Biometric Authentication is Dumb

Biometric authentication, or biometrics in general, is a dumb idea. Biometric authentication refers to methods for uniquely identifying humans based upon physical or behavioural attributes. This kind of authentication is not particular to humans and their computers; it also exists in a highly cultivated form in nature. A good example is a dog’s method of identity management based on olfactory sense alone (dog sniffs air… smells other dog’s butt… knows who that dog is). Humans can’t come close to a dog’s level of identity management, so we’ve fabricated several methods to distinguish one person from another. Examples include, but are not limited to, fingerprints, face recognition, DNA, voice recognition, palm prints, hand geometry, and iris recognition (which has largely replaced retina, and odour/scent recognition – Good dog!).

Let’s talk about single- and two-factor authentication for a moment. Single-factor authentication in no way “identifies” who you are. It consists of a user ID and password, and anyone could potentially have that information. Two-factor authentication asks for your user ID and password, and then asks for a third component (really three-factor) such as an ever-changing token number (or better still, a cell phone call that asks you to enter a PIN). With “two-factor” authentication, you are purportedly identified by this external third component, but this still does not genuinely “identify” who you are.

The great thing about this method of authentication is that if you forget any component of the operation, you can change it. The bad part is that there is no way to demonstrably prove that the person logging in is you.

Enter biometrics. Now you submit your user ID and password, and add a third component such as a thumbprint (many IT novices, eyes aglow with the idea that biometric scanning is the wave of the future, think a simple thumbprint is all that should be needed for the entire transaction). The thumbprint or iris print is unique to an individual, and consequently genuinely identifies who you are.

But there are two specific and monumental troubles with this.

We’ve all heard of the hypothetical scenario where the research scientist with access to his lab’s restricted areas by way of handprint or eyeball scan has his hand chopped off or eyeball removed by evil intruders, so they can gain access. This is certainly a possibility.

But even worse, if the handprint or eyeball data is compromised, it can’t be changed like a password or PIN can (unless you are in the movie Minority Report). Once your biometric data is compromised, your identity as a whole is completely compromised, and you can’t change it.

Stick with something that is changeable – while it does not cleanly identify who you are, it will afford you far more security in the long run, and will never compromise your identity.

If you are a dog, please disregard this post.
