Recently I’ve written several blog posts about biometric authentication in IT Shops (see “Target Attack Leads to Discussion of Biometric Authentication“, “IT Shop Requirements for Exploiting Biometrics“, “Biometrics and SSO“). This post discusses a couple of secondary factors.
Secondary inhibitors to the widespread adoption of biometric authentication in IT shops include concerns about spoofing and cost. Spoofing in biometric is the ability to provide a measurement of an individual’s biometric without that individual actually being measured by a sensor. Cost concerns on the other hand are related to the perception that biometric authentication is still so new and high tech that it remains very expensive.
The folks that were able to spoof the biometric sensor on the iPhone within a few minutes or hours of its availability did a bit of damage to the reputation of biometric authentication. (The sensor on the iPhone utilizes match-on-device technology.) There are two reasons why this shouldn’t be the case. First, the fingerprint sensor in the iPhone was necessarily low cost and not very sophisticated. There are lots of manufacturers out there; some of which measure the “liveness” of the finger placed on the sensor. Just because one sensor could be spoofed, doesn’t mean all of them can be so easily spoofed. Second, fingerprint biometrics are only one type of biometric. Images of fingerprints can be easily transferred from a person to many surfaces and substances from which it can be captured — much to the benefit of law enforcement. This is not true for all types of biometrics. Retinal scans, for example, are much harder to take and, as far as we know, can’t be left behind when a person leaves a room. In other words, the limitations of one sensor for one type of biometric authentication doesn’t invalidate the usage of biometrics for all sensors or all types of biometrics.
