A fingerprint is forever

It's official: biometric technologies have emerged as the new front-runner in the race to become the security industry's next big thing. As manufacturing costs fall, a variety of affordable fingerprint scanners, retina/iris scanners and voice/face recognition systems are finding their way onto the market. Fueled by visions of impregnable for tresses, many are eager to leap on the bandwagon.

Don't get me wrong; biometrics techniques are a valuable addition to the security practitioner's toolbox and can create significant obstacles to a would-be attacker. They provide a way around the "breakable-password" dilemma by replacing the word with a relatively complex, unique identifier that the end user cannot forget or misplace.

Unfortunately, because historically they have been so expensive and exotic, biometric tools tend to elicit a dangerously excessive degree of trust. No matter what marketing claims vendors may make, biometric authentication systems are vulnerable to attack. As any student of spy stories can attest, there are several ways to forge a fingerprint, some surprisingly simple. For example, a number of low-end optical fingerprint scanners can be fooled with nothing more than a photocopy of the relevant finger. More sophisticated scanners can be much more difficult to trick, but keep in mind that the hacking community is just beginning to investigate techniques for breaking those tools.

A less intuitive but much simpler attack approach is to forge a "minutiae" file—the digitally stored data describing relevant physical characteristics. While a fingerprint, iris pattern or voice signature may contain enormous amounts of unique information, biometric scanners capture and store only a relatively small portion. Some fingerprint scanners may capture as little as four bits of random data. For the typical desktop computer, guessing the content of such a file is a trivial matter— in many cases, it's easier than guessing a traditional password.

More complex minutiae files may be vulnerable to theft. If the files are transmitted over a network, they can be intercepted, particularly if poorly encrypted. Templates of minutiae files also must be stored somewhere so the system has something to compare incoming scans against. If improperly secured, those databases present a tempting target.

A cracked or stolen biometric system presents a difficult problem. Unlike passwords or smart cards, which can be changed or reissued, absent serious medical intervention, a fingerprint or iris is forever. Once an attacker has successfully forged those characteristics, the end user must be excluded from the system entirely, raising the possibility of enormous security risks and/or reimplementation costs.

Granted, that is a worst-case scenario. I'm not suggesting that you completely rule out biometrics, but make sure you know what you're getting yourself into, and never ever place blind trust in the technology.