Thursday, December 07, 2006

MythBusted - Biometric Security and the Myth of the Perfect Security System


With the recent events in the press and the publicity surrounding the "Mythbusters test" regarding the Defeat of a Biometric Security System (Again), I felt it was important to discuss the events surrounding these successful attempts to defeat specific biometric products.

For those of you that don't know, Mythbusters is a television program on the Discovery Channel that features a couple of intrepid Hollywood special effects gurus that "take on" current myths of the day and try to prove or disprove the basis of the myth. I must say that as an avid fan of the MythBusters television show, I was intrigued by the very thought of Biometric Technology being tested by these two.

Over the years there have been several media reports, studies and other documentaries about "The Defeat of Biometrics" and I have some very well known opinions about this premise. You can read an article that I wrote in June of 2002 that discussed the topic of "Biometrics in the Real World" where I clearly state my opinions on the subject and offer some advice on implementing a Biometric Security System.

These same theories that I espoused over 4 years ago still hold true today and I am happy to say that YES I am glad that Adam Savage and Jamie Hyneman have brought some sense of reality to this industry that has for too long said "my product can't be broken or my biometric system can't be defeated". It's time for sanity to prevail in this argument about security systems and how easy it is or is not to break a biometric system.

There is even an entry in the modern cultural lexicon, Wikipedia, discussing this topic. Wikipedia.org is a collectively updated and verified web encyclopedia.

"Recently the television program Mythbusters attempted to break into a commercial security door equipped with biometric authentication as well as a personal laptop so equipped. The results were shocking as they were able to easily defeat the technology with not one, but all of the different techniques they used. The most eye-opening was their quick success with a simple photocopy of a fingerprint. That the technology was so easily undermined strongly suggests that biometrics, in its present form, cannot yet be considered a strong form of authentication. (Wikipedia.org)"

OK, now with that out of the way, let's discuss WHY this happened and WHY there is no such thing as a perfect security system.

  • Rule Number One - There is no impervious security system on the planet. There never will be.
  • Rule Number Two - When a vendor tells you that their system is completely unbreakable - they lie. Nothing is unbreakable.
  • When All Else Fails - See Rule Number ONE.

Security System Types (Factors) -

  • Biometric - Biometry Based (Who you are)
  • Password or Pin - Knowledge Based (What you know)
  • Keys or Tokens - Possession Based (What you have)

Biometric Systems -

  • Single Factor Authentication (SFA) - asks the question and grants access based upon "who is this person?". A SINGLE form of authentication is used to grant access based upon IDENTIFICATION.
  • Multi-Factor Authentication (MFA) - asks the question and grants access based upon "is this person whom they claim to be?" The user first makes a statement of identity (Card, PIN, Password or other token), and access is then authenticated based upon VERIFICATION of this identity.

Single Factor Authentication (SFA) is considered weak security no matter what the factor.
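
The difference between the two modes, as an added Python example that is not from the original post. The cosine-similarity matcher, templates, PINs, salts and threshold are constructed for illustration, and `identification_far` goes a step beyond the text by assuming independent comparisons to show how the false-accept chance of a 1:N search grows with the number of enrolled users.

```python
import hashlib, hmac, math

THRESHOLD = 0.95  # assumed match threshold for this toy matcher

def _pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def similarity(a, b):
    """Cosine similarity of two feature vectors (stand-in for a real matcher)."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))

# Constructed enrollment database: one template and salted PIN hash per user.
USERS = {
    name: {"template": tpl, "salt": salt, "pin": _pin_hash(pin, salt)}
    for name, tpl, pin, salt in [
        ("alice", (0.9, 0.1, 0.4, 0.7), "4821", b"salt-alice"),
        ("bob",   (0.2, 0.8, 0.6, 0.1), "7350", b"salt-bob"),
    ]
}

def identify(sample):
    """SFA / IDENTIFICATION: 1:N search, the biometric alone names the user."""
    name, rec = max(USERS.items(),
                    key=lambda kv: similarity(sample, kv[1]["template"]))
    return name if similarity(sample, rec["template"]) >= THRESHOLD else None

def verify(claimed, pin, sample):
    """MFA / VERIFICATION: claimed identity + PIN, then a 1:1 biometric match."""
    rec = USERS.get(claimed)
    if rec is None:
        return False
    pin_ok = hmac.compare_digest(_pin_hash(pin, rec["salt"]), rec["pin"])
    bio_ok = similarity(sample, rec["template"]) >= THRESHOLD
    return pin_ok and bio_ok

def identification_far(far_1to1, enrolled):
    """Chance an impostor matches at least one of N templates (assumes
    independent comparisons, each with the same 1:1 false-accept rate)."""
    return 1 - (1 - far_1to1) ** enrolled

# Constructed sample: a close copy of alice's enrolled print.
COPY_OF_ALICE = (0.88, 0.12, 0.41, 0.69)

if __name__ == "__main__":
    print("identify, copy only:      ", identify(COPY_OF_ALICE))
    print("verify, copy + wrong PIN: ", verify("alice", "0000", COPY_OF_ALICE))
    print("1:N FAR, N=1000, FAR=0.1%:", round(identification_far(0.001, 1000), 3))
```

With identification, the copied print is the whole credential; with verification, the same copy is rejected unless the second factor is also presented correctly.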

Several unscrupulous biometrics vendors (mostly off-shore in origin) are vigorously promoting their single factor systems as unbreakable, live sensing, blah, blah, blah...

There is no system on the planet that cannot be beaten. Passwords can be guessed, tokens can be stolen, and yes Virginia, while there is a Santa Claus, there is no free ride in the security world. Biometrics can be spoofed. Any time you trust something important to a single factor authentication system, the risks should reflect the security level, and you should never use this as your only line of security.

  • Are SFA biometric systems more secure than a password? - most often, yes.
  • Are SFA biometric systems more secure than a key based system that can be readily copied, shared or lost? - Again a resounding YES.
  • Are MFA (VERIFICATION) systems more reliable than SFA (IDENTIFICATION) systems? - ALWAYS.

Biometric Security Systems have firmly taken a solid place in security practices; however, they should NEVER be your ONLY security method if you are protecting highly valuable or sensitive information or facilities. Alarm systems, monitoring and recording systems, biometric systems and good security practices should all go hand-in-hand based upon the level of security required. Remember, your mileage may vary, so treat EVERY system as if it were capable of being compromised.

Our premier access control solution for small business, the Lucky Technology iGuard, is a VERIFICATION system.

Our premier PC access solution, the PCLokR, is capable of multi-factor authentication.

Our premier Enterprise Network authentication solution, the VeriSoft Access Manager, is also a VERIFICATION system capable of multi-factor authentication.

Thank you for your time and consideration.
James Childers
CEO, iQBio, Inc.
Intelligent Biometric Solutions

If you have any other questions you would like answered here or in our Blogs, please email me at james@iqbio.net with the subject line - "I want to know"...