Security
- hydroflare
- Posts: 64
- Joined: 01 June 05 7:30 pm
- Location: sydney
That's a huge question and the topic of exhaustive debates and investigations!
One critical flaw, which is a strong argument against it (in its form as a single authentication credential) will be the substantial reliance on it and a false sense of trust in the credential. The credential will have a limited life before it is compromised and, if infrastructure is relying substantially on this credential then the integrity of the infrastructure may also be weakened. So it won't be an 'ID card' since it can't be relied on to provide 'ID'.
In simple terms, there isn't a single credential out there that has not been compromised at some stage and it won't be any different for this one.
If the credential can't be relied on, then it has no real purpose since it will be a costly system to enroll, issue and maintain. Who will be doing background checks on each person receiving a card? And to what extent? Then you have to deal with lost cards, stolen cards, damaged cards (estimated at about 10% per year).
A better, and more workable system is to use multiple credentials to establish identity and trust. These can range from passports, DL's, and a whole range of information that can be cross-referenced. It is the depth of knowledge and information that will establish the identity proof, not one single isolated credential.
Biometric identification systems also have flaws when used as a single credential for proof-of-identity. In fact there are serious flaws in using biometrics for any proof-of-identity mechanism.
- Team Piggy
- Posts: 1601
- Joined: 02 April 03 5:16 pm
- Location: South Australia
-
- 200 or more found
- Posts: 46
- Joined: 11 May 04 11:23 pm
- Location: Darwin, NT
Re: Security
swampgecko wrote: Hang on a minute... do you have a medicare card? And that is accepted as proof of id, is it not? By my way of thinking then, there is already a National Identity Card....
hydroflare wrote: No, it is not accepted as proof of ID. Anyone who does accept it is fooling themselves. A little piece of plastic with a name on it does not prove anything. Neither are you obliged to have one.
I had to use a Medicare card for proof of identity for my then 8 month old baby to hop on a Qantas flight. I had asked on the phone whether ID was needed, got told it wasn't and THEN got asked to produce ID. The first thing they suggested was a Medicare card. Just as well I was carrying that! [I actually was carrying his birth certificate as I don't trust airlines but I was surprised that a Medicare card sufficed.]
- hydroflare
- Posts: 64
- Joined: 01 June 05 7:30 pm
- Location: sydney
For Team Piggy, there is no effective repudiation mechanism with a biometric. Unlike a certificate, key, card or other credential, you can't repudiate your biometrics.
For GeoWombats (great name), the Medicare card did not prove any form of identity. What you saw was corporate policy and bureaucracy gone crazy. The mere idea that a piece of plastic with a name on it 'proves' identity is absurd.
What it possibly showed was that the infant was attached to an adult (since the infant's name would be on a card with an adult's name). It did not show that the infant being carried (nor the adult) were the people whose names were on the card.
- Team Piggy
- Posts: 1601
- Joined: 02 April 03 5:16 pm
- Location: South Australia
hydroflare wrote: For Team Piggy, there is no effective repudiation mechanism with a biometric. Unlike a certificate, key, card or other credential, you can't repudiate your biometrics.
I wonder how many will be heading to Dictionary.com to look that word up
I have found that biometrics work excellently, I have come into contact with a large number, and personally would say they have a better success rate and stability than any other type of ID mechanism. Eg: Proximity, Swipe, magnetic, insert. All of the others seem to have a high failure rate in the cards/units and they "can" be bypassed depending on the code used in them.
I was more interested in the flaws side of it? I gather you have had a bit of experience with it all?
-
- 200 or more found
- Posts: 139
- Joined: 22 August 03 12:11 am
- Location: The Shire (Southern Sydney)
OK, here's the flaw in biometrics as I see it.
People will always find ways to fake ID, even ID based on biometric data (see the movie Gattaca for an interesting take on this theme). The problem is that as soon as someone "steals" your ID (or finds a way to fake it) your ID is useless. If your ID is a piece of plastic, or a digital key, or perhaps a passport, all you have to do is get it replaced and the original is invalidated. That is what the term "repudiation" means.
But the problem with biometrics is that you CAN'T replace your ID or invalidate it. It's part of YOU.
Imagine if someone discovered your online banking password but the bank wouldn't let you change it. That's the flaw in biometrics.
GEK
- CraigRat
- 850 or more found!!!
- Posts: 7015
- Joined: 23 August 04 3:17 pm
- Twitter: CraigRat
- Facebook: http://facebook.com/CraigRat
- Location: Launceston, TAS
GEK wrote: Imagine if someone discovered your online banking password but the bank wouldn't let you change it. That's the flaw in biometrics.
Exactly.
This has been raised in a few forums I have been in.
This is why you need to subscribe to the 'bring something (biometrics/swipe etc), know something (pin or passphrase)' philosophy... it's not perfect, but it's a Best Effort thing.
Allowing access to areas based on 1 item of authentication is risky indeed.
/works in the industry(sort of)
Hmmm..what was the topic again??
- hydroflare
- Posts: 64
- Joined: 01 June 05 7:30 pm
- Location: sydney
Looks like everyone else beat me to it!
Biometrics has its uses, as part of a multi-factor authentication mechanism. It's convenient and relatively good. However, as with all of these types of systems there are weak points. It may be the biometric authentication method, the capture and template generation methods etc. At some point we can expect it to be compromised, the same way as encryption algorithms are routinely tested and eventually reach the end of their shelf life.
Revoking a key or certificate is easy, however the public might be nervous about cutting their fingers off or pulling out their eyeballs!
There are some excellent essays on security fundamentals and authentication methods if you want to follow up the topics further.
Anyhow, I imagine that suspicious security guard that started all of this has gone down to the pub by now ...
- Team Piggy
- Posts: 1601
- Joined: 02 April 03 5:16 pm
- Location: South Australia
I'll still take biometrics any day over standard Proximity and other forms of access control gear
I don't know of many places that use biometrics as the "sole" access device, most require a PIN number then the biometric. The PIN number can simply be changed, so without the correct PIN and Hand/retina/facial recognition scan = No access
I could tell you some nice horror stories about standard access control methods, and some on just "how" easy it is to get past a lot of it too. But I won't, that would make the game too easy!
-
- 550 or more Caches found
- Posts: 390
- Joined: 02 April 03 11:59 pm
- Location: Canberra
A bionic finger ... cool!!
(go here, click on the View TV spots link, then choose the ad on the left!)
Like the pig said:
Security = done. Move on.
Biometrics & ID debate = Has merit.
The Bronze.
FARQ = http://www.bioprivacy.org/faq_main.htm