Friday, December 23, 2011

Biometrics in Their Proper Security Context

Here's a really good article that, on its surface, is about the facial recognition capabilities included in the Android 4.0 mobile operating system. It also communicates a couple of important security concepts: deterrence and layers.

Facial Recognition and The Club (IT Business Edge via @m2sys)

Deterrence:
I don't have to be faster than the bear, I just have to be faster than you.
OR
Don't be the lowest-hanging fruit.
In the bigger picture, it's useful to think of The Club. The device, which clamps onto opposite sides of an automobile's steering wheel to prevent its turning, isn’t enough to prevent a theft. It is enough, however, to require at least a moderate level of expertise (and, in this example, tools) to get it off. There simply are so many totally unprotected targets – cars in one case, mobile devices in the other – that it doesn’t take too much to make the thief move on to lower-hanging fruit. The Club and facial recognition are deterrents, not foolproof safeguards.
Layers:
Just because my house has locks on the doors and windows, doesn't mean I'm in favor of dissolving the police department.
The danger is that the technology will be seen as all the device owner needs to do to be safe. That isn’t the case. Serdar Yegulalp at Byte has it about right in his view that biometrics is best seen as one tool in the security tool chest:
There's ways to fix the facial unlock function to make it more useful. Schneier mentions in his piece how fingerprint readers could be programmed to prevent cheating by detecting a pulse or a pore pattern. Facial unlock, likewise, could be reprogrammed to only work if the person winks or smiles - two things a photo definitely can't do.
There are those who object to biometric identity management measures on aesthetic grounds. That's fine. There's no accounting for taste. The argument that biometric security applications are useless because they are imperfect as stand-alone solutions is, however, without merit.