Biometric Authentication, Cracked In Seconds? OK, Maybe We’re Being A Little Optimistic Here
Written by Frank Hayes
With all the current retail-related efforts at biometric security—everything from PayPal’s (NASDAQ:EBAY) authentication-by-photo to the iPhone’s supposed new fingerprint feature—it’s useful to be reminded that not every biometric system actually, well, works. Case in point: A new motion-control gadget called Leap Motion, which was launched a month ago. One of the applications for the device, SignWave, is supposed to let a user unlock a PC screen “quickly, easily and securely” just by placing his hand over the sensor, which then identifies it and is supposed to reject any other hand. Unfortunately, a security researcher discovered very quickly that just by spreading his fingers, he could confuse the biometric software and open another researcher’s PC. Oops.
It’s not the failure that’s the problem—software has bugs, and SignWave’s vendor, Battelle, says it’s coming out with a new version that fixes the problem. It’s the fact that something billed as a biometric security system was so poorly tested that it was optimistically touted as more secure than a password. What if that tech had been deployed for months before the hack was discovered? In the case of SignWave and Leap Motion, it’s now academic. For the dozens of other would-be biometric security solutions lining up at your POS, the lesson is only just beginning.