Roger Grimes, a defense evangelist at KnowBe4, wrote on LinkedIn about the National Institute of Standards and Technology (NIST) evaluation ratings. As he explained: “Any biometric vendor or algorithm creator can submit their algorithm for review. NIST received 733 submissions for its fingerprint review and more than 450 submissions for its facial recognition reviews. NIST accuracy goals depend on the review and scenario being tested, but NIST is looking for an accuracy goal around 1:100,000, meaning one error per 100,000 tests.” “So far, none of the submitted candidates come anywhere close,” Grimes wrote, summarizing the NIST findings. “The best solutions have an error rate of 1.9%, meaning almost two mistakes for every 100 tests. That is a far cry from 1:100,000 and certainly nowhere close to the figures touted by most vendors. I have been involved in many biometric deployments at scale and we see far higher rates of errors - false positives or false negatives - than even what NIST is seeing in their best-case scenario lab condition testing. I routinely see errors at 1:500 or lower.”

In independent testing, many biometrics simply do not accurately deliver on their promise. On top of that, many vendors, including Apple (iOS) and Google (Android), make marketing choices in their settings, where they choose how stringent or lenient the authentication is. They do not want a lot of people being improperly locked out of their phones, so they choose to make it less strict, in effect giving a green light to device access by higher numbers of unauthorized people. Remember those videos showing phones letting in the children or siblings of a phone user when using facial recognition? That’s a big reason why.

Another key factor is theoretical accuracy versus real-world accuracy. Consider two popular phone authentication methods: facial and fingerprint recognition. In theory, facial recognition is much more discerning because it can consider a larger number of datapoints. In practice, though, that often doesn’t happen. Facial recognition has to deal with lighting, cosmetics, hair change and dozens of other factors. None of that is in play when using fingerprint recognition. Have you seen any children or siblings getting phone access via fingerprint?

With facial recognition, a device needs to be a precise distance from the face to read it accurately - not too close, not too far. I personally use an iPhone with Face ID and I typically see failure 60% of the time. I then adjust the difference a bit and - if I’m lucky - my phone will unlock. (Again, this is not an issue with fingerprints.)

Side note: why do many banking apps deal with check scans (yes, some companies still use checks) in a more sophisticated way? The app will typically tell you to “move the phone closer” or “move back” before it photographs the check image. Why can’t facial recognition do the same thing?

Don’t forget, too, that from an authentication perspective, a lot of the biometric deployments are a joke. Why? Because when a biometric authentication fails, access defaults to a phone’s PIN. In other words, if a thief wants to get around biometrics, all he or she has to do is fail once or twice and then deal with the easier-to-crack PIN. It’s clear that the major phone vendors use biometrics less for authentication or cybersecurity than for convenience. What’s the point? It’s a way to access a device without having to type out a PIN.

As lax as that sounds, Grimes argues that the situation is likely worse. “The NIST tests are best-case scenarios. The security is overpromised in almost every situation,” he said in an interview.

Grimes also expressed concern about the unchanging nature of biometrics. If a password or PIN is compromised, it’s easy to generate a new password or PIN. You can’t easily change your face, retina, voice or fingerprint. So what happens if biometrics are compromised?
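To make the column's two numerical arguments concrete (the gap between the NIST 1:100,000 goal, the 1.9% best result and the 1:500 field figure, and the fact that a failed biometric simply hands over the PIN prompt), here is a small risk model written as an added example; it is not code from the column or from NIST or KnowBe4. The five biometric tries before fallback, the four-digit PIN and the ten-guess lockout are assumptions chosen for illustration, and the PIN guesser is modelled as knowing nothing about the user.

```python
import math

def parse_rate(text: str) -> float:
    """Turn the notations the column uses ('1:100,000', '1.9%', '1:500')
    into a per-attempt error probability."""
    t = text.strip().replace(",", "")
    if t.endswith("%"):
        return float(t[:-1]) / 100.0
    if ":" in t:
        numerator, denominator = t.split(":", 1)
        return float(numerator) / float(denominator)
    return float(t)

def unauthorized_unlock_probability(bio_far: float, bio_attempts: int,
                                    pin_space: int, pin_guesses: int) -> float:
    """Probability that someone other than the enrolled user unlocks a device.

    bio_far      per-attempt false-accept rate of the biometric
    bio_attempts biometric tries allowed before the device falls back to the PIN
    pin_space    number of possible PINs (10**4 for a four-digit PIN)
    pin_guesses  PIN guesses allowed before lockout (0 = no PIN fallback)

    A failed biometric does not lock the device, it just presents the PIN
    prompt, so the two paths add up rather than reinforce each other.
    PIN guesses are uniform picks without replacement (no user knowledge).
    """
    p_bio = 1.0 - (1.0 - bio_far) ** bio_attempts
    p_pin = min(1.0, pin_guesses / pin_space) if pin_space > 0 else 0.0
    return 1.0 - (1.0 - p_bio) * (1.0 - p_pin)

def effective_bits(p: float) -> float:
    """Express an unlock probability as equivalent guessing strength in bits."""
    return math.inf if p <= 0.0 else -math.log2(p)

if __name__ == "__main__":
    # Assumed policy: 5 biometric tries, then a 4-digit PIN with 10 tries.
    for label, far in [("NIST goal 1:100,000", "1:100,000"),
                       ("best submission 1.9%", "1.9%"),
                       ("Grimes field figure 1:500", "1:500")]:
        bio_only = unauthorized_unlock_probability(parse_rate(far), 5, 10_000, 0)
        with_pin = unauthorized_unlock_probability(parse_rate(far), 5, 10_000, 10)
        print(f"{label:28s} bio-only {effective_bits(bio_only):5.1f} bits, "
              f"with PIN fallback {effective_bits(with_pin):5.1f} bits")
    pin_only = unauthorized_unlock_probability(0.0, 0, 10_000, 10)
    print(f"{'PIN only (4 digits, 10 tries)':28s} {effective_bits(pin_only):5.1f} bits")
```

At the NIST target the PIN fallback is the weakest link and drags the combined strength down to roughly that of the PIN alone; at the 1.9% and 1:500 rates the biometric itself is weaker than a four-digit PIN with lockout, which is the column's point in numbers.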