Biometrics
Lockstep has long advocated a more critical appraisal of biometric security systems.
Here is a selection of our analyses and commentaries on biometrics.
Blog entries
Quote: "[It is] very optimistic to imply ... that biometric ATMs will have false positives of 'one in a million' and false negatives of 'one in ten thousand'. These error rates are not achievable simultaneously, even in the lab. And the FBI tells us these results do not apply outside the lab, where real ATMs operate."
Quote: "Published error rates for biometrics are chronically optimistic. Biometric performance measurement almost always uses the 'zero effort imposter' assumption, which causes systemic over-estimation of their strength. False Match Rates are worked out by counting accidental matches, and do not look at scenarios where someone is trying to get matched falsely ...
"In other words, the stated performance specifications of biometric solutions don’t tell us much about how well they stand up to criminal attack. This failing is nothing short of remarkable. Shouldn’t resistance to would-be robbers be top of mind when commissioning banking system security?"
Quote: "The term 'unique' in the context of biometrics is utter hyperbole. Even if it were true that voice patterns are 'unique', the critical question is whether a biometric mechanism is capable of telling all voices apart. And the truth is that no biometric apparatus is perfect. In fact, most biometrics fall so far short of perfection that I believe use of the word 'unique' constitutes false advertising."
- "Plurality of Identities, and trouble ahead with biometrics" Open Forum blog, Nov 2007.
Quote: "Let's consider the possibility that this singular identity paradigm has enabled, without anyone noticing, the rather too easy acceptance by security experts of biometrics. The idea of biometric authentication plays straight into the orthodox world view that each user has one 'true' identity that underpins multiple authorisations. The strong intuitive attractiveness of biometrics must be based on the idea that what matters in all transactions is the biological organism. But it's not. In most real world transactions, the role is what matters, and it's only under rare conditions of investigating frauds that we go into the forensic exercise of locating the organism.
"There are huge risks if we were to make the actual organism central to routine transactions, by deploying biometrics too expeditiously. It would make everything intrinsically linked, implicitly violating Privacy Principle No. 1: Don't collect personal information that is not required for the transaction at hand. The stakes in biometrics are extremely high. As yet there is no proven way to cancel and re-issue a compromised biometric template (and I worry that fundamentally it can never be done properly without trading off integrity). And despite ... often surprisingly large false match rates, biometrics are still thought of, even promoted, as proving 'unique' identity."
Whitepapers and publications
A number of Stephen's Online Banking Review columns look at biometrics; see archived OBR copies from February 2006 and August 2008, as well as the recent pre-print of the April 2009 column below.
See below.
 | OBR Lockstep Column No 34 Biometrics ATMs (preprint) | [download, 42Kb] |
| Quote: "The FBI warns that lab results do not reflect resistance to deliberate attack: 'When a dedicated effort is applied toward fooling biometrics systems, the resulting performance can be dramatically different'. In other words, the stated performance specifications of biometrics solutions don’t necessarily tell us how well they stand up to criminal attack. Resistance to robbery is surely important in ATM security, and so the leap from laboratory to the High Street needs to be taken with great care." | ||
 | Lockstep Babystep No. 3 Limitations of Biometrics | [download, 46Kb] |
| Biometrics seem so simple and intuitive that the question sometimes arises: couldn't we just replace all our current authentication gadgets with a fingerprint reader or face scanner? The answer is emphatically not, for reasons that become apparent when we take a closer look at biometric technologies. | ||
| Lockstep Privacy Senate Inquiry submission 22 Feb 05 | [download, 690Kb] |
| Quote: "[Biometrics] fundamentally can never be as foolproof as people have been led to believe by cursory viewing of sci-fi movies. In this submission, by applying no more than a junior high school level of scientific analysis, we hope to expose some of the inescapable limitations of biometrics, and to thus help set more realistic expectations amongst law and policy makers as to the real abilities of biometrics". | ||
| Online Banking Review Speaking-of-bank-details Jun08 | [download, 241Kb] |
| Quote: “With any biometric, the most important design decision is probably getting the trade-off right between false accepts and false rejects. This is especially critical in retail settings where customer convenience is paramount, and can even outweigh security considerations. … Any biometric system will always suffer to some extent from both types of error. On some occasions, the system will confuse the person being presented with someone else enrolled in its database (i.e. a false accept). On others, it will fail to recognise an enrolled person when they present again (i.e. a false reject). | ||