What if “Something You Are” Can Be Impersonated?

A print of abolitionist U.S. President Abraham Lincoln actually was a composite. Thomas Hicks placed his head on the body of Andrew Jackson’s rabidly pro-slavery Vice President John Calhoun. It went undetected until Stefan Lorant, art director for London Picture Post magazine, noticed Lincoln’s mole was on the wrong side of his face. Source: Atlas Obscura

In multi-factor authentication systems, you typically are dealing with three data categories to establish uniqueness: something you know, something you have or something you are.

While you can create knowledge, create a thing to hold, it is the third category of “being” that often raises concern. There’s an inherent contradiction in treating a thing you expose everywhere and that in theory never changes, as some kind of unique secret that can’t be replayed by someone else. The state of “being” tends to be inherently observable, else you cease to exist.

For example you’ll be hard pressed to avoid leaving your fingerprints all over the place.

On top of the exposure contradiction of biometric secrecy, there also is a complexity and cost consideration in the biometric business, which lowers challenge quality (look for a couple spots that match instead of every detail and thousands of points) to profit/margin and is usually how we see decades of simple bypasses.

Nonetheless, despite the contradictions and bypasses, stark warnings about biometrics do appear. Consider the “lasting damage” claimed in an analysis of Digital ID applications:

In Zimbabwe, we spoke to people who did not know why the government was transitioning from the old metal ID to a biometric ID. There were theories about the ID system’s connection to national security and surveillance but little knowledge of the government’s intentions or the purpose of collecting biometric data (i.e., unique physical measurements such as fingerprints and iris scans)–which isn’t essential for providing legal identity. This type of data is forever associated with a person’s body, meaning that these systems can lead to privacy violations that cause lasting damage.

Meanwhile in RPI research news, we see the march of science challenging our sense of reality:

Scientists have created 3D-printed skin complete with blood vessels, in an advancement which they hope could one day prevent the body rejecting grafted tissue. The team of researchers at Rensselaer Polytechnic Institute in New York and Yale School of Medicine combined cells found in human blood vessels with other ingredients including animal collagen, and printed a skin-like material. After a few weeks, the cells started to form into vasculature. The skin was then grafted onto a mouse, and was found to connect with the animal’s vessels.

In related news, scientists also now can “knit” an artificial skin.

“We can sew pouches, create tubes, valves and perforated membranes,” says Nicholas L’Heureux, who led the work at the French National Institute of Health and Medical Research in Bordeaux. “With the yarn, any textile approach is feasible: knitting, braiding, weaving, even crocheting.”

This suggests we are entering an entirely new level of impersonation possibilities, which both are bad (unwanted) and good (wanted). You could knit a new set of fingerprints that even have blood-flowing in them.

Somehow I doubt the scientists considered the impact of bypassing authentication systems as part of their research, yet we’re clearly approaching a time when you can really do an about face and give the finger to biometric authentication vendors.

It all begs the ancient philosophical questions of whether quaint notions of authenticity are really something to hold a hard line on (e.g. authorize authenticity policing), or instead we should focus on harms and virtue ethics.

For a simple quiz I give my CS graduate students studying ethics, would you sooner criminalize actors doing modern voice impersonations or appearance impersonations?

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.