Biometrics do not offer non-repudiation » Computer internet security  
Biometrics do not offer non-repudiation



Wednesday, September 19, 2007, 4:04
This news item was posted in Business security category and has 0 Comments so far.

The question of the repudiation of biometrically authenticated transactions has been
the subject of widespread discussion. Such discussion is not limited to biometric
authentication though; other more traditional forms are also open to debate. Generally,
signatures have been accepted as legally binding indicators but they are certainly
open to challenge in the courts and such challenges are not unknown.
Non-repudiation of authentication typically rests on two considerations:
- Strength of binding of the authenticator to the individual in question
- Informed consent of the individual at the time the authentication was given.
Most authenticators are open to challenge on either or both of these grounds. The
former is a technical issue, signifying the non-forgeability (or otherwise) of the
authenticator. Normal signatures are known to be readily forgeable, so do not offer
strong binding. Various other authentication tokens have been proposed and used
which themselves offer much stronger binding, for example cryptographic signatures.
However, cryptography does not address the crucial issue of binding the
authentication to an individual. This final step has to be provided by a supplementary
mechanism usually involving a PIN or password, a token, a biometric, singly or in
combination. These generally have much lower strengths than the cryptography and set
a limit to the true strength of the individual binding and hence the non-repudiation.
Biometric Security Concerns produced for the UK Biometric Working Group. Last updated September 2003
The relative strength of binding provided by biometrics compared to passwords or
tokens is not straightforward to define and there is currently no generally agreed basis
for the comparison. It is known that each mechanism has strengths and weaknesses in
different areas, and relating these areas of difference and mapping them into a single
equivalent “strength” figure has so far proved intractable.
Biometric specialists normally agree that the biometric error rates such as FAR and
FRR are the equivalent of the password space in PIN/Password based authentication.
The exact relation is more elusive however, because the biometric mechanism cannot
be compromised by a simple exhaustion attack in the same way as that for a
PIN/Password. A 4-digit PIN has 10,000 distinct values, so a single chosen value has a
1 in 10,000 chance of success (assuming that the “true” value has been chosen
randomly). A biometric system with a FAR of 1 in 10,000 (0.01%) might be deemed to
be equivalent, as a single trial has the same chance of success. However, different
values of PIN can be tried in succession, lowering the actual strength of the PIN
mechanism in a way that the biometric is not subject to. Thus it could be reasonably
argued that the biometric is stronger than the PIN in this case; but how much stronger?
Also, the biometric may be subject to a spoofing attack which has no equivalent for
the PIN, so how much (loss of) strength is this worth? However, the biometric cannot be
lost or disclosed in the way that a PIN can be (and often is!), so how much strength is
this worth? These arguments have been extensively reviewed, and a recent consensus
view relating biometric performance figures to strength of function is given in the
section entitled “Performance Limitations” earlier. This can be regarded as a current
UK government view, but is subject to change in the light of further analysis or practical
experience.
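To make the PIN-versus-FAR comparison above concrete, here is an added illustration (not code from the Working Group paper or the blog): it models the attacker's success probability against a 4-digit PIN, where each wrong guess eliminates a candidate, beside a biometric with a 0.01% FAR, where the impostor cannot enumerate new "values". The lockout count, the optional independent-trial upper bound and the bits-of-strength conversion are assumptions introduced here, not figures from the paper.

```python
"""Added illustration of the PIN-exhaustion argument; all scenario values are constructed."""
import math


def pin_guess_success(space: int, attempts: int) -> float:
    """Attacker tries distinct PIN values without repetition.

    Each wrong guess removes one candidate, so the success probability grows
    linearly with the number of attempts allowed before lockout.
    """
    return min(attempts, space) / space


def biometric_impostor_success(far: float, attempts: int, independent: bool = False) -> float:
    """Impostor presents their own sample against the victim's template.

    Default model (the paper's argument): retries of the same sample do not
    enumerate new values, so success stays at FAR regardless of attempts.
    independent=True is an assumed pessimistic bound treating each presentation
    as a fresh draw (e.g. many different impostors), not a figure from the paper.
    """
    if independent:
        return 1.0 - (1.0 - far) ** attempts
    return far


def strength_bits(p_success: float) -> float:
    """Express a success probability as an equivalent 'bits of strength' figure."""
    return -math.log2(p_success)


def compare(space: int = 10_000, far: float = 1e-4, attempts: int = 3) -> dict:
    """Constructed scenario: 4-digit PIN vs 0.01% FAR under an assumed lockout."""
    pin = pin_guess_success(space, attempts)
    bio = biometric_impostor_success(far, attempts)
    return {
        "pin": pin,
        "biometric": bio,
        "biometric_independent_bound": biometric_impostor_success(far, attempts, True),
        "pin_bits": strength_bits(pin),
        "biometric_bits": strength_bits(bio),
    }


if __name__ == "__main__":
    for k in (1, 3, 10):
        r = compare(attempts=k)
        print(f"{k:2d} attempts: PIN {r['pin']:.4%} ({r['pin_bits']:.1f} bits) "
              f"vs biometric {r['biometric']:.4%} ({r['biometric_bits']:.1f} bits)")
```

At one attempt both mechanisms sit at 1 in 10,000; every extra attempt the lockout policy permits moves the PIN, but not the biometric, away from that figure.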
The second factor is that of informed consent. The “informed” is important, because
there are situations where an individual could give consent based on false or
inadequate information. This factor also runs up against the issue of functional creep. If
the declared use of the system does not correspond to its actual use, the consent is
not informed and therefore not valid.
No authentication system can offer an unconditional guarantee of unique identification,
because the guarantee also depends on the assumption that the mechanism has not
been compromised in any way (e.g. procedural failure).
Solutions
Repudiation requirements must be determined and the authentication mechanism
matched to the requirement. A proper procedural framework will need to be put in
place, which may involve legal accreditation (e.g. as for digital signature legislation).
The availability of such a legally accepted and enforceable framework will effectively
determine the repudiation status of an application. Note that if non-repudiation is not
achieved, the risk of “bad” transactions is transferred to the service provider and away
from the service user.
Repudiation is likely to be an issue for applications where there are legal ramifications
for identification/verification, e.g. financial transactions. This is a potential future
problem, when a substantial number of financial and other contractual transactions are
endorsed by biometric authentication.