I ran into this article in a few different places: in Malaysia, a man had his car stolen and his finger chopped off with a machete so that the carjackers could start the biometrically secured car later. Are biometrics really the answer? Let’s figure out what the question is first.
The question is, what is the best way to secure something while keeping it still usable? Well, the usability of biometrics is questionable (what if I don’t have fingers?) but let’s see what we are trying to secure first. In this case, the car in question was worth $75k in resale. I don’t know the man personally, but I would suggest that it’s not worth $75k to lose a finger if you were to ask him in retrospect.
Now computers are beginning to be outfitted with the same technology. For instance the Apple has a blog post about adapting your laptop with fingerprint technology. Although technically interesting, does it actually do what you want? Are your files still secure, and is your finger secure? Frankly, nothing I own is worth any of my body parts, but that’s just me.
The interesting part of biometrics, if you aren’t already familiar with them, is the crossover error rate (CER). The CER on a fingerprint is 1:500, compared to a retinal scan, which is closer to 1:10,000,000. So in that sense it is not practical (although I’d rather lose a finger than my eye any day). That and the gummi bear attack make fingerprints a fairly substandard authentication technique compared to passwords.
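What a crossover error rate measures, as an added example that is not from the original post: the matcher scores below are constructed sample data and the function names are hypothetical. It sweeps the accept threshold and reports the point where the false accept rate (FAR) equals the false reject rate (FRR).

```python
# Constructed sample data: similarity scores (0-100) from a hypothetical
# fingerprint matcher. Higher means "more likely the same finger".
GENUINE = [42, 55, 61, 68, 72, 77, 81, 85, 90, 94]   # same-finger attempts
IMPOSTOR = [12, 18, 23, 27, 31, 35, 39, 44, 58, 63]  # different-finger attempts


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when scores >= threshold are accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a threshold and return
    (threshold, FAR, FRR) at the point where FAR and FRR are closest."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1:]


def as_ratio(rate):
    """Express an error rate in the "1:N" form used for CER figures."""
    return "never" if rate == 0 else f"1:{round(1 / rate)}"


if __name__ == "__main__":
    for t in (44, 58, 68):
        far, frr = error_rates(t)
        print(f"threshold {t}: FAR {as_ratio(far)}, FRR {as_ratio(frr)}")
    t, far, frr = crossover()
    print(f"crossover at threshold {t}: CER {as_ratio(far)}")
```

Raising the threshold past the crossover point drives false accepts down and false rejects up, which is why a single CER figure is used to compare sensors rather than either rate alone.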
Is it all worthwhile? I think the concept of biometrics is interesting, but it lacks some pretty obvious safeguards, and if I can just chop someone’s finger off, why wouldn’t I (assuming that the goal was worth it)? But would it matter? Let’s take the laptop idea for a second. The fingerprint scanner does not encrypt the drive, and does not lock out the hardware. Ripping out the drive, booting and rooting it will still give you access to the same information without requiring an actual finger. Not a particularly good security device in that regard. Sure, you could encrypt the drive, put volatile information on a car that will destruct if removed, etc… but who does that other than the guys at HavenCo?
Ultimately, I think I’ll just stick to passwords for now. No need to remove body parts… just stick to rubber hose cryptanalysis on me - at least I can give up my password without any blood.