requires transmission and potential interception.
But the biggest myth, persisting despite data to the contrary, is that you can't reverse engineer a template to get back the original biometric sample. In fact, researchers have reverse-engineered Iris templates, which are considered to be one of the most complex biometrics. And that was in 2012!
You can argue that template technology will improve to reduce this risk. So will the technology to break it.
$79 is not too much money for something that authenticates you everywhere. But that's just the start. Someone has to pay for the server, the readers (or reader software), the maintenance, etc. There is most likely an inverse relationship between the complexity of the biometric sample and the cost of the reader. The less expensive the reader, the worse the sample.
To get better biometrics requires more invasive technology. I can imagine a person whose fingerprints, heartbeat and retinal scans have all been compromised. What will they sample next? The less invasive the sample, the easier it is to forge and reverse the template.
Biometric systems are much more complex than most other forms of two-factor authentication, making them more likely to suffer from implementation issues. Since this is the case, it is very important to publish your technical details for peer review. (You can download our white paper registration free with all our transactions.) I cannot find any technical details at all from the getnymi.com site. If they are able to take pre-orders, they must have that information, right?
The "lopitoff attack"
Hopefully, the technology has progressed from when car thieves cut off a man's fingers so they could steal his Mercedes.. Fingerprint readers should be capable of feeling for a pulse. This would need to be universally implemented and required. Because the real key here is making sure that THIEVES KNOW THAT BEFORE THEY CUT OFF YOUR FINGER.
Using a heartbeat instead of fingerprints lead Jeff Jarmoc to worry about this:
Two-factor authentication is a key element of any security program. There are no doubt excellent implementations out there. However, to continue to pitch biometrics as the ultimate form of two-factor is a delusional. We need to create new types of easy-to-use, non-invasive forms of authentication as static passwords clearly have exceeded their usefulness. It just should not involve biometrics.
If you still don't believe biometrics have problems, ask the real mythbusters.