The Risk of Using Biometrics: People Get Fat

DISA has developed a new guide detailing how individuals gain access to Defense Department computers and networks, which contains pages of cautionary warnings about the use of biometric identifiers.

Much of the guide covers today’s system, using digital identifiers on the Common Access Card backed up by passwords. But the guide, which goes by the bureaucratic title “Access Control in Support of Information Systems Security Technical Implementation Guide (STIG),” also warns that current and planned biometric identification systems carry more than their share of risks.

“A compromised password can simply be changed, however once a biometric is compromised there is no going back or changing it,” according to the STIG. “For information systems that currently accept Biometrics-only for authentication, this must be combined with another authentication method such as a password.”

“The central risk of the verification process is that the technology will mistakenly verify a user’s identity when that person is actually someone else, a phenomenon known as false acceptance,” according to the guide.

Though biometric scientists keep refining algorithms to reduce the false acceptance rate, “a perfect algorithm is essentially unobtainable because human beings are constantly changing: they age, gain and lose weight, sustain injuries, modify their behavior, etc.,” according to the guide.

Poorly designed biometric-recognition systems can be tricked into verifying someone else’s identity, the STIG reports. For example, with a poorly designed facial recognition system, an imposter may simply show the capture device a life-sized photograph of a valid user or, in the case of voice recognition, a tape recording of the valid user’s voice.

The DISA guide added: “For any biometric, one can devise a potential substitute to mimic the real user, though certainly some biometric characteristics are more susceptible to this than others. To mitigate this risk, robust biometric solutions have ‘liveness’ checks that validate the sample as coming from a live human being and not a facsimile.”

Based on the above, it appears that biometrics are not the holy grail of identification, and the DISA guide suggests they be used in conjunction with other identity verification systems.
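To make the false-acceptance point concrete, here is an added example (not from the STIG or DISA) that scores a hypothetical matcher on constructed genuine and impostor similarity scores, shows that no threshold drives both error rates to zero once the two populations overlap, and then gates access on the biometric match plus a password, as the guide recommends. The score values, the matcher and the 0.71 threshold are all assumptions made up for the illustration.

```python
import hashlib
import hmac
import os

# Constructed similarity scores (0..1) from a hypothetical matcher.
# Genuine users drift (age, weight, injuries), so their scores spread
# downward; impostors occasionally score high. The ranges overlap.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.70, 0.93, 0.83]
IMPOSTOR_SCORES = [0.20, 0.35, 0.41, 0.55, 0.62, 0.30, 0.48, 0.73, 0.25, 0.38]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) when any score >= threshold is accepted.

    FAR: fraction of impostors wrongly accepted (the STIG's false acceptance).
    FRR: fraction of genuine users wrongly rejected.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def no_perfect_threshold(thresholds):
    """True when no candidate threshold reaches FAR == 0 and FRR == 0 at once."""
    return all(error_rates(t) != (0.0, 0.0) for t in thresholds)


def register_password(password, salt=None):
    """Store a salted PBKDF2 digest; the second factor that can be changed."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)


def authenticate(score, threshold, password, salt, digest):
    """Biometric match alone is never sufficient: both factors must pass."""
    return score >= threshold and verify_password(password, salt, digest)
```

Because an impostor can score 0.73 while a legitimate user scores 0.70, any threshold either admits the impostor or rejects the user; the password check is what keeps a false acceptance from becoming an account compromise.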

I obtained the above information from a draft copy of the STIG, which is OK to write about because someone at DISA stamped the document “For Office Use Only,” instead of “For Official Use Only.”