Falsehoods programmers believe about... Biometrics
(For the new reader, there is a famous essay called Falsehoods Programmers Believe About Names. It has since spawned a long list of Falsehoods Programmers Believe About....)
Everyone has fingerprints!
The BBC has a grim tale of a family with a genetic mutation which means they have no fingerprints. It details the issues they have getting official ID.
In 2010, fingerprints became mandatory for passports and driver's licences. After several attempts, Amal was able to obtain a passport by showing a certificate from a medical board. He has never used it though, partly because he fears the problems he may face at the airport. And though riding a motorbike is essential to his farming work, he has never obtained a driving licence. "I paid the fee, passed the exam, but they did not issue a licence because I couldn't provide fingerprint," he said.
Source: The family with no fingerprints (BBC)
Even if this genetic issue didn't exist, it should be obvious that not everyone has fingers, or hands. Some people are born without hands, some people lose them later in life.
Policy is about the edge-cases. It's easy to design something which works for the majority of people - the real challenge is how we deal with the fringes.
Everyone has a unique face / unique DNA
Ever heard of twins, dumbass?
OK, it is a little bit more complicated than that.
It is easy to revoke a biometric indicator
Even if you assumed that everyone has ten fingers - that means you can only change your ID 9 times. If you're using iris recognition, that's one change you're permitted before you have to grow new eyeballs.
Biometrics can't be copied
Back in 2002, Tsutomu Matsumoto copied fingerprints using Gummy Bears.
Researchers can consistently fool iris scanners.
3D printed facemasks can defeat facial recognition systems.
The thing about biometrics is that they are not secret. You leave your fingerprints everywhere. If a camera can read your face, it can copy your details.
Biometrics can't be changed
Will having a "nose job" stop your iPhone from recognising you? Probably not. But there are a range of surgical procedures which can be done.
People who have Facial Feminisation Surgery can be given a letter from a doctor to explain to border guards why a person's face may no longer match their biometrics.
What are they good for?
Biometrics are not passwords. Nor are they a universal 2nd factor. Biometrics are, at best, usernames.
For the average user, it's probably fine to use your fingerprint or face to unlock your phone. If you think an enemy state is going to devote considerable resources to steal copies of your biometrics, consider changing to a different password mechanism.
Or, if you have kids.
Or if you're cheating on your spouse.
A Qatar Airways pilot was forced to make an emergency landing after a passenger found out her husband was cheating on her and had a violent reaction in midair. The woman reportedly used her sleeping husband's finger to unlock his phone and discovered his cheating ways.
Source: Eyewitness News
In a safe-ish environment, biometrics are a good convenience mechanism. If your phone is snatched by an opportunistic thief, they're unlikely to have the means to spoof your ID.
But they are not a perfect security measure.
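The "biometrics are, at best, usernames" point and the revocation problem, as an added sketch that is not code from the original post. It assumes a hypothetical matcher that has already turned a scan into an opaque template ID; the class and method names are illustrative only.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def _kdf(secret: str, salt: bytes) -> bytes:
    # Slow hash for the revocable secret (PBKDF2 from the standard library).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)

@dataclass
class Account:
    user_id: str
    # Optional on purpose: some users cannot enrol a fingerprint or face.
    templates: set = field(default_factory=set)
    salt: bytes = b""
    secret_hash: bytes = b""

class Directory:
    def __init__(self):
        self.accounts = {}

    def enrol(self, user_id, secret, templates=()):
        self.accounts[user_id] = Account(user_id, set(templates))
        self.rotate_secret(user_id, secret)

    def rotate_secret(self, user_id, new_secret):
        # The secret can be replaced any number of times; a finger cannot.
        acct = self.accounts[user_id]
        acct.salt = secrets.token_bytes(16)
        acct.secret_hash = _kdf(new_secret, acct.salt)

    def identify(self, template):
        # A biometric match only claims an identity, like typing a username.
        for acct in self.accounts.values():
            if template in acct.templates:
                return acct.user_id
        return None

    def authenticate(self, secret, user_id=None, template=None):
        # Access always depends on the secret, never on the template alone.
        claimed = user_id or self.identify(template)
        acct = self.accounts.get(claimed)
        if acct is None:
            return False
        return hmac.compare_digest(acct.secret_hash, _kdf(secret, acct.salt))
```

A copied template gets an attacker no further than knowing the username would, and a user with no usable biometric can still enrol and log in by `user_id`.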
Tony Finch said on twitter.com:
Another falsehood: a person has one genome (there are chimaeras and genetic mosaicism)
HN Front Page said on twitter.com:
Falsehoods programmers believe about Biometrics L: shkspr.mobi/blog/2021/01/f… C: news.ycombinator.com/item?id=257000…
Douglas Dollars ☁️ said on twitter.com:
A good time to remind folk in tech that faces, fingerprints, etc. should not be used as a password. "At best" they can be considered a username, with even that being eventually a problem: shkspr.mobi/blog/2021/01/f…
Charlie Don't Surf said on twitter.com:
Me and my face are proud to be featured in this post.
Robin Osborne 🇪🇺 💙😷 said on twitter.com:
"Biometrics are, at best, usernames."
Brilliant!
flaki said on twitter.com:
I was musing about this the other day! "identiscan"s in the game Horizon: Zero Dawn use a futuristic DNA-matching tech through unobtrusive (what seems to be) laser scanning and was wondering how such tech would sample (e.g. strips top skin layer? 🤔) & avoid tampering, if it existed
Zara Rahman said on twitter.com:
👀 Humanitarians who might still believe that biometrics are the solution for refugee registration/aid delivery, this is for you too:
David says:
Biometrics are without a doubt the best way to identify people such as refugees. If you are really concerned about people being able to change their identity then use their DNA to identify them. Nothing in this article says otherwise but there will probably be edge cases. That said, I imagine the failure rate is very low.
The alternative is what? Do you want to start chipping people or using tattoos? We know how many ways that can be abused.
Andy Mabbett says:
I am currently experiencing trigger finger in my left thumb (trigger thumb?).
I couldn't give my left thumbprint now if my online life depended upon it.
Mark Mzyk said on twitter.com:
We had an entire movie about this! Tom Cruise had to chase eye balls everywhere!
10 GOTO 10 said on twitter.com:
A physical space is where biometrics make the most sense. Replacing critical body parts with stolen substitutes would be a lot of effort for a free slurpee.
Pat Mächler says:
Some more falsehoods:
* Every face has exactly two eyes, a nose and a mouth
* Every face has at least something similar to two eyes
There's e.g. a very famous German science journalist, who regularly complains about non-working face detections ( https://twitter.com/fischblog )
And of course there are many more related to certain features (e.g. Micrognathism), where most face detection algorithms fail.
L'égrégore André ꕭꕬ says:
@blog One of my in-laws was a carpenter and had a pain getting into the states 'cause he'd basically worn out his fingerprints by hard manual labor for decades.
(and I think similar issues can pop up for some musicians where constant filing from e.g. bass strings can erase parts of or the whole print)
a libi rose says:
@blog i know someone who worked in security for a large public institution. when they found a lost phone with face id turned on the first thing they'd do was pass it around to see if anyone in the office could get it to unlock. it worked far more often than people would be happy about...