Since people forget things and lose things, one might contemplate basing an authentication scheme for humans on something that a person is. After all, we recognize people we interact with not because of some password protocol but because of how they look or how they sound — “something they are”. Authentication based on “something you are” will employ behavioral and physiological characteristics of the principal. These characteristics must be easily measured accurately and preferably are things that are difficult to spoof. For example, we might use
- Retinal scan
- Fingerprint reader
- Handprint reader
- Voice print
- Keystroke timing
To implement such a biometric authentication scheme some representation for the characteristic of interest is stored. Subsequently, when authenticating that person, the characteristic is measured and compared with what has been stored. An exact match is not expected, nor should it be because of error rates associated with biometric sensors. (For example, fingerprint readers today normally exhibit error rates upwards of 5%.)
Methods to subvert a fingerprint reader give some indication of the difficulties of deploying unsupervised biometric sensors as the sole means of authenticating humans. Attacks include:
- Steal a finger. Difficult to do without the owner of the finger noticing. Good supervision of the biometric sensor defends against this attack.
- Steal a fingerprint. Lifting a fingerprint is not that hard (at least, according to those TV crime-drama shows). Again, though, good human supervision of the biometric sensor defends against this attack because a guard will notice if somebody is not inserting a naked finger into the reader.
- Replace the biometric sensor. At first glance, this type of attack might seem even more difficult to execute than the two above. Social enginnering might be easier for the attacker to employ, here, though. It suffices that the guard believe that the senor should be changed (maybe because the the old one is “broken”).
There are several well known problems with biometric-based authentication schemes:
- Reliability of the method. Similarity of physical features (faces, hands, or fingerprints) and inaccuracy of measurement may together conspire to create an unacceptably high false acceptance rate (FAR).
- Cost and availability. Currently, some readers cost $40-50 and more. Are end users willing to pay that much for an authentication method that does not work as well as passwords?
- Unwillingness or inability to interact with biometric input devices. Some people are uncomfortable putting a body part into a machine; some are uncomfortable having lasers shined in their eyes for a retinal scans; and some don’t have fingers or eyes to be measured.
- Compromise the biometric database or system. It might be possible to circumvent the system’s biometric sensor and provide an “input” from another source. The sensor is, after all, connected to a system and hijacking that channel might be possible. Knowledge of the stored representation for a characteristic would then allow an attacker to inject the correct characteristic and impersonate anyone.
- Revocation. What does it mean to revoke a fingerprint?
The literature on biometric authentication uses the following vocabulary to characterize what a scheme does and how well it works:
- FAR: (false acceptance rate). This is the probability that the system will fail to reject an impostor (aka FMR: false match rate)
- FRR: (false reject rate). This is the probability that the system will reject a bona fide principal. (aka FNMR: false non-match rate)
- One-to-one matching: Compare live template with a specific stored template in the system. This corresponds to authentication.
- One-to-many matching: Compare live templates with all stored templates in the system. This corresponds to identification.