Or: "how to ruin your kids lives in all the sake of convenience".

I came across a recent news story about bulletproof authentication for high school students. Ostensibly, the goals are very good. Allowing students to check in and out of study classes instead of being driven to distraction by following a more regimented cirriculum:

...They settled on flexible modular scheduling. High school students will still take core classes, but will be given a lot more time throughout the day to visit resource rooms staffed by teams of teachers to help them with homework or projects...

Students, being kids still, are assholes. And they slack a lot. So, there was a bulletproof need to make sure they were checking in to the right places and tracked efficiently. Enter finterprinting.

...Fearing student ids could easily be traded among students. School leaders settled on the biometric scanners fearing student id cards could easily be handed to other students looking to skip class...

Security Cornerstones

In the world of Security, there are three cornerstones for authentication. You can think of it as a triangle or, like below, a Venn Diagram

Diagram

  • Something You Know - A password, your mother's maiden name, last 4 digits of your SSN, are all things that you know. It is something you carry with you in your memory and (like a password) can change.
  • Something You Have - This is something physical. An ID card. A key fob, even your house keys. You carry it with you and can show it to others or brush it by a door sensor to give you access. Like passwords, they can change.
  • Something You Are - Your DNA, and fingerprint biometric data are unique to you as a human being. Biometric data has been used for authentication successfully in some instances. However, unlike the first two cornerstones, biometric data can never change.

Fingerprint Security

While fingerprint scanners seem to be a good solution for the school, there's a nasty surprise in store. They don't really work that well. In the Youtube video, a little effort, some gelatin, and a bit of clever allowed unauthorized people to access a "biometrically secure" computer. You know who else has lots of free time, access to trivial household ingredients, and are painfully clever?

If you said "high school students", then you're correct. A fingerprint will not keep high school kids from skipping class any more than handing an ID card off- and will be much more difficult to detect in the long run.

Long Term Problems

As both companies and schools move to implement biometric scanning, what happens to to the information stored? Is the data transmitted elsewhere? Is it shared with other governmental agencies? What happens when (not "if", when) the system is compromised and the fingerprint data is stolen. What then? What is the data retention? Is it encrypted? Is it audited? What safeguards are there to that data?

The jury is still out as to how biometrics will be used in the future for authentication. One fear that comes to my mind is a world filled with biometric scanners. The scanners themselves aren't the problem, but the danger of third parties having access to that data- bag guys making simple gel molds and cleaning out bank accounts.

Like I mentioned, biometric data can never change. Can we conceiveably be setting up an entire generation at risk for identity thieft?

Simpler Fixes Needed

Security isn't hard. It is common sense wrapped in a thick layer of common sense with some common sense sprinkled on top.

Implementing authentication for this setup can work fine with (already existing) school photo ID's and someone to look at the ID. That's it. I saved you tens of thousands of dollars in equpment costs and training. Just have the instructor (or so-instructor) match the person on the photo. Takes 4 seconds and does not threaten the future security for our kids in the name of convenience.