{"id":40,"date":"2008-01-11T15:19:27","date_gmt":"2008-01-11T23:19:27","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/01\/11\/security-review-biometrics\/"},"modified":"2008-01-11T15:25:50","modified_gmt":"2008-01-11T23:25:50","slug":"security-review-biometrics","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/01\/11\/security-review-biometrics\/","title":{"rendered":"Security Review: Biometrics"},"content":{"rendered":"<p><font face=\"Calibri\"><strong>Summary<\/strong><\/font><\/p>\n<p><font face=\"Calibri\">Biometrics is an authentication mechanism that identifies or verifies a person from physiological characteristics assumed to be unique to that person.\u00a0 Biometric devices employ fingerprint recognition, hand geometry, retina scanning, and other methods to identify or verify a person against stored biometric information (the enrolled template).\u00a0 Biometric devices are becoming more common and are now standard on many laptops and computers.<\/font><\/p>\n<p><font face=\"Calibri\"><!--more--><\/font><\/p>\n<p><font face=\"Calibri\"><strong>Assets and Security Goals<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">Provide a convenient and secure method for authentication, identification, and verification.\u00a0 Users relying on biometrics as their sole authentication mechanism would not have to remember passwords or carry smart cards.<\/font><\/li>\n<li><font face=\"Calibri\">Provide secure storage of biometrics.\u00a0 Adversaries must not be able to obtain stored biometric information.<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Potential Adversaries<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">Any person, entity, corporation, group, or agency not authorized to access the protected system who wants to obtain access, for malicious or non-malicious purposes.<\/font><\/li>\n<li><font face=\"Calibri\">Anyone interested in obtaining the biometric information stored for identification purposes, for malicious or non-malicious purposes.<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Potential Weaknesses<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">Spoofing and mimicry attacks &#8211; An artificial finger made of commercially available silicone or gelatin may deceive a fingerprint sensor.<\/font><\/li>\n<li><font face=\"Calibri\">Power fluctuation or flooding &#8211; Feeding a biometric sensor out-of-range input or noise (e.g. flashing light at an optical sensor, changing the humidity around a fingerprint sensor, or spraying material onto the sensor surface) may cause the device to fail; that is a denial of service if the system fails closed and a bypass if it fails open.<\/font><\/li>\n<li><font face=\"Calibri\">Residual biometric data &#8211; The residue of a previous user left on the sensor (for example, a latent fingerprint) may be sufficient to allow access to an adversary.<\/font><\/li>\n<li><font face=\"Calibri\">The system used to store and control biometric templates and biometric devices may itself be subject to attack.<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Potential Defenses<\/strong><\/font><\/p>\n<ul>\n<li><font face=\"Calibri\">Using biometrics as a complementary factor alongside a password or token, rather than as the sole authentication mechanism, may increase security and reduce the impact of the weaknesses listed above.<\/font><\/li>\n<li><font face=\"Calibri\">Protecting stored templates, so that the rest of the system receives only a match decision and never the template itself, limits what an adversary gains from compromising the storage system.<\/font><\/li>\n<li><font face=\"Calibri\">Obtaining users\u2019 consent for the use of their biometrics may limit the legal concerns of companies employing biometrics around compromised stored biometric information.<\/font><\/li>\n<li><font face=\"Calibri\">Auditing and logging should be employed to ensure proper use, maintenance, and control of biometric devices and systems.<\/font><\/li>\n<\/ul>\n<p><font face=\"Calibri\"><strong>Risks<\/strong><\/font><\/p>\n<p><font face=\"Calibri\">The security risk of using biometrics depends on the information or valuables protected by the biometric system.\u00a0 Serious privacy issues may arise from stolen biometric information: unlike a password or keycard, a biometric cannot be changed, so once compromised it remains compromised for the life of the user.<\/font><\/p>\n<p><font face=\"Calibri\"><strong>Conclusion<\/strong><\/font><\/p>\n<p><font face=\"Calibri\">Biometrics can be a valuable security addition as a complementary form of authentication.\u00a0 By requiring both a password and a biometric identifier, the authentication mechanism becomes two-factor instead of single-layered.\u00a0 Biometrics should not be used unless the storage of the biometric data can be secured and monitored effectively.<\/font><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary Biometrics is an authentication mechanism that identifies or verifies a person from physiological characteristics assumed to be unique to that person.\u00a0 Biometric devices employ fingerprint recognition, hand geometry, retina scanning, and other methods to identify or verify a person against stored biometric information (the enrolled template).\u00a0 &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/01\/11\/security-review-biometrics\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":28,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,9,5],"tags":[],"class_list":["post-40","post","type-post","status-publish","format-standard","hentry","category-physicalsecurity","category-privacy","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/40","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/28"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=40"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/40\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=40"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=40"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=40"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
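The defenses the review recommends, a second factor alongside the biometric plus protected and audited template storage, as an added example that is not code from the original post. It assumes a biometric sample represented as a fixed-length bit string compared by Hamming distance (an iris-code-like scheme), an illustrative 30% match threshold, PBKDF2 for the password factor, and an exact-repeat check as a cheap guard against replayed or residual sensor data; the store, the user and every sample are constructed for the demonstration.

```python
"""Two-factor verification backed by a biometric template store.

Added example for this review (not code from the original post).
Assumptions: a sample is a fixed-length bit string compared by Hamming
distance; MATCH_THRESHOLD, the PBKDF2 parameters and the in-memory
store are illustrative choices; all samples below are constructed.
"""
import hashlib
import hmac
import os
import random
from dataclasses import dataclass
from typing import Optional

TEMPLATE_BITS = 256
MATCH_THRESHOLD = 0.30  # assumed: largest fraction of differing bits still accepted


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bit positions in which the two samples differ."""
    if len(a) != len(b):
        raise ValueError("samples must have the same length")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


@dataclass
class _Enrollment:
    salt: bytes
    pw_hash: bytes
    template: bytes                     # never handed back to callers
    last_sample: Optional[bytes] = None


class BiometricStore:
    """Holds templates and answers only 'match or not'; the template never leaves."""

    def __init__(self) -> None:
        self._users = {}
        self.audit = []                 # in-memory audit log (constructed)

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _log(self, event: str, user: str, **detail) -> None:
        self.audit.append({"event": event, "user": user, **detail})

    def enroll(self, user: str, password: str, sample: bytes) -> None:
        salt = os.urandom(16)
        self._users[user] = _Enrollment(salt, self._hash_password(password, salt), sample)
        self._log("enroll", user)

    def verify(self, user: str, password: str, sample: bytes) -> bool:
        """Both factors must pass; callers get only True/False, the reason is audited."""
        rec = self._users.get(user)
        if rec is None:
            self._log("deny", user, reason="unknown user")
            return False
        if not hmac.compare_digest(self._hash_password(password, rec.salt), rec.pw_hash):
            self._log("deny", user, reason="bad password")
            return False
        # Live captures never repeat bit-for-bit; an exact repeat of the last
        # accepted sample indicates a replay or residual data on the sensor.
        if rec.last_sample is not None and sample == rec.last_sample:
            self._log("deny", user, reason="replayed sample")
            return False
        distance = hamming_fraction(sample, rec.template)
        if distance > MATCH_THRESHOLD:
            self._log("deny", user, reason="biometric mismatch", distance=round(distance, 3))
            return False
        rec.last_sample = sample
        self._log("allow", user, distance=round(distance, 3))
        return True


def perturb(sample: bytes, flips: int, seed: int) -> bytes:
    """Constructed 'live capture': the template with `flips` random bits inverted."""
    rng = random.Random(seed)
    bits = bytearray(sample)
    for pos in rng.sample(range(8 * len(bits)), flips):
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)


def demo() -> dict:
    """Constructed scenario: one genuine user, a replay, a bad password, an impostor."""
    rng = random.Random(1)
    template = bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BITS // 8))
    impostor = bytes(rng.getrandbits(8) for _ in range(TEMPLATE_BITS // 8))
    store = BiometricStore()
    store.enroll("alice", "correct horse battery", template)
    capture = perturb(template, flips=20, seed=2)      # about 8% sensor noise
    return {
        "genuine": store.verify("alice", "correct horse battery", capture),
        "replay": store.verify("alice", "correct horse battery", capture),
        "wrong_password": store.verify("alice", "wrong", perturb(template, 20, 3)),
        "impostor": store.verify("alice", "correct horse battery", impostor),
        "audit": [e["event"] + ":" + e.get("reason", "ok") for e in store.audit],
    }


if __name__ == "__main__":
    print(demo())
```

The store fails closed: every path that does not satisfy both factors returns False, and the caller never learns which factor failed or sees the template, while the audit log records the reason for each decision. A real deployment would keep the template inside a secure element or encrypted store rather than process memory; the interface shape (decision out, template never out) is the point being shown.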