What Biometrics Vendors Tell Us versus What NIST Tells Us
I recently posted “Comfortable Biometrics Ecosystem”. In its aftermath, I learnt from one of my LinkedIn contacts that NIST had publicised test results for some biometric products.
Above is a screenshot of the test result for a biometric product whose accuracy the manufacturer advertises as “an FNM (false non-match = false negative/false rejection) rate of 1 in 100,000 at an FM (false match = false positive/false acceptance) rate of 1 in 10 million”.
The huge difference between what the manufacturer tells us and what NIST tells us is mind-boggling. I cannot help but be very curious about which set of figures has been presented to their clients.
We looked for newer results for the same products but were not able to find any.
A false sense of security has only been benefiting criminals, hasn’t it?
Biometrics has continuously contributed to providing a favorable environment for criminals, not for citizens, for nearly two decades, and the public has been misled into believing that biometrics has provided better security for citizens. This false sense of security may well keep causing huge damage to our social life for many more years unless somebody speaks out articulately.
Over several years we have repeatedly made clear that biometrics lowers security below the level of password-only authentication when it is used together with a password in a ‘multi-entrance’ deployment (either factor alone grants access), as against a ‘multi-layer’ deployment (both factors are required).
We have received not a single logical or evidence-based refutation, which has led us to suspect that the biometrics guys love one-way propaganda but hate the exchange of opinions.
They might be prepared to allow people to debate ‘spoofing’ and ‘data leaks’, because they can counter these debates by talking about the eternal endeavor of improving technologies. But it looks like they are aware they cannot afford to be involved in the discussion of the negative security effect of biometrics used with a ‘fallback password’ required against false rejection/non-match, presumably because there is absolutely no way of eliminating the trade-off between false match/acceptance and false non-match/rejection, which is inherent in the nature of the body features of living animals.
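The arithmetic behind the ‘multi-entrance’ versus ‘multi-layer’ claim, as an added illustration that is not part of the original post. It models an impostor's success probability under each deployment from a per-attempt false match rate (FMR), the number of biometric attempts the system allows, and the probability that the impostor gets past the password; all rates used are constructed sample values, with the FMR/FNMR taken from the vendor figures quoted above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rates:
    fmr: float       # per-attempt false match rate of the sensor (impostor accepted)
    fnmr: float      # per-attempt false non-match rate (genuine user rejected)
    pw_break: float  # probability the impostor defeats the password within the allowed tries
    bio_tries: int = 1  # biometric attempts the system grants before falling back


def biometric_break(r: Rates) -> float:
    """Probability that at least one of the allowed biometric attempts is a false match."""
    return 1.0 - (1.0 - r.fmr) ** r.bio_tries


def password_only(r: Rates) -> float:
    """Attacker must defeat the password and nothing else."""
    return r.pw_break


def multi_layer(r: Rates) -> float:
    """Biometric AND password: both must succeed (independence assumed)."""
    return biometric_break(r) * r.pw_break


def multi_entrance(r: Rates) -> float:
    """Biometric OR fallback password: either entrance suffices, so the result
    can never be lower than the weaker of the two factors alone."""
    return 1.0 - (1.0 - biometric_break(r)) * (1.0 - r.pw_break)


def genuine_fallback_rate(r: Rates) -> float:
    """Fraction of genuine logins pushed to the fallback password by false
    non-matches on every allowed attempt; this is why the fallback stays."""
    return r.fnmr ** r.bio_tries


def compare(r: Rates) -> dict:
    return {
        "password_only": password_only(r),
        "multi_layer": multi_layer(r),
        "multi_entrance": multi_entrance(r),
        "genuine_fallback": genuine_fallback_rate(r),
    }


if __name__ == "__main__":
    # Constructed sample: vendor-quoted FMR 1e-7 and FNMR 1e-5, one biometric try,
    # and a 1e-4 chance that the impostor breaks the password.
    for name, p in compare(Rates(fmr=1e-7, fnmr=1e-5, pw_break=1e-4)).items():
        print(f"{name:18s} {p:.4e}")
```

Re-run with the much higher false match rates a third-party test reports and the multi-entrance figure rises with it, while the password-only figure does not move.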
In other words, it looks as though they are afraid that, should they publicly admit the necessity and actual presence of a ‘fallback measure’, a default password/pincode in most cases, the very foundation of their decades-long claim that “biometrics brings better security than passwords” would evaporate right away.
As such we are led to suspect that all the biometrics guys can do is turn a blind eye, cover their ears, close their mouths and keep earning as much quick money as possible before their ‘business model’ collapses.
Incidentally, we are also very worried to have noticed that biometric performance data is seldom publicized in a logical and scientific manner.
Quite a few biometrics vendors publicize one part of a fact and do not disclose the other part; for instance, publicizing a nicely low false match/acceptance rate without saying anything about the corresponding false non-match/rejection rate, which could be alarmingly high but remains unknown to the public.
This practice comes with their silence on the need for, and presence of, a fallback password/pincode against false non-match/rejection, which lowers security below the level of password/pincode-only authentication, as repeatedly made clear in this article.
Moreover, we could add that unsubstantiated theoretical data is often presented as if it were objective empirical data.