(Author's note: For the sake of this article, we will consider only finger-printing as a biometric authentication solution.)
In today's world the use
- Password selection: Since the password comes out of a human mind, one issue that arises is when people select weaker passwords. Weak passwords are easily predictable or can be easily broken with the use of technology.
- Input mechanism: With tools like keylogger and attacks like phishing, a password can be stolen while it is being input into the system.
- Transmission channel: After the password is input and transmitted to the server, it goes through the Internet, which is not secure. Anyone can retrieve the passwords using sniffing tools, unless that transmission channel or the password being sent is encrypted.
- Password storage: If people get unauthorized access to the database that contains passwords, then those passwords are vulnerable. Outside attackers can get unauthorized access to the database that stores passwords through a SQL injection attack.
- Social engineering: Attackers can get people to reveal their passwords by pretending to be someone else.
- Password selection: There is no password in biometrics. We have only our fingerprint. That means I have only one password for everything. Weak passwords are eliminated. Problem solved! Now ask yourself, what if someone stole your fingerprint. Can you change your fingerprint like you can change your password if it is stolen?
- Input mechanism: This problem remains the same. Currently, there are tools that log your keystrokes secretly and send them to the attacker. Tomorrow there will be tools that steal your fingerprint while you are scanning and send it secretly to the attacker.
- Transmission channel: This problem also remains. Unless the transmission channel is secure or your fingerprints are encrypted, they are also prone to sniffing attacks and can be stolen.
- Fingerprint storage: This faces the same problem as that of passwords. If malicious people can access the data storage that stores fingerprints, they can steal fingerprints as well.
- Social Engineering: This problem might go away, as people won't give anyone their fingerprints via e-mail or the telephone. But if an attacker were to contact them in person, he could get their fingerprints.
Most importantly, what would scare you more: if your password were stolen or your fingerprints? Remember, fingerprints can be misused in more then one way.
As you can see, biometric authentication gives us more questions than answers. With Bill Gates suggesting that they want to do away with passwords, it would be interesting to see what kind of approach Microsoft takes. Even with all the issues surrounding passwords, I don't think they are going away anytime soon.
About the author: Anurag Agarwal, CISSP, works for a leading software solutions provider where he addresses different aspects of application security. You may e-mail him at firstname.lastname@example.org.
This was first published in April 2006