Claims about biometrics accuracy raise questions but get repeated
A LinkedIn post by a security awareness professional has raised eyebrows in biometrics circles, some of them indirectly, suggesting that the technology comes with several problems.
Roger Grimes writes that biometric authentication can be good if well implemented, but still comes with concerns.
His article was picked up by Computer World Columnist Evan Schuman, who argues that biometric authentication systems, “as currently implemented, are little more than convenience.” At least one more publication has since picked up the thread.
Grimes identifies accuracy, hacking, stolen images or templates, the germs that go along with touch-based systems, privacy and surveillance, and bias as potential problems with using biometrics. He also provides advice for addressing several of these concerns.
Schuman seems to discuss authentication security largely via reference to phone-unlocking applications.
In both cases, the wording appears to be causing confusion in some quarters, if not all around.
Grimes asks “How can any system that relies on my fingerprints truly know that who is submitting them is me?” The potential of ‘liveness detection’ as an answer is not discussed. Grimes notes the usefulness of a second authentication factor
Curiously, he writes that NIST reports show the most accurate biometric solutions tested have error rates of 1.9 percent, but links to the FRVT and a test of fingerprint solutions from 2014, which appears to be where the statistic is drawn from.
Do not buy any biometric solution from 2014 if you are highly concerned about security.
Further, most biometrics experts will point out that accuracy is not properly expressed as a single number.
Acuity Market Intelligence Principal Analyst and Chief Strategist Maxine Most responded on LinkedIn with direct responses to four criticisms from Schuman. Most points out that there are ways to preserve privacy while using the cloud, and that templates can be revoked or canceled, among methods of mitigating biometric data theft.
“This POST perpetuates a series of debunked #biometric myths,” Most writes. “Like every other #security #technology, it’s not the failure of the technology but the failure of the implementation that is at issue. . Poor implementations of biometrics work poorly Good implementations of biometrics work well.”
“There are plenty of ways of deploying biometrics securely,” Schuman acknowledges.
If the core argument is that single-factor authentication without presentation attack detection is not highly secure, the day is won. If the argument is that there is an approach that organizations should be using instead of biometrics for better security, we are still waiting for the big reveal.
Article Topics
accuracy | Acuity | biometric authentication | biometrics | data protection
Comments