Biometrics Myths
Myth-buster busters
"James Bond, Ethan Hunt, and Jack Bauer circumvent biometrics all the time."
"I saw a Mythbusters episode where they opened a biometric door lock with a photocopy of a fingerprint."
"I don't want to give anyone my fingerprint."
Biometrics evokes strong responses often based on Hollywood depictions, hype based on concentrated attacks in laboratory environments, and associations with criminal investigations. Here are some common myths debunked:
Biometrics can't be hacked as easily as depicted in movies and TV
Obviously anything we see on TV or in movies needs to be taken with a grain of salt. The fact that only the richest and most powerful villains use biometric security and only the savviest heroes can break in actually reinforces the idea that biometrics is the strongest form of authentication around.
Biometrics can't be hacked easily as shown in lab environments
Mythbusters is the most mainstream example of this, but there are also individuals and groups that are able to hack or “spoof” biometrics in lab environments whose results have been publicized online. Such lab experiments rely on high-quality molds of the enrolled fingerprint as well as open access to the inner workings of the device being hacked. This is usually not the case in the real world. Also, read about security and accuracy below.
Biometrics raises the security bar
First of all, no security is 100%, and you should be skeptical of anyone who tells you their security is 100%. More importantly, the security level of any “point of attack” needs to be evaluated relative to both how valuable the target is AND the cost and effort involved in alternative ways of breaking in. Biometrics makes authentication a strong link, whereas bad guys naturally gravitate towards the weakest link.
Biometrics is very accurate
Accuracy in the biometrics industry is evaluated by such measures as the False Reject Rate (denying access to someone who should have access) and the False Accept Rate (letting in someone who shouldn’t have access). Generally accepted rates are a 0.2% False Reject Rate, meaning your system wouldn’t recognize you 1 out of every 500 attempts (a minor inconvenience), and a 1/150,000 False Accept Rate, meaning your system would incorrectly let in 1 out of every 150,000 unenrolled fingers. Keep in mind, this does not mean that if a bad guy tried to use his finger 150,000 times he would get in; it means that the bad guy would have to bring a team with 150,000 different fingerprints to try to gain access, in which case he’ll look for another way in or give up.
Fingerprint biometrics is not necessarily related to criminal investigations, government databases, or terrorist alert systems
It’s true that fingerprints have been used by crime investigators, government agencies and transportation agencies to identify people they are looking for or want to track. The fact that fingerprints are used for such critical applications is a testament to the reliability of fingerprints as a means of identifying people. But using fingerprint sensors for personal computing devices is not related to these central databases. These fingerprint sensors don’t store fingerprint images; they remember some data points that cannot be reverse engineered to create a fingerprint image. And these fingerprint sensors typically store the data points on the device, not in some central database.
Biometrics does not jeopardize privacy
As explained above, personal computing devices don’t store fingerprint images; they store data points that cannot be reverse engineered to recreate a fingerprint image. Privacy concerns about using fingerprint sensors are exaggerated considering we leave our fingerprints on everyday objects like drinking glasses, doorknobs, etc. And concerns that someone will use your fingerprint to impersonate you need to be weighed realistically relative to the cost and effort involved in alternative “points of attack” or alternative targets.
Biometrics isn't only used for security
It’s true that biometrics are used for a lot of security-related applications by governments, businesses and for consumers, but biometrics also offers the convenience of simply swiping your finger instead of remembering and typing passwords or carrying around a token or ID card. As more and more of our financial, health, and social data moves online, protecting online access with strong but convenient technology like fingerprint biometrics just makes sense.

Created on 4/17/2012 9:36:55 AM