You saw a movie a few years ago with an elite person gaining access to a high-security facility. Her finger or eye was scanned, and voila, she was in. Today you're excited to see that same technology becoming reality. We're in the future. It's sexy, but...

The name for that technology, Biometrics, refers to methods that use unique body characteristics as identification: finger prints, retinal or iris patterns, face, voice, even the way someone walks (gait). It seems fool-proof. We're unique, right? Who else could gain access to my device if I'm the only one with my fingerprint?

Here's the problem: People who want to break into that device are not going away. They will find a way, and devices that rely on biometrics alone may actually make things easier for them.

Consider these points.

1) Today's hackers require a certain degree of technological savvy to be able to break into a computer system. They have to have some understanding of how the insides of a computer or device work or communicate in order to be able to break into it and gain access to private information. This fact alone limits the number of people who will even try. With the introduction of biometrics as security for mobile devices, anyone with enough time to experiment with making likenesses of his own finger, eye, etc., will be able to find ways to by-pass the security of his personal devices from the outside. Once that person knows how to break into his own device, he will be able to use that knowledge to get into other people's devices.

2) Compared to the simplicity of changing a password when there is a possible threat, biometrics will be expensive as a business model. You can't change your fingerprint, iris pattern, etc. When (not "if") hackers get good at replicating these things, businesses will have to deploy more and more sophisticated hardware/software to thwart them. That's billions of potential dollars spent where much less is spent today.

3) Legally, just as you can be compelled to submit to a breath test if you are arrested for driving drunk, you can also be compelled to provide a fingerprint or other biometrics which, if these are used as security for your devices, would conceivably allow access. A piece of information, such as a password, however, is stored in your mind, and as such has a legally protected status. The 5th amendment protects your right to refuse to be a witness against yourself. In other words, you can refuse to provide that piece of information if you think doing so could incriminate you. (Not that you have anything to hide, mind you!)

So while biometrics continue to carry the wow-factor, and their convenience can't be argued, their usability as the main protection for mobile devices is questionable. For large systems that remain on-site, say a fingerprint reader at the entrance to a government building, where it would be difficult for someone to fake a finger or fiddle around with the interface to see what works and what doesn't, biometrics may still be feasible for security. But for mobile devices, the answer to security is likely to be a hybrid approach that does not rely solely on biometrics or on passwords, which admittedly can be inconvenient. At Sympius we have state of the art solutions that you can try today.



presi#bioPitfalls
Denise Dannels