Security is always a moving target in both philosophy and application. You must change your perspective and processes as your environment changes. So where is the security community headed as a whole? Toward biometrics-based security, perhaps?

Biometrics security is becoming a popular alternative to usernames and passwords, and many companies are pushing for widespread adoption of the technology. But is biometrics security more secure than other technologies, such as one-time tokens and smart cards?

Biometrics security is based on identifiable signatures derived from a human body. For example, the unique retina patterns in your eyes can be scanned, stored, and used for comparison during a logon sequence, where you press your face into some kind of mini scanner that compares your eyes to the stored pattern. The same premise holds true for fingerprints, facial heat patterns, voiceprints, and other forms of biometrics security technology.

At first, biometrics security sounds like a fantastic way to control access, but maybe that's a short-sighted perspective: I've heard a story circulating for years about an Air Force colonel who sat through a meeting on the merits of fingerprint-based biometrics security. The colonel stood up and interrupted the meeting, jolting everyone in attendance with his thought, "The finger doesn't have to be attached to the body, does it?" You get the point.

In that light, perhaps you think DNA signatures will become a more secure method of identification in the future. I've read that notable industry insiders have suggested the government establish a DNA database of all people to help with identification. Ouch! Consider that potential while knowing what science has already accomplished with DNA research today. In Europe, scientists have successfully cloned sheep (amid great controversy, I might add), and elsewhere, scientists have recently manipulated the DNA of rabbits and other critters so that their skin glows in the dark like a firefly! I'm not kidding.

So how long will we wait before science clones a human? And what if science learns to clone humans so they develop at a much faster rate? Will rogue bio-scientists become the super-crackers of the future? I think so.

I don't know about you, but I'll take a one-time token rather than base my entire security (and privacy) on fixed variables such as DNA strands, retina patterns, or my fingerprints. Remember, security is a moving target; there's no reason for it to sit around like a duck on a pond waiting to be shot.

Obtaining samples of users' DNA is easier than obtaining information locked away in their minds. We probably won't learn any time soon that science has developed the ability to rapidly clone humans, perhaps not even in our lifetimes. But even so, human cloning will happen eventually, and when it does, it might instantly become the biggest threat to information security ever—that is, if we base our information security solely on biometrics.

While we await that potentially horrifying future (my apologies for the bleak outlook, but it's entirely possible), I'd like to know how many of you currently use biometrics for information security. Stop by our Security Web site and take our latest security poll located on the home page.

I'll post the results in a future edition of this newsletter. And by all means, if you have any thoughts about this topic, feel free to drop me a line. Until next time, have a great week.