Body Check: Biometrics Defeated

Biometric security devices are supposed to keep us safe. But tests by German technology magazine c't show that even highly touted systems such as retinal scanners are easily defeated, often by absurdly simple means. Reprinted with permission.

Reprinted with permission from c't Magazine.

Memorizing passwords is out. Laying your finger on a sensor or peering into a webcam can suffice to gain you immediate access to a system. There is the danger, however, that this new ease might be bought at the expense of security. How well do biometric access controls prevent unauthorized access? We have tested eleven products for you.

According to estimates by the IBIA, the international organization of suppliers of biometric devices and programs, worldwide turnover of biometric security devices and programs will this year exceed the 500 million euro mark for the first time. Although the growth is driven primarily by large-scale orders from industrial customers and administrative bodies, the number of products on the market designed for in-home and in-house PC use is rising.

The range of biometric security access tools for PCs now extends from mice and keyboards with integrated fingerprint scanners, to webcam solutions whose software can recognize the facial features of registered persons, to scanners that use the distinct iris patterns of humans to identify individuals. When the PC is booted, the security software that comes with the tool writes itself into the log-on routine, expanding it to include biometric authentication. In many instances the screen saver is integrated into the routine, allowing biometric authentication after breaks from work while the PC is still running. Sophisticated solutions, moreover, permit biometrically based protection of specific programs and/or documents.

The problem that all biometric security access procedures and devices still have in common, however, is the need to set fault tolerance limits. When a manufacturer, through appropriate hardware and software effort, sets the fault tolerance limits very narrowly, this increases the system's security, but the user-friendliness of the system is likely to decline in proportion. Should the manufacturer instead decide from the outset to permit considerable deviation, the system will be easy to use, but its protective value will be greatly diminished.
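The tolerance trade-off described above, worked through as an added example that is not part of the c't article: the deviation scores are constructed sample data, and "false accept" and "false reject" are the standard names for the two error types rather than terms the article uses.

```python
# Constructed sample data (not measurements from the article): deviation between
# a stored template and a fresh sample, in percent. Lower means a closer match.
GENUINE = [8, 12, 15, 18, 21, 25, 29, 33, 38, 45]    # rightful user
IMPOSTOR = [27, 35, 41, 48, 52, 57, 61, 66, 72, 80]  # other people


def error_rates(tolerance, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_accept_rate, false_reject_rate) for one tolerance limit.

    A sample is accepted when its deviation does not exceed the tolerance.
    """
    false_accepts = sum(1 for d in impostor if d <= tolerance)
    false_rejects = sum(1 for d in genuine if d > tolerance)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(tolerances):
    """Evaluate every candidate tolerance; returns [(tolerance, far, frr), ...]."""
    return [(t, *error_rates(t)) for t in tolerances]


def balanced_tolerance(tolerances):
    """Tolerance at which the two error rates are closest to each other."""
    return min(sweep(tolerances), key=lambda row: abs(row[1] - row[2]))[0]


if __name__ == "__main__":
    candidates = range(10, 65, 5)
    print("tolerance  false-accept  false-reject")
    for t, far, frr in sweep(candidates):
        print(f"{t:>8}%  {far:>12.0%}  {frr:>12.0%}")
    print("balanced at", balanced_tolerance(candidates), "%")
```

With this data a narrow limit of 20% admits no impostor but turns the rightful user away six times in ten, while a generous limit of 50% never rejects the user but admits four impostors in ten.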