Network World

Biometric blooper?

National identity cards might benefit from two-factor authentication
Security Strategies Alert By M. E. Kabay, Network World, 07/15/2008

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.

Regular readers may know that I detest passwords as a method of authentication and have leaned towards tokens and biometric authentication as more secure, less expensive solutions for identification, authentication and authorization. However, my friend and colleague Frank Platt, a distinguished expert in physical security and emergency management for the last 40 years, sent me an interesting e-mail message recently and I asked him if we could publish it for the readers of this column.

The remainder of this column is Frank's (with minor edits):

* * *

The U.K. is planning to launch a national biometric identity card next year, along with a national database to include all the citizenry. This card will certainly be convenient when purchasing or banking or to quickly authenticate one's identity. But the whole idea may be deeply flawed.

On June 8, the London _Daily Mail_ carried an article whose headline was "Mafia will steal millions of biometric identities, MPs warned." The article covers a report to Parliament by Ross Anderson, professor of security engineering in the Computer Laboratory at the University of Cambridge in England and a well-known contributor to the security community. His point is that criminals can easily steal biometric scans.

Once that happens, it is not possible to re-enroll the person whose identity is compromised. You can't issue someone a new fingerprint [although MK notes that you can enroll another finger], or a new retina, or a new face. So once a person's biometric data are compromised, they will have to be out of the proposed system forever. There are much better ways for secure authentication, he suggests – for example, using chips within an ID card, PIN numbers, and perhaps random keypads.

I too offer a suggestion (not knowing exactly what the U.K. has in mind): two-factor authentication. If a PIN is required when using the national ID card and also a keypad with random key locations, the PIN can then seed an encryption process. Since the authentication process will first assign each 0-9 number to randomly selected keys on the keypad, the encrypted packets will be different each time. Then, if an identity is compromised, the PIN can easily be reissued. The person recording the biometric scan does not know the PIN, so simply changing the PIN can reestablish security. A new finger won't be necessary.

M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.
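
The two-factor idea in Frank's suggestion can be sketched in code. This is an added example, not part of the original column and not the U.K. scheme: the column does not specify the "encryption process", so a salted PBKDF2 hash of the PIN is assumed here, and the function names, PINs and keypad layouts are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this example

def scramble_keypad():
    """Random layout for one session: layout[position] = digit shown there."""
    digits = list("0123456789")
    secrets.SystemRandom().shuffle(digits)
    return digits

def press_positions(pin, layout):
    """What an observer or skimmer records: key positions, not digits."""
    return [layout.index(d) for d in pin]

def enroll_pin(pin):
    """Keep only a salted, slow hash of the PIN; reissuing means re-enrolling."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)

def verify(record, biometric_ok, positions, layout):
    """Both factors must pass: biometric match AND the PIN for this layout."""
    salt, stored = record
    pin = "".join(layout[p] for p in positions)
    derived = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return biometric_ok and hmac.compare_digest(derived, stored)

def demo():
    # Constructed sample data: two fixed layouts stand in for two sessions.
    session1 = list("3814706925")
    session2 = list("0123456789")
    record = enroll_pin("4821")
    seen = press_positions("4821", session1)           # observer's recording
    results = {
        "owner": verify(record, True, seen, session1),
        "replayed_positions": verify(record, True, seen, session2),
        "no_biometric": verify(record, False, seen, session1),
    }
    # Biometric and PIN both stolen: reissue the PIN, keep the same finger.
    record = enroll_pin("7305")
    results["old_pin_after_reissue"] = verify(
        record, True, press_positions("4821", session2), session2)
    results["new_pin_after_reissue"] = verify(
        record, True, press_positions("7305", session2), session2)
    return results

if __name__ == "__main__":
    print(demo())
```

Key positions recorded in one session decode to a different PIN under the next session's layout, and re-enrolling the PIN invalidates a stolen one without touching the biometric.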

Comments (4)
A New Meaning to "First Response"
By Anonymous on September 29, 2008, 3:05 pm
This one was related by a SANS instructor: a company started implementing retina scans, as one factor in a two-factor identification system. But some women were...

a boondoggle to be sure
By Anonymous on August 13, 2008, 9:40 am
Looks like more busy work by the politicians. Grasp on to a hot topic, throw taxpayer money at it and drop it later. By the way, what mafia? Couple guys get together...

government-based biometric database is scary
By pjbrockmann on July 15, 2008, 10:45 am
I can't think of a more ominous thing than a giant government database of biometric data on its citizens. This is the stuff of B movies. Maybe the UK should experiment...

e passports
By Robert Harris on July 15, 2008, 9:51 am
What is particularly disturbing to me is the effort, both physical and monetary, being put forth by governments to CONTROL every movement and aspect of the populace....
