good discussion of fingerprinting as overrated authentication method

From Naked Capitalism comments:

QuarterBack
April 21, 2017 at 7:30 am

I have worked in information systems security for 30 years, and I have advised that biometric authentication is a bad technology approach. At the end of the day, the digital representation of your biometric data is just a digital token every bit as match as the magnetic stripe data on your card. The big difference is that if your biometric data is compromised, you cannot be issued new biology. [emphasis added --tm] Every biometric marker can be collected without you even knowing (referred to as “non-cooperative” collection) with simple technologies. Once someone has your biometric data, they can authenticate or digitally sign as you. Further, the general consensus of the movie-watching public is (incorrectly) that biometrics are the strongest authentication method, making it more difficult to repudiate.

Biometrics are a good technology for identification, but not for authentication. [good as in efficient, not as in ethically sound --tm] These two security concepts are often conflated. Identication is basically just your username used to reference who you are, whereas authentication is the method of confirming that an identity is who you think it is. Biometric identifiers add convenience in performing the identity step, but add nothing in terms of security any more than your username or email address alone would.

philnc
April 21, 2017 at 8:41 am

Twenty years in IT, over ten in identity management, have allowed me a ring-side seat to this particular circus. We all really want to believe the PowerPoints, but they’ve all fallen short. Most of the discussion has focused on the physical limitations of particular technologies, like the poor quality resolution of past fingerprint scanners, but never reaches the more important practical weaknesses of any single or even two factor concept like that proposed here. As QuarterBack points out, probably the most dangerous aspect of any biometric auth scheme is that the factor (or factors) used cannot be changed (no reissuing as with a new credit account number or digital certificate). Therefore if stolen the only option for the victim is to be forever barred from using that scheme. [emphasis added --tm] And as QB also points out, fingerprints are one of the easiest biometric factors to acquire, without the owner ever knowing about it.

In sum, there are a lot of approaches better than this from an identity management point of view. [such as? --tm] Unfortunately fingerprint scanner tech already has (totally unjustified) cache[t] with a credulous public, and can make a lot of money for manufacturers, so it’s almost certain to show up in force over and over. Here’s hoping it doesn’t take off.

QuarterBack
April 21, 2017 at 10:18 am

Thanks philnc. BTW, for a real life example of the problem of using non-revocable identification factors for authentication, look no further than the history of using social security numbers for this purpose. In the past, “what is your social security number?” was a common method of authenticating. That did not work out so well, because SSN was too easy to acquire. Also, as many (unfortunately) may know, that when your SSN is compromised, it initiates a cascade of subsequent problems. Even then, in extreme circumstances, you can get a new SSN, but good luck with that. I have to say, that it boggles my mind that many organizations (including banks) still use last-4 of SSN for authentication (someone might steal you SSN, but the last-4 is MUCH more secure?).

Another problem with biometrics for identification, is that unchangeable identifier can be used (by anyone with knowledge of it) to track or monitor you forever. If your identity (say a username or account number) is compromised, you could always get another one. I recommend compartmentalizing identifiers in many cases on a system by system basis. Governments will always have some ability to stitch these separate identifiers together, but you don’t want just any grifter or hedge fund player to be able to monitor you.

the case for trust-busting (and why it might not apply to Silicon Valley)

Matt Stoller argues against current Silicon Valley monopolies not because they concentrate power into the hands of a few knuckleheads but because they stifle innovation, whatever that means at this point (he adopts this frame because he is writing for Business Insider -- in his youth he was a blogger for Open Left, a platform where "good tech" was a means to a political end and not an end in itself). He gives a short history of circumstances where trust-busting led to, let's call it positive technological change:

In 1956, a Republican administration and AT&T signed a consent decree forbidding AT&T from competing in any but common carrier communications services. The decree also forced AT&T to license its patents in a non-discriminatory manner to all comers.

One of those patents was for something called the transistor, which two small companies — Texas Instruments and Motorola — would commercialize.

In the 1960s and 1970s, an antitrust suit against IBM caused the company to unbundle its hardware and software, leading to the creation of the American software industry. It treated suppliers for its new personal computing business with kid gloves, including a small company called Micro-Soft. In the 1990s, a suit against Microsoft allowed another startup named Google to offer an innovative search engine and ad business without fear that Microsoft would use its control of the browser to strangle it.

The great business historian Alfred Chandler, in his book on the electronic century, called antitrust regulators the "Gods" of creation. Antitrust was originally understood as a uniquely American "charter of economic liberty".

But there hasn't been a Sherman Act Section 2 anti-monopolization case for 15 years. And the anti-merger Clayton Act is not being enforced. Neither Bush, nor Obama, nor Trump (so far), has seen fit to stop the monopolists from buying their way into dominance and blocking innovation.

His conclusion is suspect, however:

It is time for leaders in Silicon Valley to start demanding from our government the birthright of every American, which is an open market for commerce, innovation, and personal liberty.

It is time to demand antitrust, so that what once were innovative upstarts, and are now Kings, do not stop the next wave of innovation. Then there will be so much more to invest in, so much more to invent, and so much more to actually create.

That's like saying Bell Telephone should have led the demand to become Baby Bells. It's the disempowered who exert the pressure, not the overlords, by means of organized resistance, boycotts and counter-education. Stoller's analogies break down in the case of Silicon Valley, because crap like Amazon and Facebook is actually hugely popular. To think about breaking them up, you would have to also be thinking about changing your behavior -- throwing away your iPhone and not using Amazon to shop. And there's the rub -- consumers are too addicted to do that.
It's hard to see anything other than infrastructure collapse or societal breakdown causing a change in the Silicon Valley style of monopolistic stranglehold. Even if the internet becomes two-tiered due to cable company pressure, people won't feel it enough to protest if they are using one or two companies to do everything "online."