What do we teach our students in a network security course regarding authentication? Well, that it can be done based on what we know (password/PIN), what we have (a card or a device), and who we are (biometrics). Unless they are an expert in biometrics, a typical teacher will give students the impression that biometrics is a foolproof method. It is foolproof because it is "private" and it is "unique." We can forget a password, or others can guess our password. We can lose our card, or others can steal our card. But we cannot forget our fingerprint, we cannot lose our fingerprint (in normal situations), and others can't steal our fingers, of course. And we don't need to remember anything, since we always carry this information with us.
I think all such teachers should either follow the biometric research or follow the Aadhaar case in the Supreme Court. A biometric is neither private nor unique and hence has a certain failure rate.
It is not private in the sense that lots of people have your biometric or can get it easily. I must have given my fingerprints to more than 10 people so far (passport, visas, driving license, Aadhaar enrollment centers, a few Airtel agents, a few Vodafone agents, and so on) and they could have saved them to replay at an opportune time. It is also not unique. Not only is every sensor slightly different, but the position, the pressure and everything else is going to be slightly different on each attempt. To some extent, an approximate search is possible: the system may compare only some important features of the biometric and still authenticate you correctly. And if the issue is only the process and the sensor, you may just try again, and hopefully you will get authenticated. However, "who you are" changes with time. Fingerprints change, and it is quite possible that if you attempt authentication against fingerprints stored 5 years ago, you may not succeed. And you may fail authentication at a very crucial time.
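The behaviour described above, as an added sketch that is not part of the original post: a toy minutiae matcher over constructed coordinates (the data, the tolerance of 3 units and the 0.75 threshold are all assumptions), showing that approximate matching tolerates small placement shifts, rejects the same finger once it has changed, and cannot tell a stored copy from a live finger.

```python
# Added illustration; all data below is constructed, not real fingerprint data.
# A template is a list of (x, y) minutiae positions on an arbitrary grid.
ENROLLED = [(10, 12), (25, 40), (33, 18), (47, 52),
            (58, 30), (62, 71), (75, 15), (80, 60)]

def match_score(enrolled, probe, tol=3):
    """Fraction of enrolled minutiae with a probe minutia within tol units."""
    hits = sum(
        1 for ex, ey in enrolled
        if any(abs(ex - px) <= tol and abs(ey - py) <= tol for px, py in probe)
    )
    return hits / len(enrolled)

def authenticate(enrolled, probe, threshold=0.75, tol=3):
    """Approximate match: accept when enough minutiae line up (assumed threshold)."""
    return match_score(enrolled, probe, tol) >= threshold

def shifted(template, dx, dy):
    """Same finger placed at a slightly different position on the sensor."""
    return [(x + dx, y + dy) for x, y in template]

def demo():
    good_placement = shifted(ENROLLED, 2, -1)   # small shift, within tolerance
    bad_placement = shifted(ENROLLED, 6, 5)     # same finger, sloppy placement
    stored_copy = list(ENROLLED)                # copy retained by whoever captured it
    # Same finger years later: three of the eight minutiae have changed.
    aged = good_placement[:5] + [(90, 90), (5, 95), (95, 5)]
    return {
        "good_placement": authenticate(ENROLLED, good_placement),
        "bad_placement": authenticate(ENROLLED, bad_placement),
        "stored_copy": authenticate(ENROLLED, stored_copy),
        "aged_score": match_score(ENROLLED, aged),
        "aged": authenticate(ENROLLED, aged),
        # Loosening the threshold rescues the aged finger, but it loosens
        # the check for every other probe as well.
        "aged_loose_threshold": authenticate(ENROLLED, aged, threshold=0.6),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The matcher only sees coordinates, so any defence against a retained copy has to come from outside the comparison itself, for example a second factor.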
Now, this post is not to argue for or against Aadhaar. I don't want to get into whether, despite these shortcomings, we can make something work, or whether these shortcomings are so fundamental to the scheme of things that there is no possibility of making it work. That would be an interesting debate and I will continue to follow the case in SC for that. (Would also be open to any paper by a knowledgeable researcher/technology expert.)
Here, my only contention is that as academicians, it is our responsibility to tell our students the limitations of any technology that we teach. Interestingly, when I just searched Google for some course notes from network security courses, I noticed that courses in top CS departments even 10-15 years ago were teaching the shortcomings of biometric-based authentication, since researchers knew about them a long time ago. Are we doing the same in India? (I can say for myself that on a couple of occasions when I have taught a network security course, I indeed have pointed out some shortcomings.)
In general, the point is that we must keep our eyes and ears open for any information that relates to what we teach. We typically learn by following journals and conferences. But let us face it, we often teach courses which are beyond our research areas, and in those areas we do not read papers. Our regulators like AICTE would tell us that we should interact with industry to know broadly what is going on, and that the shortcoming of our educational institutions is that they don't encourage interaction with industry. To me, it seems that it is even more important to learn about public policy and laws as they relate to technology and incorporate that learning in our courses. In a lecture on authentication, we should be able to present Aadhaar as a case study.
Our graduates should be solving the challenges faced by industry and building new technologies. But they should also be sensitive to the use of that technology as an instrument of public policy and whether that will necessarily benefit society. They should be able to participate in such debates and ensure that the government takes informed decisions.