Monday, May 01, 2006
Moving Out
I have officially completed my transfer of this site from Blogger to my own domain. If the idea behind the site is at all interesting, I urge you to give it a try. The site is running on WordPress, which I have found to be a fantastic platform for maintaining and customizing a blog. There's a lot more freedom that just using a Blogger-hosted account, and I get to use whatever web hosting service I want. Of course, that means more maintenance effort as well, but I'm just the kind of geek who enjoys that sort of thing.
Wednesday, August 10, 2005
Biometrics: Protecting Users from...Themselves
There is a tendency for biometric verification to be viewed as The Solution to all authentication problems. We say that the technology authenticates a claimant based on "who he or she is." It is claimed that this makes the technology vastly superior to passwords (what he knows) or tokens (what he has). That sounds like a big win for biometrics on the surface, but it is also much easier to keep a password or token to yourself. I see my coworker's faces on a daily basis, and I take pictures of them frequently with few objections. Of those same coworkers, not one of them would be likely to let me jot down their password.
The point is that biometrics are very secure if we pay someone to watch the collection process. A guard sits by a sensor (or camera) and ensures that everyone presents their own biometrics rather than a picture or mold. In some applications (border control and credit card transactions), this is a reasonable requirement; in others (e-commerce and logical access control), it is not. Of course, all of this assumes that attackers are not able to alter the template database, but I'm trying to keep this discussion simple.
In the context of this shortcoming, I was pondering the purpose of biometrics for logical or physical access control. Without a guard sitting next to each sensor, I can't expect to defend against a determined, well-funded attacker. He might simply create a synthetic biometric designed to match a particular template. He might even circumvent the sensor and feed the matcher "samples" of his own design. With sufficient determination, he can defeat the system. So, who can biometrics defend against? My answer to this is the users themselves.
Users are notoriously bad at protecting their passwords and access tokens. They keep passwords posted on the side of their monitor. Even worse, they often give their password or access token away in order to provide temporary access to another party. If you don't believe me, imagine the following scenario. A salesperson has an email message sitting in his inbox with directions to a customer facility. Knowing the general location, he drives about halfway there before realizing he never printed directions. Not wanting to appear disorganized, he would rather not call the client and ask for last minute directions. Instead, he calls a coworker. "Can you log into my workstation and read me the last half of the directions to Customer X. My password? Sure, it's YYYYYYY." I doubt the story ends with the salesperson changing his workstation password upon return to the office. Similar stories are possible with physical access tokens.
Security-minded individuals are not likely to distribute their password so freely, but the average user will. They will always defeat security in order to achieve a desired result. Security is just one more hassle in the way of getting their work done. On the other hand, that password existed for a good reason. If the salesperson is the only one who knows his password, then only the salesperson can be held accountable for what happens on his workstation. As soon as others know the password, this is not possible. The salesperson may trust his coworker, but assigning such trust and granting access to such a resource is not the salesperson's role. Perhaps the salesperson has confidential documents on his desktop that should not be viewed by his coworker. Perhaps trust in his coworker is diminished a month later. The bottom line is that the decision to grant the coworker access to the salesperson's computer should extend from a more formal decision-making process.
Where do biometrics fit into all this? Biometrics would have made it more difficult for the salesperson to do the "wrong thing." They might not have defended against a determined attacker, but they would certainly provide protection against a snooping coworker. In my mind, that should be the primary motivation for deploying a biometric system. Biometrics ensure that trust is assigned based on an organization's defined procedures and not based on the laziness of individual employees. At this point, biometrics do not ensure that a determined attacker can gain access to the resource they protect.
The point is that biometrics are very secure if we pay someone to watch the collection process. A guard sits by a sensor (or camera) and ensures that everyone presents their own biometrics rather than a picture or mold. In some applications (border control and credit card transactions), this is a reasonable requirement; in others (e-commerce and logical access control), it is not. Of course, all of this assumes that attackers are not able to alter the template database, but I'm trying to keep this discussion simple.
In the context of this shortcoming, I was pondering the purpose of biometrics for logical or physical access control. Without a guard sitting next to each sensor, I can't expect to defend against a determined, well-funded attacker. He might simply create a synthetic biometric designed to match a particular template. He might even circumvent the sensor and feed the matcher "samples" of his own design. With sufficient determination, he can defeat the system. So, who can biometrics defend against? My answer to this is the users themselves.
Users are notoriously bad at protecting their passwords and access tokens. They keep passwords posted on the side of their monitor. Even worse, they often give their password or access token away in order to provide temporary access to another party. If you don't believe me, imagine the following scenario. A salesperson has an email message sitting in his inbox with directions to a customer facility. Knowing the general location, he drives about halfway there before realizing he never printed directions. Not wanting to appear disorganized, he would rather not call the client and ask for last minute directions. Instead, he calls a coworker. "Can you log into my workstation and read me the last half of the directions to Customer X. My password? Sure, it's YYYYYYY." I doubt the story ends with the salesperson changing his workstation password upon return to the office. Similar stories are possible with physical access tokens.
Security-minded individuals are not likely to distribute their password so freely, but the average user will. They will always defeat security in order to achieve a desired result. Security is just one more hassle in the way of getting their work done. On the other hand, that password existed for a good reason. If the salesperson is the only one who knows his password, then only the salesperson can be held accountable for what happens on his workstation. As soon as others know the password, this is not possible. The salesperson may trust his coworker, but assigning such trust and granting access to such a resource is not the salesperson's role. Perhaps the salesperson has confidential documents on his desktop that should not be viewed by his coworker. Perhaps trust in his coworker is diminished a month later. The bottom line is that the decision to grant the coworker access to the salesperson's computer should extend from a more formal decision-making process.
Where do biometrics fit into all this? Biometrics would have made it more difficult for the salesperson to do the "wrong thing." They might not have defended against a determined attacker, but they would certainly provide protection against a snooping coworker. In my mind, that should be the primary motivation for deploying a biometric system. Biometrics ensure that trust is assigned based on an organization's defined procedures and not based on the laziness of individual employees. At this point, biometrics do not ensure that a determined attacker can gain access to the resource they protect.
Friday, August 05, 2005
Starting a new blog
Here it goes. I have been a graduate student in the area of biometrics for the past few years now, and I feel like I have something to say about biometric verification. A lot of what I have to say seems like it would fit well into the blog medium. I won't be posting ground breaking ideas or conclusive results, but just my own thoughts on the benefits (and risks) of using biometric verification as an authentication tool.
My primary work focuses on biometrics for building access control. In particular, I investigate the opportunities presented when multiple biometric verifiers are deployed throughout a building. Clearly, using more verifiers to form a verification decision will reduce error rates, but what else can we get from such a system. I'm convinced that there's quite a bit to be said. If you're interested in my research, take a look at my research page.
My primary work focuses on biometrics for building access control. In particular, I investigate the opportunities presented when multiple biometric verifiers are deployed throughout a building. Clearly, using more verifiers to form a verification decision will reduce error rates, but what else can we get from such a system. I'm convinced that there's quite a bit to be said. If you're interested in my research, take a look at my research page.
