So here are a few musings on the problems that biometrics face (if you pardon the pun).
- Biometrics are to do with authentication of an entity - NOT identity; and the authentication that provides the gateway to whatever identity system you are using. I'm constantly amazed by the amount of security and identity professionals that confuse / mix / interchange these two terms.
- Biometrics if stolen cannot be replaced; which is sort of true, but in reality you leave your fingerprints, face and even DNA everywhere. The issue is a replay attack against devices that have your biometric registered, from the "gummy bear" attack against fingerprint sensors, to the dummy head attack against the iPhone 10.
- Biometrics cannot be revoked; if you are concerned that someone out there is spoofing your biometric information you cannot toss it away and replace it, as you would a password or a credit card. Yes, there are techniques like salting and one-way encryption that reduce the potential damage. But there will always be a poorly designed system with the potential for a leak of biometric credentials, ruining them for all other systems.
- If you rely on a device to validate biometrics then you (as the relying party) must understand the actual model the entity is using to understand;
- the technology behind the biometric match and what exploits can be used against it
- the threshold settings on a biometric match within the device / firmware / software
- the match confidence, or how well the biometric passed validation
- As the end user (and the owner of the biometrics) HOW DO I KNOW where my biometrics are stored? When I register my biometrics, I have no actual idea what happens with my biometrics, and have no (easy) way of validating the vendor assurances of "it is secure and well designed".
I hope that on my fingerprint is stored only on my smartphone, AND in a non-reversible format, AND is not being shipped externally (even on backup). BUT I HAVE NO IDEA; for all I know my registered fingerprint could be stored and shipped externally as a plain image, and when I authenticate it's being manually verified by a bank of humans in a low wage country.
- Biometrics on mobile devices are not the gold standard; many app developers regard the move to biometrics, particularity fingerprint, as far superior to other authentication methods. Unfortunately the fingerprint API (Android) simply says (binary) "biometric authentication passed"; so on a smartphone where your have enrolled fingerprints from yourself, your partner, best mate etc. then opening the banking app, any of those enrolled fingerprint work; however the bank regards that authentication as the current "gold standard" and applies a higher level of "certainty" that it is the account owner using the smartphone!
For the owner of the biometrics; Provable assurance that my biometrics are secure and exclusively under my control. This means;
- The only place my biometric should be stored is on a device under my exclusive control
- That my biometric should not be directly used outside of said device and should only be released as a cryptographic assertion of "sameness"
- That where a device is only partially under my control (say, a smartphone) then biometrics should only unlock a cached assertion of sameness.
For the receiver of the authentication / identity / attributes (and the entity usually taking the majority of the risk in the transaction), if they are to make a good, risk-based, decision then it is critical that they are able to fully understand how well the entity is connected to the digital infrastructure they are using.