Biometrics is *not* security

There has been a raging debate about the value of biometrics. On one side are manufacturers and businesses selling technology they hope will make them rich. On the other side are the theorists and analysts saying these products do not provide what they are advertised to provide. In the middle, Hollywood and "common knowledge" have been making the technology out to be something from Fantasyland.

Finally, a mainstream reporting source has an article about the actual shortcomings of biometrics in layman's terms:

Another problem with biometrics is that the traits used for identification are not secret, but exposed for all and sundry to see. People leave fingerprints all over the place. Voices are recorded and faces photographed endlessly. Appearance and body language is captured on security cameras at every turn. Replacing misappropriated biometric traits is nowhere near as easy as issuing a replacement for a forgotten password or lost key. In addition, it is not all that difficult for impostors to subvert fingerprint readers and other biometric devices.

... and:

The panel of scientists, engineers and legal experts who carried out the study concludes that biometric recognition is not only “inherently fallible”, but also in dire need of some fundamental research on the biological underpinnings of human distinctiveness.


What is often overlooked is that biometric systems used to regulate access of one form or another do not provide binary yes/no answers like conventional data systems. Instead, by their very nature, they generate results that are “probabilistic”. That is what makes them inherently fallible. The chance of producing an error can be made small but never eliminated. Therefore, confidence in the results has to be tempered by a proper appreciation of the uncertainties in the system.
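An added illustration of the probabilistic point quoted above (not part of the quoted article or of this post): a matcher accepts when a similarity score clears a threshold, so the operator trades false accepts against false rejects and never reaches zero on both. The score distributions below are constructed assumptions, not measurements from any real biometric system.

```python
import math

# Constructed model (assumption, not measured data): similarity scores are
# approximated by normal distributions for genuine and impostor attempts.
GENUINE = (0.80, 0.08)   # mean, std dev of scores when the right person presents
IMPOSTOR = (0.45, 0.10)  # mean, std dev of scores when someone else presents

def _cdf(x, mean, std):
    """Normal cumulative distribution function."""
    return 0.5 * (1.0 + math.erf((x - mean) / (std * math.sqrt(2.0))))

def false_reject_rate(threshold):
    """Probability a genuine user scores below the threshold."""
    return _cdf(threshold, *GENUINE)

def false_accept_rate(threshold):
    """Probability an impostor scores at or above the threshold."""
    return 1.0 - _cdf(threshold, *IMPOSTOR)

def equal_error_threshold(lo=0.0, hi=1.0, iterations=60):
    """Bisect for the threshold where FAR equals FRR."""
    for _ in range(iterations):
        mid = (lo + hi) / 2.0
        if false_accept_rate(mid) > false_reject_rate(mid):
            lo = mid   # still too permissive, raise the threshold
        else:
            hi = mid
    return (lo + hi) / 2.0

def chance_of_any_false_accept(threshold, attempts):
    """Probability that at least one of `attempts` impostor tries is accepted."""
    return 1.0 - (1.0 - false_accept_rate(threshold)) ** attempts

if __name__ == "__main__":
    # Raising the threshold lowers FAR but raises FRR; neither reaches zero.
    for t in (0.55, 0.60, 0.65, 0.70, 0.75):
        print(f"threshold={t:.2f}  FAR={false_accept_rate(t):.5f}  "
              f"FRR={false_reject_rate(t):.5f}")
    eer_t = equal_error_threshold()
    print(f"equal-error threshold={eer_t:.4f}  rate={false_accept_rate(eer_t):.4f}")
    # A small per-attempt error rate still compounds over many attempts.
    print(f"P(any false accept in 10000 tries at 0.75)="
          f"{chance_of_any_false_accept(0.75, 10000):.4f}")
```

Under these assumed distributions, a threshold strict enough to push the false accept rate to roughly 0.1% already rejects about a quarter of genuine users, which is the tempering of confidence the quoted passage describes.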

For a more in-depth read, you might refer to this one. Bruce Schneier's essay is also worth reading; though it's 10 years old, it's still perfectly relevant.
