Simon Bisson & Mary Branscombe's Blog

Biometrics - it’s not the technology that’s broken

By Simon Bisson & Mary Branscombe in Editorial

Posted in Identity, Hardware, Security on March 13, 2008 at 10:06 am

When we landed in Los Angeles this trip, I was relieved and disappointed at the same time. We’d been expecting the new ten-finger sensors instead of the left-index-right-index-photograph dance you currently do, but they weren’t installed yet. I’m keen to see these in action, and I don’t expect to be in Boston, Dulles or Atlanta any time soon (they’ll be in all US airports by the end of the year). The current scanners are optical - rather like a bar code scanner in a supermarket. That’s a little slow and could be fooled by a fake finger (unlikely as the TSA agent would spot it).

Scanning ten fingers is good for security - more chances of a match with fingerprints the FBI has found at crime scenes where you’re as likely to get a thumb print as anything else. And if it’s not going to take five times as long, it must be using an active technology like the AuthenTec scanner in my HP 2710p notebook - and I want to see how well it works in a heavy duty situation.

I like the HP scanner because I don’t have to remember passwords any more, so I can make them longer and harder to break. I wish HP would write a driver to let me use it for scrolling and I can’t wait until the promised update compensates for the way the screen moves a little as I scan my finger so I don’t have to brace it with my other hand any more. This is much more about convenience than security, and I think my fingerprints are safe enough in my PC. I’m less happy about government use of biometrics, because the government has a terrible record on data security and a dubious one on protecting privacy.

Motorola didn’t reassure me after they did a pilot for biometric visas for the UK, Austria, Luxembourg, Portugal and Spain. “From the pilots we’ve been involved with, it’s clear that the biggest challenge is around working practices,” says Gillian Ormiston, senior solutions consultant for Biometric Identity Management and Security Solutions at Motorola. The biometrics worked fine - but switching from a paper visa process to tapping it all in on computer wasn’t always as smooth, and that’s where security problems - or just mistakes - can happen.

A friend of ours is cabin crew with a major UK airline and that meant he ended up in the pilot for the US visa biometrics some years ago. He and a colleague were scanned, photographed and welcomed to America. Next week he was back at the same airport, but his fingerprints didn’t match; turns out they’d switched the scans for him and his colleague.

It should have been obvious from the photo that our friend was the same person. It was, in fact, but there was no way to easily update the record to deal with the mistake. It took months to sort out and even if the TSA is very polite about secondary interviews, it adds at least an hour of sitting around being checked on before you can get into daylight and start adjusting to the time zone.

Security is a process rather than a state; it’s what you do rather than what you are. But the process of how you get to be secure - as an individual or a country - has to be right too. Just putting biometrics into a system doesn’t make it more secure.

Comments

Comment by Jim Kerr - March 13, 2008 on 1:17 pm

Mary - “Just putting biometrics into a system doesn’t make it more secure.” I have to disagree. Biometrics is instant added security. This is because I am passing more complex credentials with a biometric. I am using a 30 character password that I could never remember if I had to type it in myself. But because my fingerprint remembers it for me, I have the added security of a much stronger password. So that is measurably better than the typical 8 character password that you hope an employee will be able to remember and not have to write down as it changes.

Comment by John Green - March 14, 2008 on 9:10 am

My latest HP laptop also has a fingerprint reader, but it often takes six or seven attempts to log on. With all the possibilities and dangers of badly specified government IT systems (I once worked on one of the better ones) I would take a lot of convincing that (a) they’ll work and (b) they will be secure. At the moment I am far from convinced, and there is always the risk that data procured for lawful purposes will be transferred to other users (even other governments) and used against the individual. No thanks.

Comment by Simon Bisson & Mary Branscombe - March 16, 2008 on 7:52 am

@Jim
I’m going to disagree back ;-) It’s the password that adds the security; the biometric adds the convenience. You could get the same security with a smartcard, authentication token or simple memory. But mainly, if the system you log in to is insecure the biometric doesn’t fix that.

@John
I certainly agree that the private use of biometrics is a different kettle of fish to government data collection and I worry a lot about it. If a national fingerprint registry was compromised, how would the government issue me a new finger?

On the repeated attempts. First, clean the scanner regularly; second, stabilise the lid so it shakes less. And third, watch for the promised update.
