Wednesday, May 7, 2014

"60% of the Time, It Works Every Time"

Subtitled, "Why you should be dubious of handgun lock boxes relying on fingerprint readers."

The quote in the title is what Brian Fantana infamously said of his cologne. The reliability record is much the same for fingerprint readers, which is why they should not be used where quick access is required.

Ten years ago, the IBM T42 laptop sported a fingerprint reader that ostensibly took the place of keying in a password. If it worked on the first swipe, it was a little taste of awesomeness. To say it worked on the first swipe even 60% of the time would be more than generous. By the time you went for that second try, typing your password would have been quicker.

A decade later, the iPhone 5s will convince you that the experience has only marginally improved at best. If there's one thing reliable about unlocking your iPhone with a thumbprint, it's that it will fail when you most want it to work. Tellingly, the iPhone still depends on you memorizing a PIN code as a backup.

The pattern matching of a fingerprint - once imaged - is quite good, but it's the acquisition of the print where the technology has a damnably hard time. Recently I was exposed to a case where mechanics on a military base were unable to use biometric time clocks, compromising payroll and billings. In that line of work, greasy fingers or fingers with worn down pads are the norm. This foiled the print acquisition process by 1) degrading the print itself, or 2) occluding the reader over time. The system was unworkable and replaced.

Print readers are not for quick, reliable authentication. As important, they aren't secure. First, fingerprints are immutable. Unlike PIN codes or credit card numbers, once someone "knows" your fingerprint, you can't very well change it. How diligent are you at protecting the confidentiality of your prints? I'd wager that comparatively, a password on a yellow sticky pad under your mouse pad looks like freakin' Ft. Knox.

You leave fingerprints everywhere you go, and ironically, all over the screen of your iPhone 5s, right next to the reader that uses them for authentication. This video demonstrates the process to hack a reader - start to finish - using cheap supplies from your erstwhile Radio Shack.

All this background should color your buying decisions. Identilock is an example of an aftermarket trigger lock product made by Sentinl that uses fingerprints, and one you wouldn't catch me relying upon for the very reasons listed above. What's unreliable in normal use becomes doubly so when you're stressed out and trying to do the same task quickly.

For another example, look at this handgun lock-box with a biometric lock from Stack-On. It's commonly available at sporting goods stores, but the customer reviews on the manufacturer's website will tell you all you need to know: "Good thing I didn't need it in a pinch", says one reviewer. "It slowly took more and more attempts", says another. Sound familiar?

In contrast, Hornady makes a lockbox called RAPiD Safe that allows either RFID or the traditional four-key combo lock to access your gun. If you absolutely need some gimmicky tech on your safe, this is a good option because it has that manual fail-safe that will work 100% of the time, all the time. If you're going to train with one, I recommend training on that combo lock, unless you're planning to wear a silly silicone bracelet morning, noon and night (hint: you probably won't - after a month it will have a permanent spot on your dresser next to your FitBit or Up bracelet).

Speaking of RFID, there's been a lot of hand-wringing in New Jersey recently about the Armatix Smart System, which is more a regulatory concern than technophobia. On the technical front though, RFID and NFC certainly wouldn't dent the market for stolen guns. The transponder signals remain vulnerable to skimming, thieves can steal transponders as surely as they can guns, and since guns are fundamentally quite simple mechanical devices, bypassing any electronic safety should be a pretty simple exercise of gunsmithing. A system like Armatix's is most useful in close-quarter combat scenarios where a firearm is taken from a defender to be immediately used by the attacker. The limited value of preventing that edge case is something the market will decide, but I'll just say there's probably a reason we're not buying guns with treadmill safety keys incorporated into them.

What's good about incorporating new technology into peripherals is that it informs our understanding of function and reliability before we use it in more critical applications. Through our casual exposure to fingerprint readers, we know to avoid putting them between us and critical objects we may need in a hurry. The jury's still out on RFID and NFC technologies, because both the tech and its application are still evolving.
