The problem(s) with using biometrics

When talking to people about Identity, usually at some point in the conversation, people say "so the future is biometrics?".  And my response is "maybe".....

So here are a few musings on the problems that biometrics face (if you pardon the pun).
  1. Biometrics are to do with authentication of an entity - NOT identity; it is the authentication that provides the gateway to whatever identity system you are using. I'm constantly amazed by the number of security and identity professionals who confuse / mix / interchange these two terms.
     
  2. Biometrics if stolen cannot be replaced; which is sort of true, but in reality you leave your fingerprints, face and even DNA everywhere. The issue is a replay attack against devices that have your biometric registered, from the "gummy bear" attack against fingerprint sensors, to the dummy head attack against the iPhone 10.
     
  3. Biometrics cannot be revoked; if you are concerned that someone out there is spoofing your biometric information you cannot toss it away and replace it, as you would a password or a credit card. Yes, there are techniques like salting and one-way encryption that reduce the potential damage. But there will always be a poorly designed system with the potential for a leak of biometric credentials, ruining them for all other systems.
     
  4. If you rely on a device to validate biometrics then you (as the relying party) must know the actual model the entity is using, in order to understand;
    • the technology behind the biometric match and what exploits can be used against it
    • the threshold settings on a biometric match within the device / firmware / software
    • the match confidence, or how well the biometric passed validation
        
  5. As the end user (and the owner of the biometrics) HOW DO I KNOW where my biometrics are stored? When I register my biometrics, I have no actual idea what happens with my biometrics, and have no (easy) way of validating the vendor assurances of "it is secure and well designed".
    I hope that my fingerprint is stored only on my smartphone, AND in a non-reversible format, AND is not being shipped externally (even on backup).  BUT I HAVE NO IDEA; for all I know my registered fingerprint could be stored and shipped externally as a plain image, and when I authenticate it's being manually verified by a bank of humans in a low wage country.
     
  6. Biometrics on mobile devices are not the gold standard; many app developers regard the move to biometrics, particularly fingerprint, as far superior to other authentication methods.  Unfortunately the fingerprint API (Android) simply says (binary) "biometric authentication passed"; so on a smartphone where you have enrolled fingerprints from yourself, your partner, best mate etc., when opening the banking app any of those enrolled fingerprints works; however the bank regards that authentication as the current "gold standard" and applies a higher level of "certainty" that it is the account owner using the smartphone!

So what SHOULD this look like?

For the owner of the biometrics; Provable assurance that my biometrics are secure and exclusively under my control. This means;

  • The only place my biometric should be stored is on a device under my exclusive control
  • That my biometric should not be directly used outside of said device and should only be released as a cryptographic assertion of "sameness"
  • That where a device is only partially under my control (say, a smartphone) then biometrics should only unlock a cached assertion of sameness.

For the receiver of the authentication / identity / attributes (and the entity usually taking the majority of the risk in the transaction), if they are to make a good, risk-based, decision then it is critical that they are able to fully understand how well the entity is connected to the digital infrastructure they are using.
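
The relying-party decision described above, as an added sketch that is not from the original post: the device signs a challenge together with match context, and the relying party grades it instead of trusting a binary "passed". The field names, the 0-1 score scale, the 0.90 policy floor and the shared demo key are assumptions for illustration; HMAC stands in for an asymmetric key held in secure hardware.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key: stands in for a per-device key registered at enrolment.
# A real design would use an asymmetric key pair held in secure hardware.
DEVICE_KEY = b"constructed-demo-device-key"


def device_assert(challenge, score, threshold, enrolled, key=DEVICE_KEY):
    """Device side: after a local match, sign context; the biometric never leaves."""
    claims = {"challenge": challenge, "score": score,
              "threshold": threshold, "enrolled_templates": enrolled}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def relying_party_decide(assertion, expected_challenge, key=DEVICE_KEY,
                         min_threshold=0.90):
    """Relying party: verify the assertion, then grade it (hypothetical policy)."""
    body = assertion["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["tag"]):
        return "reject: bad signature"
    claims = json.loads(body)
    if not hmac.compare_digest(claims["challenge"], expected_challenge):
        return "reject: stale or replayed challenge"
    if claims["score"] < claims["threshold"]:
        return "reject: match below device threshold"
    if claims["threshold"] < min_threshold:
        return "step-up: device threshold weaker than policy"
    if claims["enrolled_templates"] != 1:
        return "step-up: several enrolled biometrics, holder not unique"
    return "accept: high assurance"


if __name__ == "__main__":
    nonce = secrets.token_hex(16)  # fresh challenge per authentication
    # Constructed case: a phone with three enrolled fingerprints (point 6).
    shared_phone = device_assert(nonce, score=0.97, threshold=0.95, enrolled=3)
    print(relying_party_decide(shared_phone, nonce))
```
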

The Right to Privacy in the Digital Age?



In December 2013, the United Nations General Assembly adopted resolution 68/167[1], which expressed deep concern at the negative impact that surveillance and interception of communications may have on human rights. The General Assembly affirmed that the rights held by people offline must also be protected online, and it called upon all States to respect and protect the right to privacy in digital communication.

As the previous High Commissioner cautioned in past statements [September 2013 and February 2014], such surveillance threatens individual rights – including to privacy and to freedom of expression and association – and inhibits the free functioning of a vibrant civil society[2].
 

Yet this week we have headlines that “Facebook encryption threatens public safety[3]” from the UK Home Secretary and her US and Australian counterparts.

Now while I’m not Facebook's greatest fan (I won’t install it on my Smartphone), history tells me that the moment I hear politicians talk about encryption coupled with the words “paedophiles and terrorists” as their headline justification I start to worry; as it usually means there is little valid argument; but they would like to trample on people’s Human Rights on a wave of moral outrage!

Existing laws allow for orders for wire taps of products like WhatsApp and can get some data, (IP addresses, phone numbers, contact lists, avatar photos etc.); and while you cannot get encrypted messages and attachments, you use this and other evidence to apply to a court and convince a judge that you have sufficient grounds for a warrant to arrest and seize their end-point device!

Having worked with the police in the 1990s to get the solid evidence so that they could arrest one of our employees for accessing indecent images of children, I know first hand that our existing laws were more than adequate to get an arrest warrant.

There are a number of root-cause problems here that have been rehashed over the many, many years I’ve been listening to this debate as it continually rears its head.

The first is the Phil Zimmermann[4] quote[5] “If privacy is outlawed, only outlaws will have privacy.” Which is often misquoted as “If encryption is outlawed, only outlaws will have encryption”. This probably applies doubly to those terrorist organisations that are well funded enough to write their own encryption products and even use steganography[6] to hide it in plain sight.

The second is the “our government wants a back-door into your encryption”. The problem here (especially for international tech companies) is “which government is entitled to have a back door key?” – because if the US demands it, then other countries will also demand it, usually as a condition of doing business in their jurisdiction – so it rapidly becomes “any legitimate government” – but legitimate does not equate to benign, or even non-repressive towards certain sections of its citizens.

The third is that international business needs to be able to ensure that its business communications are secure; I can remember the time in the 90s when France would not allow secure encryption of our corporate WAN links into the country – this can negatively affect business investment decisions if you cannot ensure the security of your business (physical or digital) in that country.

History is littered with failed and flawed attempts to get back-doors into encryption; so I would recommend that any politician who actually wants to make this suggestion goes and talks to the (white-hat) hackers at Blackhat and Defcon, or those of us who have been implementing security in large corporates for many years, and they will tell you that the encryption genie escaped the bottle a long time ago and the only people you will actually harm are the 99% plus of citizens who are law abiding; and the companies and organisations that need MORE strong encryption to protect us from the evils on the Internet.

In our work on Identity we have identified the need not only for strong encryption, but also for it to be open source and peer reviewed so all parties can assure themselves that there are no back doors – this builds trust in both the identity and digital ecosystem; then this must be coupled with 100% anonymity at the root of an entity’s identity, which ensures privacy and delivers primacy and agency.

It may seem counterintuitive, but by doing this you end up with a more accountable, more trustworthy digital ecosystem.