Biometrics

Don Burleson over at Burleson Consulting has written an interesting survey of Oracle biometrics applications.

With the inherent problems associated with passwords, Oracle security administrators are finding that Oracle biometrics is a more secure and cost-effective solution. Oracle biometrics systems offer more secure environments and also remove the need to dedicate a help-desk person to manage changing passwords for hundreds of end-users.

It’s interesting to see what’s out there, but as Zach will always remind us, biometrics will not hold up in the long run. As biometrics become commonplace they will be hacked. What will you do when someone steals your fingerprints (or the digital representation of them)? You can’t change them. Hell, you can’t even keep from leaving them behind just about everywhere you go.

If a lock can be opened, it can be picked; and if your password can be used, it can be forged. The more common biometrics become (Don mentions in his article that fingerprint readers are now less than $31), the more folks will set their sights on hacking them. These devices work on common interfaces and pass their information over networks, potentially exposing your personal password to unknown parties.

If biometrics catch on, you could be required to provide fingerprint identification to use your credit card at your local convenience store. Do you really trust them, or worse yet the government (which can’t even keep your SSN secure), with the password to your bank account, business account, desktop computer and medical history?

So if biometrics isn’t the holy grail of electronic security, what is?

I don’t know what the future of password management is. The most holistic solution I’ve seen yet is the one that Zach and I proposed last year: users are given a “password change authorization code”, which they are encouraged to keep with their birth certificate (or in another safe place), and which lets them change their password through a self-service page if the password is ever lost.
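To make the proposal concrete, here is an added example (not code from this post or from Zach’s and the author’s actual design) of what the server side of such a self-service page could look like: the authorization code is kept only as a salted hash, compared in constant time, locked after repeated wrong guesses, and burned on use, so unlike a fingerprint it can be replaced if it ever leaks. The code format, iteration count and in-memory `Account` record are assumptions for illustration.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass
from typing import Optional

MAX_RESET_ATTEMPTS = 5      # lock the code after this many wrong guesses
PBKDF2_ROUNDS = 100_000     # slows offline guessing if the store leaks

@dataclass
class Account:
    """Constructed in-memory record standing in for the user table (assumption)."""
    username: str
    password_hash: bytes
    salt: bytes
    reset_code_hash: Optional[bytes] = None   # only a hash of the code is kept
    reset_code_salt: Optional[bytes] = None
    failed_reset_attempts: int = 0

def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, _hash(password, salt), salt)

def verify_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, acct.salt), acct.password_hash)

def issue_reset_code(acct: Account) -> str:
    """Create the authorization code the user stores offline; format is hypothetical."""
    code = "-".join(secrets.token_hex(2).upper() for _ in range(4))  # 64 bits of entropy
    acct.reset_code_salt = os.urandom(16)
    acct.reset_code_hash = _hash(code, acct.reset_code_salt)
    acct.failed_reset_attempts = 0
    return code

def self_service_reset(acct: Account, presented_code: str, new_password: str) -> bool:
    """Self-service password change: succeeds only with the live, unused code."""
    if acct.reset_code_hash is None or acct.failed_reset_attempts >= MAX_RESET_ATTEMPTS:
        return False
    candidate = _hash(presented_code, acct.reset_code_salt)
    if not hmac.compare_digest(candidate, acct.reset_code_hash):  # constant-time compare
        acct.failed_reset_attempts += 1
        return False
    acct.salt = os.urandom(16)                           # rotate the password...
    acct.password_hash = _hash(new_password, acct.salt)
    acct.reset_code_hash = acct.reset_code_salt = None   # ...and burn the code (single-use)
    return True
```

A real deployment would also log each reset attempt and notify the account owner out of band, which is where the help-desk cost the quoted article worries about is actually saved.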


5 thoughts on “Biometrics”

  1. It’s interesting that biometrics has been used by the government for decades, and they got around the forgery issue with machines that detect a “live” finger. You cannot “hack” off someone’s finger and use it for access...

    I wonder if that is where “hacker” originates?

  2. The point is not only that the finger could be hacked (so to speak) but that perhaps the reader or even the software could be hacked or emulated. Where there’s a will there’s a way.

    Look at the evolution of magnetic credit card readers. Twenty years ago it might have been just banks and stores that had them, but a year ago I made one of my own for less than $50.

    I think you’d agree that it would be foolish to say this system could not be hacked. Most would even agree that it’s just a matter of time. Once hacked you can either change reader technology to compensate for the hack or abandon the biometrics. Either solution is expensive.

  3. A successful credential needs to be disposable. If it is somehow compromised there has to be a way to change the credential. Biometrics lack this by definition.

    A recent article out of Clarkson University talks about how something as simple as Play-doh can defeat many fingerprint scanners.

    Obviously technology will improve in response to this, but as 2 cent solutions defeat million dollar research we should question why we’re bothering with such a flawed and expensive plan.

  4. Zach said,

    >> A successful credential needs to be disposable.

    I wonder if someone can elaborate on this. From a database perspective, the immediate security question is verifying the real identity of a specific user, and I would think that the best proof of “who I am” might be persistent attributes such as fingerprint, facial recognition, retina and DNA.

    I don’t understand why security credentials need to be transient and “disposable”. Can you educate me on this?
