“Voice print verified.” It used to be the stuff of movies – back when computers were command-line, monitors glowed green, and even a short sequence of numbers were an almost uncrackable password.
Now Android verifies identify with your face. The Xbox One will listen for your voice, read your heartbeat, and even sense your mood. Apple’s rumored to be building a fingerprint scanner into an iPhone.
Passwords were mostly things we knew – they could be forced or tricked from us, guessed, hacked, or otherwise compromised. At their best, they were gnarly strings of pseudo-random characters whose complexity, it was hoped, made them too difficult to be broken in a universe without quantum computing.
Now “passwords” can also be things we have. Never mind access cards, phones, or other dongles, they can be biometrics. They can be parts of our bodies.
How would we change our eyes, our thumbprint, or our capillary pattern, if that ever got compromised?
Thumb and iris scans are some of the most commonly seen, at least on TV and in movies. What happens if, or when, those are compromised? The imaginative folks in Hollywood have show us everything from prosthetics to chopped-off hands and gouged-out… okay, this is getting grisly.
It seems like a week doesn’t go by without some website or app announcing a breach and advising us to change our password. Changing a bunch of letters, numbers, and symbols is easy enough. How would we change our eyes, our thumbprint, or our capillary pattern, if that ever got compromised?
The answer seems to be not storing any actual biometric data that can be hacked, but storing something based on the biometric data that can’t be reverse engineered, but could be changed to some other thing based on the same data if and when it’s hacked.
Like any form of authentication, fingerprint scanners are susceptible to fooling. The Discovery channel series Mythbusters tackled fooling fingerprint scanners in a 2006 episode. Hosts Kari Byron and Tory Belleci were tasked with tricking a fingerprint scanner into believing that they were fellow Mythbuster Grant Imahara.
After obtaining a clean copy of Imahara’s fingerprint front a jewel CD case (despite his knowing about their mission and taking steps to clean up his fingerprints), Byron and Belleci made three copies of the fingerprint – one etched into latex, another made of Mythbusters favorite ballistics gel, and one merely of the pattern printed onto a piece of paper.
Tested against both an optical scanner and one that was touted to be “unbeatable” thanks to its ability to detect temperature, pulse rates, and skin conductivity, all three methods were able to fool the scanners when wetted with a lick. Even the paper.
Technology, well implemented, could mean this will never be a problem. But how often have we learned technology we thought well-implemented turned out to be no such thing? Is it even possible to make something reverse engineering-proof?
Science fiction is again becoming science fact, but the one thing that isn’t changing is us. It’s our responsibility to make sure that before we give over our irises and thumbs and skeletons, we make sure, to the limits of our ability to inform ourselves, that it’s being done securely, and in a way that prevents any of our actual biometric data from being compromised even if the system and our informational data is.