Threat of Biometrics to Security and Its Structure

Threats of biometrics to privacy, democracy and humanity are already taken up by quite a few people, but not many people are discussing the threat of biometrics to security, and many of those who do are often carried away by the eye-catching "known" incidents of spoofing and leakage. Few people pay attention to the base-layer problem solidly inherent in biometrics technology.

Assume an extremely unlikely scenario in which someone comes up with a set of dream solutions that rule out spoofing and leakage of biometric data altogether. Even such 'perfect biometrics' would only provide a level of security lower than password/pincode-only authentication in cyberspace, because biometrics needs to be deployed with a fallback measure (usually a default password/pincode) against false rejection (false non-match), in a 'multi-entrance' deployment. https://www.dhirubhai.net/pulse/quantitative-examination-multiple-authenticator-hitoshi-kokumai/

This peculiarity of biometrics constitutes the base layer of the threat to security. On top of this base layer, biometrics gives us additional layers of vulnerabilities: spoofing and data leakage, which are likely to haunt us for a long time in the real world.
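The arithmetic behind the 'multi-entrance' claim, as an added example that is not part of the original article. It assumes the two authenticators fail independently and that even a biometric free of spoofing and leakage keeps a non-zero false-acceptance rate; the probabilities are constructed, and `Authenticator`, `multi_entrance`, `multi_layer` and `simulate_break` are illustrative names.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Authenticator:
    name: str
    p_break: float   # chance an attacker passes this entrance (assumed value)
    p_reject: float  # chance the legitimate user is falsely rejected (assumed value)

def multi_entrance(a, b):
    """OR: either authenticator opens the account (biometric with fallback password)."""
    return Authenticator(f"{a.name} OR {b.name}",
                         1 - (1 - a.p_break) * (1 - b.p_break),  # attacker needs one
                         a.p_reject * b.p_reject)                # user fails only if both fail

def multi_layer(a, b):
    """AND: both authenticators must pass (true two-factor)."""
    return Authenticator(f"{a.name} AND {b.name}",
                         a.p_break * b.p_break,                    # attacker needs both
                         1 - (1 - a.p_reject) * (1 - b.p_reject))  # user fails if either fails

def simulate_break(auths, mode, trials=200_000, seed=1):
    """Monte Carlo cross-check of the closed forms above."""
    rng = random.Random(seed)
    combine = any if mode == "or" else all
    hits = sum(combine([rng.random() < a.p_break for a in auths])
               for _ in range(trials))
    return hits / trials

# Constructed sample figures, not measurements.
PASSWORD = Authenticator("password", p_break=0.01, p_reject=0.02)
# "Perfect" biometric: no spoofing, no leak, only residual false accept/reject.
BIOMETRIC = Authenticator("biometric", p_break=0.001, p_reject=0.03)

OR_DEPLOY = multi_entrance(BIOMETRIC, PASSWORD)   # what a fallback password creates
AND_DEPLOY = multi_layer(BIOMETRIC, PASSWORD)     # what "two-factor" would require

if __name__ == "__main__":
    for d in (PASSWORD, OR_DEPLOY, AND_DEPLOY):
        print(f"{d.name:24s} break={d.p_break:.6f} reject={d.p_reject:.6f}")
    print("simulated OR break rate:", simulate_break([BIOMETRIC, PASSWORD], "or"))
```

The fallback removes false-rejection lockouts (convenience goes up) at the price of a break probability that can never fall below that of the password alone.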

 By the way, as for the threats of spoofing and leakage, we need to assess both “known” incidents or precedents and “unknown” threats.

 Just as the threat of man-made crimes should be assessed differently from the threat of natural disaster, new threats of ever-evolving digital crimes should be assessed differently from the time-honored threat of pre-digital crimes. If we have to wait for an incident or precedent to be “known to us” before we are allowed to discuss the threat, we would never be able to logically and mathematically identify the threat and prevent the identified threat from actually turning into an incident or precedent.

 Whether a logical and mathematical reasoning of a potential threat is correct or wrong can only be tested logically and mathematically, not by whether it is known to us or not, whereas a physical phenomenon, for instance, whether this key fits into that lock or not could be tested physically.

 Separately we could assess the threats of biometrics to the security of individual persons as well as that of the overall networks. Attacks on individuals must not be dismissed as a trivial matter.

 Mr. A, for instance, is not wealthy so he can be confident that no bad guys would try to attack his accounts for money. He cannot be confident, however, that no bad guys would try to break into his accounts for personal revenge or harassment. He believes he has lived honestly, trying not to harm anyone. But it does not guarantee that he does not get hated. When his biometric data gets leaked, it could be an issue of life and death for him and his family.

 And it goes without saying that there are millions and millions of individuals whose money, power and influence bad guys would not hesitate to spend their resources to pursue.

 Moreover, we know of the tragic events that actually happened: https://www.valuewalk.com/2018/02/biometrics-aadhaar-danger/ In this article we referred to an ill-thought-out deployment of biometrics, with graphs explaining what false rejection and false acceptance are.

 As such, it is really sad to see so many people being (mis)led to believe that, although biometrics may be a threat to privacy, democracy and humanity, biometrics must be supported by governments and citizens because it contributes substantially to better security. This is a big myth that must be busted.


< Related Videos and Articles >

Video 1: Biometrics in Cyber Space - "below-one" factor authentication

Video 2: Six Reasons to Believe Biometrics Don't Ruin Cyber Security

Early models of smartphones were safer than newer models - How come?

What would it be like if Vested Interests or Sunk Costs are placed above Logic?

Biometrics as a Threat to Security, Privacy, Convenience and Economy

Digital Lemming’s Congested Competition for Bestseller Snakeoil



#identity #authentication #password #security #safety #ethic #privacy #civilrights #democracy #biometrics

Debesh Choudhury, PhD

Information Security Researcher, Academician, Entrepreneur | Password & Cybersecurity, Digital Identity, Biometrics Limit, 3D Education | Linux Trainer | Writer | Podcast Host

5 years ago

Dawid Jacobs For online authentication or identification, the physical fingerprint biometrics has to go through electronic fingerprint biometrics. Do you agree? It is not clear to understand your points from the long exchange of comments below.

Dawid Jacobs

Inventor of the only solution to nullify the $10.5T+ global problem of Deepfake Synthetic Identities.

5 years ago

Hitoshi Kokumai, I am referring only to fingerprints - and this is where many without knowledge of Fingerprints are missing the object of my questions or statements. There exists a major difference between "electronic" fingerprint biometrics and "physical" fingerprint biometrics. You made this statement in your link: "Whether a logical and mathematical reasoning of a potential threat is correct or wrong can only be tested logically and mathematically, not by whether it is known to us or not, whereas a physical phenomenon, for instance, whether this key fits into that lock or not could be tested physically." This is the difference between fingerprints and other biometrics, it can be tested physically. Where the "electronic" fingerprint biometrics (AFIS using algorithms) can have a False Rejection or Accepting, factor, the use of "physical" fingerprint biometrics as back-up to it can make it a 100% or 0% match. The eye is a precision instrument, it can detect, identify, match and verify minutia found on a fingerprint much better than any computer. The other reality, is that if a large database of fingerprints in "physical" format is stolen, hacked or exposed, you can't use it, without having direct contact with the person it belongs to. It belongs to a specific body and with 'physical' biometrics in place, it is worthless to anyone but the owner thereof. This is the difference between fingerprints and all other biometrics which is only being used in "electronic" format. You can change anything in computer format, but if you want to change "physical" fingerprints, you have to either cut off the digit or scar it right through to the dermis, but also then, all that you have done, is create a new "scarred" fingerprint which can be matched and verified against the new data of a subject with the trained eye of a Fingerprint Expert. It is for this reason that we have created a solution based on Forensics with Fingerprints as core Biometric (electronic and physical).
The Key fits 100% or 0%.

Debesh Choudhury, PhD

Information Security Researcher, Academician, Entrepreneur | Password & Cybersecurity, Digital Identity, Biometrics Limit, 3D Education | Linux Trainer | Writer | Podcast Host

5 years ago

Well articulated points Hitoshi Kokumai.. The password security systems are the weakest links in the Internet driven world. Since no password security system is 100 percent foolproof, we need to choose wisely which password security system(s) to be adopted for authentication and identification. I fully agree that the governments and the service providers must NOT force people to accept biometrics as the only authentication / identification tool, because it is creating problems.

Santokh Saggu

X-Ray(Metaphor) | Music Composition | Design & Build Software , Electronic Devices & Mobile Apps by combining & riveting together multidisciplinary technologies and multitude of ideas | Psychology | Philosophy

5 years ago

The problem is, the person who designed Aadhaar is a highly successful person because he was a team member of a billion dollar company. Another problem is that people get easily influenced by the massive success of any individual. So, people not only consider a highly successful person equal to God, but they also develop the perception that whatever the highly successful person does or says is the word of God, and it cannot be wrong. And then it becomes very difficult to make the people understand the consequences of the actions of a highly successful and highly influential person.
