For reasons I don’t completely understand, much of the world seems to be in love with biometrics—not only users of expensive smartphones and laptops, but even seasoned security professionals in charge of guiding the world’s future authentication solutions. I was recently in a consortium meeting dedicated to establishing the world’s security standards around future authentication and I was surprised to hear how many of the attendees felt that biometrics were the be-all-and-end-all of secure authentication, when that so isn’t the case.
I’ve never been a fan of biometrics, but now I all-out hate them. Why? Because they are horrible at authenticating people. Here is what I mean:
Biometrics are horribly inaccurate
Most people think that biometrics are incredibly accurate, because that’s the way they are sold. You’re told, “No one else has your fingerprints, retina, hand print” or whatever. While that might be nearly true, the representation of how your biometric attribute is stored is nowhere nearly as detailed and unique as the real and true biometric factor being measured.
While your fingerprint might be (nearly) unique in the world, what is stored and subsequently measured during authentication is not. Your fingerprint (or iris, retina, face, etc.) is not stored and measured as a highly detailed picture. What is stored and evaluated is a measurement of various defining characteristics (“points”) of that biometric identity.
For example, your fingerprints are turned into series of points noting where major “rivers and valleys” and sharp changes happen. These big deviations are marked with points, with the overall fingerprint being stored and evaluated looking much more like a star constellation than a real fingerprint.
The device and software that record the original biometric attribute can only collect so much detail. At some point the reader/scanner cannot see the fine detail without it becoming blurred, but in most cases, they can see far more of the detail than would ever be useful. Everyone’s fingerprint has very tiny “micro-changes”, some perhaps part of the actual fingerprint, but more that are temporary instances of cuts, abrasions and wear patterns.
If a fingerprint reader recorded every bit of fine detail that it could, it’s very likely that tomorrow your stored fingerprint would not match your fingerprint today. The same with your face, iris, retina or any other biometric attribute. Instead, biometric readers and verifiers are forced to “de-tune” themselves to be less accurate than they otherwise could be. In fact, this de-tuning is usually so thoroughly implemented that the purported uniqueness of the real biometric factor ends up getting far more matches with other unrelated stored values.