PROS AND CONS OF BIOMETRICS
Biometric Authentication has been heralded as the future of security systems, a verification system that not only drastically reduces the risks of the systems security being compromised but also eliminates the need for much of the traditional security overhead. In recent years biometric authentication systems have become more prolific as numerous manufacturers of biometric sensing devices and middle-ware providers have entered the market. Having met with particular success in restricting physical access in high-security environments it is curious to note that this success has not been echoed where network authentication is concerned. It is with this in mind that we look at the pros and cons of biometric authentication for networks and investigate whether this slowness of uptake is an indication of things to come or whether biometric authentication is the next big thing, worthy of all the claims of it's biggest proponents.
Each form of biometric authentication has it's own strengths and weaknesses, but before going into specifics it is necessary to discuss biometrics as a whole and whether biometric authentication is a practical concept or subject to any one of a number of design flaws. The following paragraphs shall loosely be devoted to the pros and cons in that order with arguments for being given in the paragraph discussing the pros along with any counter-arguments aimed at specific points, the converse is true for cons.
Arguments in favour of adopting biometric authentication for network access are many and varied but the core arguments revolve around three key areas. The first of these is the uniqueness of biometric attributes. The uniqueness of biometric attributes makes them an ideal candidate authenticating users. The fact that fingerprints have been used as a method of identification since as early as 1858, Scotland Yards Central Fingerprinting Bureau being established in 1901 is a testament to its longevity. What better way to verify a users identity than by something that is inherent and unique to that user. The second argument in favour of biometrics in principle is one of the least disputed, with the user now unable to forget and share passwords, password administration and overhead is reduced while network security as a whole is increased. This in fact could be considered the driving argument behind the biometric authentication movement. The third argument is again that of security, it is thought to be much more difficult to replicate a biometric feature at the data acquisition stage than it is to replicate someone's user ID or password and as opposed to tokens a biometric characteristic cannot be lost or stolen.
Arguments against the introduction of biometric authentication are far more numerous. The current cost of Biometric authentication measures are, while falling, still very expensive. Not only does the hardware and software need to be acquired but it must also be integrated with the current network. The price return ratio is not as of yet satisfactory; while biometric authentication may reduce administration overheads the cost of introducing the system is still far too high. Also it must be borne in mind that as it stands, biometric authentication is only suited to simplistic networks at best. The high price couple with the fact that biometric authentication is an all or nothing technology is another argument against. By all or nothing it is meant that there is no point in having biometric authentication at every desktop on your network if someone using a laptop can remotely login in with no biometric authentication as this would completely undermine the system. While it can be argued that storing the biometric data (data of a more personal nature than a username and password) is an invasion of the users privacy proponents of biometric authentication counter that it is not the data it self which is stored but a representation of that data from which the original cannot be constructed, that said it would still need to be ensured that the data was not misused and kept secure. Given the tendency of successful technologies to spread there is a danger that the same biometric data could be used in to authenticate the user in a variety of different applications this could mean that were someone’s biometric data to be compromised it might not only compromise network security but also their bank account, their car etc. This issue is often brushed aside stating that as it stands there are so many independent incompatible vendors and products that the chances of the same biometric data being used for multiple applications are negligibly low, but with the emergence of standards as is necessary for any technology seeking global acceptance this is sure to change.
It has been mentioned that biometric data has not got the necessary attributes of a key, i.e.: secrecy, randomness and the ability to update and destroy (Schneier). Not only are your biometrics unique, but they are also unary. If your biometric data is compromised it is not simply an issue of issuing you a new password. There are also a number of other minor objections to it's use as network authentication: people's comfort level with the new technology which is always a factor, that fact that not all people are able to enrol to any one particular system, statistically between .5 and 10% of users will not be able to enrol on a given system due to features which the system is unable to extract reference point from, and the worry that a system may not recognise a valid user. This last is particularly worrying in cases where the biometric used to identify the user is one in which change is not unlikely, such as a cold for vocal analysis, any fallback authentication also compromised the integrity of the system. It should also be noted that no two reads from biometric data reader are exactly the same and while a user name and password are binary i.e. either you have access to the system or you don't, biometric authentication gives a likelihood of a match, though access can be set to be granted to those of very high likely hood, there is still an element of uncertainty which results in a not entirely secure system.
A number of other issues exist such as ensuring the measured biometric is live, but after this most of the issues are those that apply to the majority of networks today. It must be remembered that after data acquisition the biometric data is represented they same way as any other authentication measure and as such is vulnerable to the same attacks. It should also be mentioned that although storage is getting cheaper the biometric data template could take up a lot more space than regular user/password combinations.
The pros and cons associated with specific devices are highlighted below:
Fingerprint readers
Pros: Not much storage space is required for the biometric template
Cons: Has traditionally been associated with criminal activities and thus users could be reluctant to adopt this for of biometric authentication
Iris Scans:
Pros:
1- Non-intrusive, camera can be up to 12" away
2- High accuracy in identifying users
3- Low data storage requirements for template
Why this Blog ? News articles in the Wide World of Web, quite often disappear with time, when they are relocated as archives with a different url. Archives in this blog serve as a library for those who are interested in doing Research on Aadhaar Related Topics. Articles are published with details of original publication date and the url.
