Jesper's Blog

Obligatory file photo: I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu


Biometrics

Apart from the obvious issues with biometric authentication (like the fact that revoking them is quite onerous and the fact that they are actually detachable) I have never really been much of a fan of them for other reasons, like the issue that they always seem to be fooled by low-tech means. A recent scientific study seems to validate that. Of course, I think the Chaos Computer Club video is much more fun (it is in German, but you'll get the gist of it even if you do not understand German).
Comments
  • Okay, so morbid curiosity gets the better of me... They "tested cadaver fingers", and those passed 90+% of the time? Well, I'll bet they did, because those cadaver fingers were dead when they got them, so they registered them with the fingerprint device while the fingers were dead, and they're surprised that the dead fingers were recognised by the system that was registered with those same dead fingers. Uh... that's not really a valid test.
    What you need to do is find someone who's going to die, register their fingerprints, test a few times to make sure that they're recognised successfully with a usual error rate, and then after they're dead, borrow their fingers to do the same check.
    Imagine running that request past a scientific research ethics committee. [I suppose you could use felons sentenced for execution]

  • Did you read the study? I'm not sure exactly how they tested it. I think you'd have to go back to the actual paper to find out, although I kind of doubt they started with live fingers and then turned them into cadaver fingers. I think you are right about the issues with getting that past the human subjects committee though. They tend not to like studies with people that start out live and turn out dead; and I think they even frown on turning only part of those people into cadaver parts.

    Honestly though, if the cadaver fingers were recognized at all, that would be a problem. Only live ones are supposed to be recognized.

  • See, that's one of the problems with biometrics - while they are frequently tested against living subjects and cadavers, there's no test that accurately represents that of severing an individual's credentials in order to offer them up as validation.

    I suggest this new field of research be named "necrometrics". :-)

  • And what about cold fingers? Low pulse rate (mine is 64 at rest, despite being unfit - what if I get fit and it drops further?), etc...?

    Fans of biometrics often don't spend enough time considering the implications of people who don't possess enough of them - missing fingers, worn fingerprints, iris conditions (today's word is "aniridia"), etc.

    Pick a single biometric, and hundreds of people - possibly more - will legitimately be unable to register.
