September 18, 2006

Mythbusters: When biometrics fail

Ever watch MythBusters? It's a great show. I quite enjoy it.

It's not often that they do something that crosses into my realm though. Of course, recently they DID beat a biometric fingerprint door lock:

Biometrics alone is not enough. You need more factors (like an external PIN) so that along with "something you are", there is "something you know".

Absolute security is a myth. With enough time and resources, most systems can be beat. Adam and Jamie showed that.

Posted by SilverStr at September 18, 2006 03:10 PM

I saw that episode and enjoyed every minute. They don't mention the biometric door lock vendor, but I am certain they have a lot of questions to answer.

I completely agree with you. As you point out, that door lock was beat as a result of using *single factor authentication*. As anyone would point out, SFA is weak, regardless of the "factor" used (something you know, have, or are).

Unfortunately, I run into far too many people that think that since some authentication scheme is using some form of "magical" biometric (fingerprint, hand geometry, etc.), they don't need to employ other factors like a PIN (something you know) along with the biometric (something you are).

Posted by: BioBusted at September 19, 2006 02:04 PM

I've noted this before on several occasions (such as my URL above) - a fingerprint is not something you are, and it's not something you know. It's something you possess, but it's not something you possess uniquely, and it's not something you can't be parted from. As a result, it doesn't pass the tests that you want from an authenticator.
It may be an identifier - a claim of identity, just like your name, or your username - but it's not an authenticator, like a password.
Given the false negative rates on fingerprints, it's not even a very good identifier.

Posted by: Alun Jones at September 24, 2006 08:39 PM