In 2009, I became extremely concerned with the concept of Unique Identity for various reasons. Connected with many like minded highly educated people who were all concerned.
On 18th May 2010, I started this Blog to capture anything and everything I came across on the topic. This blog with its million hits is a testament to my concerns about loss of privacy and fear of the ID being misused and possible Criminal activities it could lead to.
In 2017 the Supreme Court of India gave its verdict after one of the longest hearings on any issue. I did my bit and appealed to the Supreme Court Judges too through an On Line Petition.
In 2019 the Aadhaar Legislation has been revised and passed by the two houses of the Parliament of India making it Legal. I am no Legal Eagle so my Opinion carries no weight except with people opposed to the very concept.
In 2019, this Blog now just captures on a Daily Basis list of Articles Published on anything to do with Aadhaar as obtained from Daily Google Searches and nothing more. Cannot burn the midnight candle any longer.
"In Matters of Conscience, the Law of Majority has no place"- Mahatma Gandhi
Ram Krishnaswamy
Sydney, Australia.
Aadhaar
The UIDAI has taken two successive governments in India and the entire world for a ride. It identifies nothing. It is not unique. The entire UID data has never been verified and audited. The UID cannot be used for governance, financial databases or anything. It’s use is the biggest threat to national security since independence. – Anupam Saraph 2018
When I opposed Aadhaar in 2010 , I was called a BJP stooge. In 2016 I am still opposing Aadhaar for the same reasons and I am told I am a Congress die hard. No one wants to see why I oppose Aadhaar as it is too difficult. Plus Aadhaar is FREE so why not get one ? Ram Krishnaswamy
First they ignore you, then they laugh at you, then they fight you, then you win.-Mahatma Gandhi
In matters of conscience, the law of the majority has no place.Mahatma Gandhi
“The invasion of privacy is of no consequence because privacy is not a fundamental right and has no meaning under Article 21. The right to privacy is not a guaranteed under the constitution, because privacy is not a fundamental right.” Article 21 of the Indian constitution refers to the right to life and liberty -Attorney General Mukul Rohatgi
“There is merit in the complaints. You are unwittingly allowing snooping, harassment and commercial exploitation. The information about an individual obtained by the UIDAI while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as may be directed by a court for the purpose of criminal investigation.”-A three judge bench headed by Justice J Chelameswar said in an interim order.
Legal scholar Usha Ramanathan describes UID as an inverse of sunshine laws like the Right to Information. While the RTI makes the state transparent to the citizen, the UID does the inverse: it makes the citizen transparent to the state, she says.
Good idea gone bad
I have written earlier that UID/Aadhaar was a poorly designed, unreliable and expensive solution to the really good idea of providing national identification for over a billion Indians. My petition contends that UID in its current form violates the right to privacy of a citizen, guaranteed under Article 21 of the Constitution. This is because sensitive biometric and demographic information of citizens are with enrolment agencies, registrars and sub-registrars who have no legal liability for any misuse of this data. This petition has opened up the larger discussion on privacy rights for Indians. The current Article 21 interpretation by the Supreme Court was done decades ago, before the advent of internet and today’s technology and all the new privacy challenges that have arisen as a consequence.
Rajeev Chandrasekhar, MP Rajya Sabha
“What is Aadhaar? There is enormous confusion. That Aadhaar will identify people who are entitled for subsidy. No. Aadhaar doesn’t determine who is eligible and who isn’t,” Jairam Ramesh
But Aadhaar has been mythologised during the previous government by its creators into some technology super force that will transform governance in a miraculous manner. I even read an article recently that compared Aadhaar to some revolution and quoted a 1930s historian, Will Durant.Rajeev Chandrasekhar, Rajya Sabha MP
“I know you will say that it is not mandatory. But, it is compulsorily mandatorily voluntary,” Jairam Ramesh, Rajya Saba April 2017.
August 24, 2017: The nine-judge Constitution Bench rules that right to privacy is “intrinsic to life and liberty”and is inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution
"Never doubt that a small group of thoughtful, committed citizens can change the World; indeed it's the only thing that ever has"
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” -Edward Snowden
In the Supreme Court, Meenakshi Arora, one of the senior counsel in the case, compared it to living under a general, perpetual, nation-wide criminal warrant.
Had never thought of it that way, but living in the Aadhaar universe is like living in a prison. All of us are treated like criminals with barely any rights or recourse and gatekeepers have absolute power on you and your life.
Announcing the launch of the # BreakAadhaarChainscampaign, culminating with events in multiple cities on 12th Jan. This is the last opportunity to make your voice heard before the Supreme Court hearings start on 17th Jan 2018. In collaboration with @no2uidand@rozi_roti.
UIDAI's security seems to be founded on four time tested pillars of security idiocy
1) Denial
2) Issue fiats and point finger
3) Shoot messenger
4) Bury head in sand.
God Save India
