Who do you trust with YOUR biometrics?

The UK Government has been promising a biometrics strategy since 2012, but it has been repeatedly delayed and is now due to be published sometime in 2018.
The committee chairman Norman Lamb has written (see link below) expressing his disappointment in the government's position and asked for more clarity on the delay.
"I remain concerned about how the Review will be implemented as well as uncertainty on the government's position on other important areas – DNA, fingerprints and so on,"
www.parliament.uk/documents/commons-committees/science-technology/Correspondence/171219-Letter-to-Baroness-Williams-Biometrics-strategy.pdf
Biometrics are seen by many (alongside blockchain) as "the holy grail" of identity; but are in fact a potential nightmare!
Some of the problems are as follows;
  1. Who do you trust with YOUR biometrics.
    We assume the fingerprint on our phone is secured "on device", never backed-up and the NSA (or other spooks) never have access; but how does Joe Public know this? Let alone verify this? But at least the phone is a device that you (sort of) own and control.
    For everything else the question you should be asking is; “where is your biometric held and processed”? and it is usually impossible to find this out, let alone verify this – even if Joe Public knew or understood the nasty questions to ask.
     
  2. We've already seen the first beaches of biometric data;
    Biometric data stolen from corporate lunch rooms system
    https://www.theregister.co.uk/2017/07/10/malware_scum_snack_on_lunchroom_kiosks/

    UIDAI says Aadhaar system secure, refutes reports of biometric data breach
    http://smartinvestor.business-standard.com/pf/pfnews-479889-pfnewsdet-UIDAI_says_Aadhaar_system_secure_refutes_reports_of_biometric_data_breach.htm

    OPM Now Admits 5.6m Feds’ Fingerprints Were Stolen By Hackers
    https://www.wired.com/2015/09/opm-now-admits-5-6m-feds-fingerprints-stolen-hackers/

     
  3. Processing and replay attacksWhen you place your finger on a sensor or have your photo taken on (for example) a door entry system; where is this processed?
    • Is it on a secure chip?
    • Is it passed as a raw data capture over the wire or is there some form of encoding performed?
    • Can what is passed over the wire be replayed?
    • Is it processed on a central PC or server controlling the doors, or possibly multiple doors?
    • Or (because it faster/cheaper) processed on a cloud system?
    • Or maybe it goes off to an army of people in China or India (because people are better at facial recognition matching) who get the two photos to compare and then click “match” or “no-match”?  Bottom line, even if you knew to ask, there is no easy way of knowing how the system is architected, or how your data is being handled. Lifting fingerprints off the wine glass to gain entry are the stuff of “Mission Impossible” and films of a similar genre, but how many of these solutions are vulnerable to such an attack, or liable to a replay attack?
       
  4. The locus-of-control problem (Jericho Forum Commandment #8)1;
    Biometric identity systems turns a variable (maybe Person) to a binary (IS Person), according to some undisclosed (to the person taking the risk) criteria, which is probably de-tuned to ensure minimal false positives.
    Thus in a global identity ecosystem if I get an "IS DEFINITELY Person" from a Kazakhstan Bank system - do I trust it? (probably not), thus;
    The only solution is that you have to enrol your biometric with MY system which I control and thus I understand the risk - back to the locus of control problem!
     
  5. The authentication ennoblement problem;
    Using biometrics are often perceived as, or sold as, a more secure method of authentication, quite possibly as they are usually more expensive and difficult to implement.
    More worryingly, biometric authentication is usually implemented using a system that is in effect a black box, with the person taking the risk having no knowledge of how that binary “passed authentication” is actually arrived at; or even how many attempts it took, or the probability of the match.
     
  6. The access-creep problem;
    Try this simple experiment; register your fingerprint as (say) #6 on your friends or partners phone (with their permission), now set them up for e-banking, and get them to enable fingerprint authentication. Now simply access their e-banking app using your fingerprint!
    Yes it's trivial, but its access-creep - yes my partner was happy for me to unlock their phone (useful for me to look at traffic if they are driving or to make a phone call) but they never understood this would also let me have full access to their bank account.
    The bank (or whoever) just sees fingerprint authentication as a "stronger" authentication method than PIN and applies, possibly incorrectly, a higher level of trust. At least with a PIN code I can have a four digit PIN for my phone unlock and an (enforced) six-digit PIN (and thus different PIN) for my e-banking.
The conclusion we came to when looking at how a global identity ecosystem should be designed, is that YOUR biometric should only be held in a dedicated device, under your control, which only releases a crypto-proof of "sameness".
Ultimately, biometrics will only be truly usable if the entity taking the risk is able to evaluate the complete risk-chain; from how the human authenticates to the device, and then all the attributes of the components in-between.
If you couple this with the device able to assert both "model" and "chain of custody" (and potentially "duress"), then you have a robust model by which the entity you are asserting the sameness to; can make a risk-based decision as THEY understand the full risk-chain.


References:

  1. Jericho Forum Commandment #8 – “Authentication, authorization, and accountability must interoperate/exchange outside of your locus/area of control”
    https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf

Paul Simmonds, CEO Global Identity Foundation, December 2017