GCHS Use of Biometrics


This is a Letter to the Editor that I sent in a while back, and I am finally putting it on my blog. Enjoy.

The November 9th edition of the Daily Journal featured an article describing Greenwood Community School Corporation's use of fingerprint scanners to secure its computers. The article quoted Joe Huber, GCSC's director of information systems, saying, “there's no combination of letters or numbers to try to crack”.

That statement is false. As any knowledgeable computer user knows, all information that goes into and is stored by a computer gets converted into a series of ones and zeros. The same goes for a fingerprint that is scanned by a computer. Thus to a computer a fingerprint is no different than a combination of letters and numbers. Just because an attacker can't crack the “password” doesn't mean that a biometric system is more secure.

Using one's fingerprint as a password only gives the appearance of security because it's a fingerprint. It is no more secure than using a single, really long password. It's actually much less secure than a different password for each system because every system would be using the same “password”. An attacker would either have to capture the raw fingerprint data to gain access to all the information that that fingerprint is allowed to access or get a hold of the entire database of fingerprints. Either way using fingerprints alone only decreases the overall security of the information it's trying to protect.

Biometrics also presents another problem: a user's fingerprint can't be changed. There are only a handful of “passwords” available unless their toes are counted too, and if their toe-prints get captured by an attacker then there's not much left to scan on the body.

There are two possible solutions that are more secure: password managers or a public key infrastructure. Password managers are just that, programs that manage and securely store a list of passwords. The only password that can be captured is the one that is used to open the list of passwords, instead of a password that grants access to a system.

While using a password manager doesn't get rid of the multitude of passwords, a public key infrastructure can provide the only secure means of verifying a user's identity on a computer network while using a single password. In a public key infrastructure, the only password in use is the one that unlocks the user's key. With the proper setup, a public key infrastructure can serve as the basis for a secure login, along with other benefits. To be completely secure, a public key infrastructure would require smart cards that store the user's key and can also perform encryption on the card.
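The login flow this paragraph describes, as an added sketch that is not part of the original letter: the password only unlocks a private key on the user's side, and the server checks a signature over a fresh challenge using the public key alone. It assumes Node.js's built-in `crypto` module and Ed25519 keys; `enroll`, `answerChallenge`, `LoginServer` and the user name are hypothetical, and certificates and smart cards are left out.

```javascript
const crypto = require("crypto");

// Enrollment (user's side): private key is kept encrypted under the password; only the public key leaves.
function enroll(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519", {
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem", cipher: "aes-256-cbc", passphrase: password },
  });
  return { publicKey, encryptedPrivateKey: privateKey };
}

// Login (user's side): the password unlocks the key locally, and the key signs
// the server's challenge. Returns null when the password is wrong.
function answerChallenge(encryptedPrivateKey, password, nonce) {
  try {
    return crypto.sign(null, nonce, { key: encryptedPrivateKey, passphrase: password });
  } catch { return null; }
}

// Hypothetical server: holds public keys and one pending challenge per user.
class LoginServer {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  register(user, publicKey) { this.publicKeys.set(user, publicKey); }
  challenge(user) {
    const nonce = crypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  verify(user, signature) {
    const nonce = this.pending.get(user);
    const publicKey = this.publicKeys.get(user);
    this.pending.delete(user); // a challenge is good for one attempt only
    if (!nonce || !publicKey || !signature) return false;
    return crypto.verify(null, nonce, publicKey, signature);
  }
}

function demo() {
  const password = "constructed sample password"; // constructed for this example
  const { publicKey, encryptedPrivateKey } = enroll(password);
  const server = new LoginServer();
  server.register("alice", publicKey);
  const sig = answerChallenge(encryptedPrivateKey, password, server.challenge("alice"));
  const login = server.verify("alice", sig);
  server.challenge("alice"); // next login attempt gets a new challenge
  const replay = server.verify("alice", sig); // the earlier signature, reused
  const wrong = answerChallenge(encryptedPrivateKey, "guess", server.challenge("alice"));
  return { login, replay, wrongPasswordRejected: wrong === null };
}
console.log(demo());
```

Unlike a fingerprint template, nothing the server stores or sees on the wire can be presented again to log in: the signature is bound to one random challenge.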

Both password managers and a public key infrastructure offer greater security than a biometric fingerprint scanner appears to offer or ever can offer, and if Joe Huber believes that biometrics is a cure-all, then he's neither paranoid enough nor informed enough to be in charge of a school corporation's computer security.
