Thursday, October 10, 2013

Lets use Thingometrics instead of Biometrics

One of these pebbles could be your next password, and this is a much better idea than using your fingerprint as a password.  Sound crazy? Then read on.

Image in the public domain
It is entirely possible that a hundred people have thought of this before, and if so, my apologies.

Much ado is made of biometrics from time to time,  most recently on the latest iPhone.

Most of the attention focuses on how wonderful it is to be able to use your thumb, eye-ball or some other body part to identify yourself.

Many companies are formed based on the assumption that biometrics are secure, and are generally speaking A Good Idea.

However, as we have been reminded by the Chaos Computer Club (CCC) in Germany breaking the biometric authentication on the iPhone in less than two days using common household ingredients and just a photo of the fingerprint.

The CCC sum up many of the major problems with biometrics in their post:

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.

There are a few salient points in the above that are so important that they require repeating, as well as some important consequences. Please excuse the all caps, but these are really important points that need to be made again and again, because industry, government and individuals continue to be badly deluded as to the value and sensibility of biometrics as an authentication or access control.

1. You leave your fingerprint EVERYWHERE.  Despite the fact that we tell people to keep their passwords secret, the biometrics movement encourages people to use a password that is IMPOSSIBLE to keep secret.

2. Because you leave your fingerprint "password" everywhere, you don't know when someone has captured and compromised your password.  So you continue to acting like your fingerprint is secure, and so does your phone, your passport and everything else that depends on it.

3. If you do discover that someone is doing something naughty with your supposedly secret fingerprint password, YOU CANT CHANGE YOUR FINGERPRINTS.

4. Because of all of the above your fingerprint is of more value to naughty people who want to defraud you than it is to you.  

5. All of this is bad, because it creates economic incentives for bad people to STEAL YOUR FINGERPRINT, or worse STEAL YOUR RETINA.

6. In case you think that practically perfect fingerprint cloning on real fingers is impossible consider the following: It is well known that bricklayers often abrade their fingerprints completely, showing that making a "blank finger" is trivial.  All that remains is to engrave the blank finger with the target's finger print, e.g., using laser micro-surgery techniques.  I'm not saying that this would be trivial, but it is hopefully apparent that there are major problems facing fingerprint based identification, even if it advances to actually requiring a live person attached to the finger print.

We also know that normal passwords are both annoying and also have their own security problems. (Although at least you can give your password to someone and retain binocular vision and the ability to hold cutlery, and then get a new password to replace the old one.)

So, what should we do?

We should try to do something that will not make the biometrics lobby too upset, so that they don't push back with more lies and patently false claims about the security or sensibility of biometrics.

One way of doing this could be coming up with a scheme that can leverage the accurate object and surface imaging technologies that these companies have created, and allow them to rapidly transition focus from the largely counterproductive biometrics field.  In other words, lets leave them room to still make money and be prosperous.

Enter the idea of thingometrics instead of biometrics.

Basically, lets stop scanning body parts, and instead scan simple objects.

Simple objects can be easily chosen that:

1. are hard to clone from a photograph (unlike finger prints),
2. don't leave the means to reproduce them on surfaces everywhere. That is are more rivalous than not, instead of the practically nonrivalous nature of fingerprints.
3. can be given to a forceful attacker without having to hand over any body parts
4. can be easily replaced if ever compromised

Things like sea shells, small pebbles, a crumpled mass of stiff wire, or any other morphically stable robust object would be good candidates.  Attach them to your physical key ring for convenience. You could even use one of your existing physical keys for extra convenience (which always comes at a cost to security).

Need to change your password? Just go outside and find a new rock, or better yet take a monthly work-mandated trip to the beach to find your new password.

It would be quite possible to make a 3D printer to produce a pseudo-random object with a keyring attachment point if you want an more environmentally sensitive source of things to metric.

If you want to be super-paranoid you could reduce the residual risk of someone comprehensively imaging your password object from a distance by making the interior of it the password part.  Again, 3D printers would be your friend here, or if you have a handy supply of geodes would make for a password with street cred among your geologist friends.  If used with dedicated imaging sensors the complex interior need never be visible from the outside at all.

Oh yes, and with thingometrics you can easily implement some helpful security protocols.  For example, you can register anti-passwords, in the form of other objects that when presented cancel the authority of an other thingometric password, analogous to revocation certificates in PKI systems.

You might carry one anti-password with you, and one or more in a safe remote place so that if you lose (or are robbed) of your thingometric passwords anti-passwords you can easily cancel the stolen password (or instruct someone remotely to do so on your behalf).

You can also physically destroy a thingometric password if you are worried about it being captured, and because well chosen thingometric passwords are closer to being rivalous, you can have better confidence that no one else has obtained the password if you still hold the original.

3D printers and the like represent risks, but nothing is perfect, and the risks are much lower than with fingerprint biometrics which as previously noted leave sufficient imprint everywhere for people using relatively easy technologies like those developed by the CCC.

Thingometrics has the extra advantage that it could be implemented using the camera on a smart-phone, without needing to have an extra sensor.  At most, you might want a second camera for stereoscopic vision.   So not only is thingometrics safer for you, and more secure for your data, it can also be cheaper to implement.

It also means that it would be much easier to support in free and open software and operating systems, because there are no more funny closed drivers and firmware than normal.

So let's think about what would be needed to implement thingometrics in practice.

1. Some good image mapping algorithms, that can capture the shape and texture of an object in front of a camera to develop a detailed enough 3D image.

2. Some good image matching algorithms that can detect (or reject) an object being held in front of the camera.

And, er, that's about it really*.

I suspect that suitable technologies exist in part or in full in the academic literature and elsewhere, and that creating a functional system could be implemented fairly readily* by a skilled and dedicated team.

If you go for a dedicated sensor and the inside-out key idea described above, then this becomes much, much, simpler to do. It could probably be implemented in a semester by a good student (any volunteers? I'm happy to supervise. You don't have to be in Australia, either.)

So, here is the challenge: Let's get a bunch of us together to implement thingometrics, and give the world a better alternative to biometrics.  I've registered the domain names.  Now we just need the team.

Paul "I want to keep my thumbs" Gardner-Stephen.

* Which isn't to say that there wouldn't still be quite a bit of work. Everything is relative, after all.

1 comment:

  1. It's there already - QR codes. See https://www.grc.com/sqrl/sqrl.htm

    ReplyDelete