In another assault on personal privacy, I just read about a plan to move towards using biometric identifiers for hotel room access over standard room keys. Read Hotel Card Keys Edge Toward Extinction. I had never thought much about biometric identifiers as security risks until recently. I figured something unique to me as a person was a good thing, but after listening to Brandon McMillon speak on A Primer to Secure Coding (Parts 1 and 2) at the 2005 Alabama .Net Code Camp, many good points about biometrics were raised.
1) In computer terms, a biometric reader (fingerprint, handprint, retina scan, etc.) takes unique values from the physical attribute and converts them into a numeric value (we’ll call it a hash).
2) That hash is compared to what is stored in a database, and if a match is found, then identification is verified.
3) So, the validation system is only accepting a hash (generated by the machine that examines the biometric attribute), which is just a number, and a given type of reader will always generate the same hash value for the same attribute.
4) If you somehow gain access to that number, you can always spoof the reader that generates that value to the authentication system (of course, this does rely on being able to gain access to the intermediate system).
And then there is the real kicker that has made me anti-biometric (and didn’t I just read that United States passports will start containing RFID chips, and probably personal info, maybe even biometric data, by October 2006?). If someone compromises the hash and has access to the intermediary system…you can’t do anything to change your identifying information to restore security to the system. The manufacturer would have to change their hash algorithm. If a username or password is compromised, I can change those easily. Hard to change my fingerprints or retinas.
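To make points 3, 4 and the "can't change your fingerprint" problem concrete, here is an added example that is not from the post or from the talk it summarises. It follows the post's simplified model (the same finger always yields the same number; real templates are fuzzy and low-entropy, which this toy ignores) and shows a naive verifier that accepts the bare number beside a hardened one. The hardening is the usual defensive answer: the verifier keeps a keyed reference that can be re-issued at re-enrolment, and the reader must answer a one-time nonce with an HMAC under a key the intermediate system never holds, so a captured message cannot be replayed. The reader function, the HMAC-SHA256 scheme, the `reader_key` and all names are my own assumptions.

```python
import hashlib
import hmac
import secrets


def reader_scan(finger_id: str) -> bytes:
    """Constructed stand-in for the reader in the post's model: same finger, same number."""
    return hashlib.sha256(b"constructed-reader-v1:" + finger_id.encode()).digest()


class NaiveVerifier:
    """Stores the reader's number as-is and accepts any message that carries it (points 3 and 4)."""

    def __init__(self):
        self.db = {}

    def enroll(self, user, value):
        self.db[user] = value

    def verify(self, user, value):
        return hmac.compare_digest(self.db.get(user, b""), value)


class HardenedVerifier:
    """Keyed, re-issuable stored reference plus a nonce/MAC exchange with the reader."""

    def __init__(self, reader_key: bytes):
        self.reader_key = reader_key      # shared only between verifier and reader (assumed)
        self.db = {}                      # user -> (enrolment_secret, keyed_reference)
        self.outstanding = set()          # nonces issued but not yet consumed

    def enroll(self, user, raw_value):
        # A fresh per-enrolment secret means the stored reference can be rotated
        # even though the underlying finger never changes.
        secret = secrets.token_bytes(32)
        self.db[user] = (secret, hmac.new(secret, raw_value, hashlib.sha256).digest())

    def revoke(self, user):
        self.db.pop(user, None)

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, nonce, raw_value, tag):
        if nonce not in self.outstanding:
            return False                  # unknown or already-used nonce: a replay
        self.outstanding.discard(nonce)   # each challenge is good for exactly one answer
        expected = hmac.new(self.reader_key, nonce + user.encode() + raw_value, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                  # not produced by a reader holding the key
        entry = self.db.get(user)
        if entry is None:
            return False                  # revoked or never enrolled
        secret, ref = entry
        return hmac.compare_digest(hmac.new(secret, raw_value, hashlib.sha256).digest(), ref)


def reader_respond(reader_key, user, nonce, raw_value):
    """What a legitimate reader sends: the value bound to this nonce and user by a MAC."""
    tag = hmac.new(reader_key, nonce + user.encode() + raw_value, hashlib.sha256).digest()
    return (user, nonce, raw_value, tag)


def demo():
    raw = reader_scan("constructed-guest-right-index")
    results = {}

    naive = NaiveVerifier()
    naive.enroll("alice", raw)
    results["naive_genuine"] = naive.verify("alice", raw)
    captured = raw                                            # copy seen at the intermediate system
    results["naive_replay"] = naive.verify("alice", captured)  # True: the number alone suffices

    key = secrets.token_bytes(32)
    hard = HardenedVerifier(key)
    hard.enroll("alice", raw)
    msg = reader_respond(key, "alice", hard.challenge(), raw)
    results["hard_genuine"] = hard.verify(*msg)
    results["hard_replay"] = hard.verify(*msg)                 # same message again: nonce spent
    # Knowing the number without the reader key does not answer a fresh challenge.
    n = hard.challenge()
    forged_tag = hmac.new(b"wrong-key", n + b"alice" + raw, hashlib.sha256).digest()
    results["hard_forged_tag"] = hard.verify("alice", n, raw, forged_tag)
    # Rotating the stored reference invalidates a stolen database copy while the
    # same finger keeps working; it does not help if the reader's raw output itself
    # leaked, which is why the channel MAC above is the other half of the fix.
    old_ref = hard.db["alice"][1]
    hard.revoke("alice")
    hard.enroll("alice", raw)
    results["reference_rotated"] = old_ref != hard.db["alice"][1]
    msg2 = reader_respond(key, "alice", hard.challenge(), raw)
    results["hard_after_reenroll"] = hard.verify(*msg2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The naive verifier is exactly the situation the post describes: whoever sees the number at the intermediate system can present it again. The hardened one does not make the fingerprint changeable, but it makes the two things an attacker would need (a live challenge answered under the reader key, and a stored reference that the operator can rotate) into secrets the operator controls, which is the property passwords give you and bare biometrics do not.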
So hopefully, these hotels will have some backup authentication mechanism in place. It would seem they would have to. Big Rob brought up the point last night about people with no fingers. Can’t discriminate against them. I for one will refuse to stay at a hotel that demands biometrics. I just don’t trust the security of the systems.