Got Fingerprints? Biometric Security Isn't That Simple

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today is a lawyer in Bethesda, Md., specializing in privacy and security law.

Sometimes it's the little things. Apple (NASDAQ:AAPL) just announced its new version of the iPhone, and among the (mostly minor) changes, the company added a little thing that is a potential game changer: a fingerprint reader to authenticate the user. It's a simple biometric of the type that has been on many computers for years. But just as the addition of the iTunes store to the iPod transformed digital purchases, and the addition of apps to iOS transformed software, the addition of the biometric reader can transform identity management, online purchases, key management and DRM, and can be used to either enhance or destroy privacy as we know it. Or not. We will see.

There are many problems with biometrics, and with the way we currently implement biometric programs. Of course, some of them are inherent. The second thing we must do is capture the biometric (scan the fingerprint, iris, face, gait, voice, DNA, whatever) and create some form of digital representation of what we have scanned. I say "second" because the first step in any biometric solution is the hardest. We must have some way of identifying the individual who we are biometrically "fingerprinting."

For our purposes we have to accept the fact that this can't really be done. But in many cases, it doesn't matter. For many purposes, we don't care if the person accessing the bank account is really "Jane Doe." What we really care about is that the person who accessed the bank account is the same person who created it. How can you prove that I am me, and not my identical twin brother (except that I am much better looking, and not quite as skilled at emergency medicine)?

So someone asserts that she is Jane Doe, and provides some identification that we are willing to accept. After that, for biometric purposes, she is Jane Doe. Well, except when we don't want her to be. More on that in a minute.

So the first problem is the registration problem. Can't be solved. Move on.

Second is the measurement problem. When we scan anything, we are looking for physical or chemical or other properties that can be measured, that are unique to each person, that cannot be easily altered or spoofed, and that do not change over time—that is, don't expire. We may also look for the ability to measure these things from a distance, or without the consent of the subject. And we may look for the ability to measure the attribute under various conditions (weather, humidity, poor lighting or audio, gloves). Thus, measuring the biometric is not simple.

And in measuring say the fingerprint, how detailed a measurement are you making? Remember the case of Brandon Mayfield, the Portland attorney who was arrested for the Madrid train bombing? His arrest was based, at least in part, on the fact that his fingerprints "matched" those found in Madrid. But what constitutes a "match?" In that case, the FBI found 20 points of "similarity" between Mayfield and the latent train print.

Twenty out of how many? How similar? How much granularity in the pictures? It's all about probability. We have often heard the "fact" that no two people have the "same" fingerprints, but it's all conjecture, since we haven't ever compared everybody's fingerprints, have we? And what do we mean by "the same?" Art critics debate furiously over whether a Vermeer is "authentic" or a first-century ossuary is a forgery, with "experts" lined up on either side. Let's just say that fingerprint identification, while based on scientific principles, is as much an art as a science. That's why two fingerprint examiners can come to different conclusions about whether two fingerprints are a match. It's not about the science. It's about the people interpreting it. And what degree of discrepancy from a precise match is sufficient to make something not a "match"? 0.05 percent? 2 percent? 20 percent? Beats me.

Then there's the scan itself. Just as there are anomalies in the biometric, there are anomalies in the way we measure and record the biometric. Whatever scanner we use has certain tolerances and anomalies that can be exploited. Oh, and spoofed as well. Don't be so impressed by your technological wonder.

Here's where the iPhone can shine. Or not. Most biometric solutions require a large number of people to register their biometric with a central repository, which then retains that biometric (or an encrypted hash of it) in a database, which is, of course, subject to corruption, deletion, interference, spoofing, redirection, theft or whatever. That's because most biometrics ask the question "Who is this?" You get to an airport, and the scanner scans your retina and tries to identify you from a database.

The iPhone, if properly implemented, asks an entirely different question. It says, "Hmmm... I am Mark Rasch's iPhone. Are you my owner?"

To do that, of course, the math and transmission requirements are completely different. It's a yes/no question, which requires the biometric hash to be stored and accessed locally and does not require it to be transmitted anywhere. We can set the "acceptance" levels based upon what we are doing with the phone—say, low for Facebook access (probability above 95 percent is OK) and higher for banking access (require 99.95 percent accuracy).

Of course, there are problems with this. First, how does the phone know it is Mark Rasch's iPhone? How does this "knowledge" remain when the phone is stolen, lost, reformatted, etc.? And how do we "wipe" the biometric from the device?

Second, if the device is lost or stolen, can the biometric—or the portion thereof that authorized the phone—be reverse engineered, bypassed, altered, spoofed, etc.? The devil is in the details.

The iPhone biometric has the potential of enhancing privacy. Many services we use require us to input a name, address, etc. using identity as a proxy for authority. We need to know who you are to know that you are authorized to access, use, or do something.

But the truth is that in many, many of these cases, we really don't need to know who you are. I have to show an ID to buy alcohol, not because the liquor store needs to know my name and address, but because they need to know I am over 21. If I try to buy pseudoephedrine, the CVS needs to know that I am not the same person who bought it from six different stores this morning, not that I have a cold and am congested. In fact, even things that we consider embedded with identity, like banks and credit cards, really ultimately don't need identity (well, except that the government wants it). If I want to buy a candy bar with a credit card, neither the seller nor the financial institution should care that I am Mark Rasch. They should care that I have enough money in the bank (or the ability to pay) to complete the transaction.

So we can divorce identity from authorization in many cases, and protect privacy. We can permit anonymity and pseudonymity for many classes of transactions. On gaming and messaging systems, we frequently interact with people's doppelgangers and avatars. We can add a biometric component to that interaction, allowing people to remain anonymous with a strong authentication component. That is, assuming we want to.

On the other hand (there's always another hand), strong authentication means that we can track everything someone says or does. Non-repudiation is great except when you want to repudiate something. If I can track all "authenticated" interactions, I can know everything you wrote or bought, where you went, who you were with, etc. So there's that.

One possible implementation of the iOS biometric reader is to allow users to download apps, tokens or other bits of software which will look for a biometric in order to be "activated." Suppose you load your online banking app, which downloads a cookie-like thingie to your phone. You authenticate yourself to your phone with the biometric, and the cookie is then "activated."

In one possible scenario, the biometrically authenticated cookie allows you to go to the bank website as you, and then sends you an SMS message with a one-time PIN code, which likewise must be biometrically authenticated and activated. You enter the PIN code into the website, and voilà! You are in. This provides two-factor, biometrically enhanced, two-channel (out-of-band) authentication.
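To make the local yes/no design described earlier and this two-channel flow concrete, here is an added Python sketch; it is not code from the column, from Apple, or from any bank. The phone keeps the template and a dormant bank token locally, releases the token only when a scan clears the per-action acceptance level, and the bank then checks the token and a single-use PIN that it would deliver by SMS. The minutiae "templates", the similarity score, the thresholds and the user name are constructed assumptions, and wipe() shows how the biometric and tokens leave a lost device.

```python
import hashlib
import hmac
import secrets
# Constructed "templates": sets of minutiae IDs standing in for real feature data.
ENROLLED = frozenset(range(40))        # owner's enrolled print
RESCAN = frozenset(range(40)) - {7}    # same finger, 39 of 40 features recovered
STRANGER = frozenset(range(20, 60))    # different finger, 20 of 40 in common
THRESHOLDS = {"social": 0.95, "banking": 0.9995}  # lenient for social, strict for banking

def similarity(enrolled, probe):
    """Fraction of enrolled minutiae found again in the probe: a score, not an exact compare."""
    return len(enrolled & probe) / len(enrolled)

class Phone:
    """Keeps the template and dormant tokens locally; only answers 'are you my owner?'."""
    def __init__(self, enrolled, tokens):
        self._template = enrolled    # never transmitted anywhere
        self._tokens = dict(tokens)  # app name -> credential waiting to be activated

    def wipe(self):  # clear the biometric and every token from a lost or resold device
        self._template = None
        self._tokens.clear()

    def activate(self, app, probe, context):
        """Release the app's token only if the scan clears the context's threshold."""
        if self._template is None or app not in self._tokens:
            return None
        if similarity(self._template, probe) < THRESHOLDS[context]:
            return None
        return self._tokens[app]

class Bank:
    """Server side: verify the activated token, then a one-time PIN sent out of band."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)
        self._pending = {}

    def issue_token(self, user):
        return hmac.new(self._secret, user.encode(), hashlib.sha256).hexdigest()

    def start_login(self, user, token):
        if not hmac.compare_digest(token, self.issue_token(user)):
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = otp
        return otp  # in the column's flow this travels by SMS, not back to the app

    def finish_login(self, user, otp):
        # pop() makes the PIN single-use: any attempt, right or wrong, consumes it
        return hmac.compare_digest(self._pending.pop(user, ""), otp)
```

Note that a rescan recovering 39 of 40 features clears the social threshold but not the banking one, which is the per-action acceptance level the column describes.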

Sure, there are ways to defeat this, but it's still a lot better than a silly picture of a baseball or a kite!

If the iPhone also contains NFC, we can add a biometric authentication to "real world" situations that currently lack it. A doctor can carry the iPhone in her pocket, and use it to authenticate either online or offline to gain access to medical records, or to gain physical access to a hospital or specific rooms via NFC. The phone substitutes for the badge around the neck or waist. It can require reauthentication for things like prescribing scheduled narcotics, or administering certain procedures. Biometrically activated tokens are just one way to go.

We can also create biometrics that authorize things, but with a caveat. My kid wants the car keys to my NFC-activated car? I can transmit the keys with a biometric activation so that he, and only he, can drive the car, and I can include a "time out" function. Same with a door lock. I can let the housekeeper in, but prevent her from retransmitting the credentials, or using them later. I can even create a "panic" biometric. Scan the index finger on the phone at or near the ATM, and get cash. Scan the middle finger and get cash and call 911!

So the fingerprint reader has the possibility of being transformational and enabling online commerce, purchasing, music, etc. Or it could just be a cool way of avoiding a four-digit PIN to open the phone. We will see.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.