Government Computer News
NIST identifies good and bad points of biometrics
Digg
De.licio.us
Slashdot
Technorati
Image:
Craig Watson of NIST’s IT Lab examines one of millions of fingerprints used to evaluate accuracy of biometric identifiers.
The act calls for biometric identifiers on noncitizens’ travel documents by October 2004, and “it’s going to happen whether you like it or not,” said Charlie Wilson, manager of the Imaging Group in the NIST IT Lab’s Information Access Division.
NIST came to four preliminary conclusions:
- Iris scans rely on proprietary technology that makes evaluation of their accuracy difficult.
- Fingerprints work pretty well, but accuracy needs to be better for widescale use.
- Facial recognition technologies aren’t mature yet.
- No biometric technology works well enough to be relied on by itself.
Biometric identifiers “always look stronger and easier in theory than they are in practice,” author and security consultant Richard Smith said. “Effective enrollment is difficult, and physical spoofing is a lot easier than we would like.”
Smith, who has worked on a number of federal IT security projects, described the challenges of biometric identification at the Black Hat Briefings in Las Vegas last month.
“As a practical matter, simply using biometrics by itself doesn’t work,” he said, because all biometric systems make errors. If sensitivity is reduced to make a system user-friendly, the number of false acceptances rises, hindering security.
Likewise, increasing sensitivity to heighten security results in high numbers of false rejections and inconvenience for users.
Multiple readings are necessary to create an accurate enough biometric pattern to confirm identity. That makes enrollment time-consuming and expensive for large numbers of people, Smith said.
Keep tabs on cards
If biometric identifiers are stored on a token such as a smart card, they must be managed so that issuance, validity and revocation can be tracked.
If authentication happens over a network, data potentially could be intercepted and replayed to gain illicit admission. And, unlike a password, a fingerprint cannot be changed if compromised.
It’s even possible to fool some fingerprint readers with fake fingers or prints lifted on tape. Wilson, however, called such spoofing nonsense. It might work in a lab environment, he said, but in real-world use, say, at immigration checkpoints, spoofing would be impractical if not impossible.
| |||
| Latest News |  WashingtonTechnology.com |
FCW.com |
|
GCN.com
The latest technology news from GCN.com
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
 |
![1105 Government Information Group [happiness]](/images/1105logo_website.gif "Government Computer News [happiness]")
© 1996-2008 1105 Media, Inc. All Rights Reserved.
