In Depth

The Strong Authentication Battle

Tokens and biometrics are often used to replace insecure passwords. But these strong authentication systems are far from perfect.

By Simson Garfinkel

Page 4

Biometrics Aren't Foolproof

Biometrics are also susceptible to replay attacks. The simplest is to replay the biometric itself: A friend of mine once fooled a voiceprint lock into opening because he and his brother, the lock's authorized user, sounded so much alike. Researchers in Japan demonstrated how to use gelatin to make a gummy finger with a lifted print: In tests both there and at MIT, the lifted print could fool commercial fingerprint readers. Face recognition systems have been fooled by a photograph of the person to be identified being held up to the camera.

But while these attacks are fun to perpetrate, they aren't practical if you are sick in bed and need to let your assistant log in to your desktop so that you can get a printout of your e-mail. Although it is possible to set up some kind of delegation with biometrics, in practice such systems are rarely set up before they are needed. Thus, biometrics can create problems for authorized users because the people who install them usually don't anticipate the messiness of day-to-day operations.

Although we're likely to see more and more biometrics in the coming years, to date these systems have been most successful when they are deployed to limited user communities that can afford the installation costs, training and inevitable hand-holding. For applications where the users themselves have an incentive to bypass the authentication technology, biometrics are a good alternative to passwords. But for many applications, tokens can be both simpler and more democratic.
