Someone recently studied several common biometric systems and determined that their stored data is easier to reverse than previously thought. Researchers have been able to reconstruct approximate faces from the "template" data a scanner stores, and the same goes for fingerprints.
Think about what happens when the Bad Guys get hold of your biometric data. Unlike passwords, security questions, social security numbers[1], or yes, even phone numbers, it's virtually impossible[2] to change your biometric data. Once compromised, it stays compromised forever. Think about the pain of convincing the IT department that, no, you can't actually use your fingerprint for authentication because it was stolen in a massive bulk-phishing attack. Good luck with that.
I’m not saying that biometrics has no place in the security world, of course; in fact, it is probably an improvement to use it as a third factor in an existing two-factor system. In a lot of ways, though, "something you have" is superior to "something you are" as a second factor. This is just one more way.
-Steve
[1] Yes, it’s (theoretically) possible to change your SSN if you can illustrate actual, ongoing harm caused by an identity thief.
[2] Sometimes this impossibility poses a serious unrelated problem; see the prologue to Angels and Demons by Dan Brown for an example.