Biometrics can be described as either the study of biological measurements, or the use of those measurements to identify people or verify them. Voice, fingerprints, hand geometry, face, signature, iris and gait can all be measured and used for identification and authentication.
Surely a lot of this stuff is still theoretical?
Different technologies are at different stages of development. Fingerprint biometrics are well established; iris recognition has been around for a decade; but other systems, such as gait recognition — how a person moves — are still emerging. Other technologies at different stages of commercialisation include vascular pattern recognition, ear structure, odour and palm prints. There is an ongoing debate as to whether DNA can be used as a biometric, as identical twins split from the same fertilised egg share DNA.
Why should I care about it now?
Once the stuff of science fiction, biometrics are very much science fact as anyone who has flown to the US recently will know. The US recently introduced fingerprint scanning for all foreign visitors. For businesses, the proliferation of passwords has led to the development of single sign-on systems providing access to multiple applications. To reduce the security risk of having one point of access — for example, a single password that replaces multiple passwords — biometrics can be used instead. Some financial and military organisations institutions already use biometric recognition for identification.
Government schemes focusing on authentication have also driven biometrics development. The UK Government passed the Identity Cards Act this year and aims to introduce ID cards by 2008. Biometrics technology is also being used by the US Government in its US-VISIT border-control programme.
How do I collect biometrics?
Most biometrics are collected using sensors, which capture the biological information — an electronic thumbprint scan, for example — and convert it to digital form. When the thumbprint is captured, a template made up of a map of specific points of that feature is created. That template is then compared with a database of templates using algorithms, and a decision about the identity of the user can be taken when there is a close enough match between templates.
How reliable is biometric authentication?
Biometrics technology doesn't work in absolutes. The way to get a comparable match isn't by comparing stored pictures. The complexity of biometric data means there are instances of false positives — where an individual is identified incorrectly as someone else — and false negatives, where a person is incorrectly rejected by the system. Rather than saying absolutely whether two images of a biometric match, most systems work by calculating if the images are similar enough based on set limits. Each biometric system can be set with higher or lower authentication threshold, depending on the level of security necessary.
How could a criminal get around a biometric system? Could they cut off a finger and use it to gain entrance to a building?
That's a bit James Bond. Some biometrics systems can detect whether there is a pulse in the body part being presented, and your average security guard would probably notice if you started waving severed fingers around.
What are the privacy concerns around biometrics?
Privacy campaigners claim that it is difficult to control when, where and how biometric information is used. Biometric data showing medical information can be passed through to commercial systems or insurance companies, for example.
Identity theft is also a concern. If a password is stolen, it can be re-set, but if a biometric template is stolen, it is much more difficult to suspend use of the compromised information. Security experts claim that to a certain extent, biometric details are already compromised through being in the public domain, and design biometrics systems accordingly.
Talkback
A good example of a biometric vulnerability is when fingerprints are used for door access. A villain can, with a small amount of effort, take a fingerprint from a surface and use it to create a gummy fingertip that slips over their own, complete with pulse. The necessary equipment costs only tens of pounds. Where can they find a valid fingerprint? On the door handle, right next to the reader.
It is therefore alarming that the UK government is talking up biometrics as being secure, for applications like their ID card scheme, when the vulnerabilities are there for all to see. Once a villain is using your fingerprint, you can't just request a new one.
As more legislation is enacted around the world that mandates the use of biometric data and as commercial use of biometrics increases, the market for biometric information security and assurance will increase greatly. Hackers will attack and eventually crack databases containing biometrics, even with the best applied encryption. If biometric input devices such as cameras and scanners are all that are needed to substantiate identity; then it is only a camera or a scanner that is needed to steal an identity…
The validating authority that has the biggest concern is the government. "HACKED" biometric databases are a very dangerous problem to national security efforts. If a system is ever hacked - all the data contained within is compromised (whether it is a single loss, 100 or 1000 persons) and is rendered worthless...
Eliminating the market value of the biometric identifiers in order to protect them from theft is better than firewalls, algorithms, security codes and encryption.
The correct thought process has just begun.
Centralised databases of Biometrics will degrade our security. There have recently been cases of tax fraud deriving from mass theft of civil servants' personal details from government computers : how can anyone say such information will be secure, and keep a straight face?
What's more curious to me is that a geek forum should be interested merely in the question of technical robustness to the exclusion of the more fundamental question as to whether it's right for a government to keep a centralised file on each of its citizens.
I guess this thread is yet young!