Biometrics

It’s a mixed blessing, but biometrics are here to stay. That’s an odd statement, so let me explain what I mean.

We need to start with authentication, which is the process of identifying yourself so that you can get access to things you should have access to, like your bank account. Way back in 1977 a researcher gave what would prove to be a long-lasting definition for successful authentication. A user must provide one of these three things:

  • Something you know
  • Something you have
  • Something you are

The first is a password or PIN. An example of the second would be the identification card you may have for work. The third refers to a biometric measurement. For years now, mobile phones and tablets have allowed users to identify themselves with either a PIN or their fingerprint, as do some laptops. And they seem to work, unlike the early versions I tried to use ten years ago which failed to recognise my fingerprint one time in three. You can see the next step too – phones that recognise you from your face. The front-facing camera takes several photos of your face in quick succession, analyses about a thousand individual points on each image, and lets you in if the images match the stored photograph. That’s pretty amazing when you think about it.

Your face and fingerprint are two obvious biometric traits, or features, but there are a lot more.  Anyone who has watched the US TV show NCIS will have seen the eye scanner used to get into the more secure areas of the building. The bright blue light isn’t something you would see in the real world, but the principle is fine apart from that, even though it’s not clear what’s being measured.  It could be the iris – that coloured ring surrounding the black pupil in your eye, or it could be the pattern of veins at the back of the eye.

There are sensors that measure the shape of your hand – finger width, length and separation, and the shape of your palm. Your palm has a series of uniquely placed lines similar to a fingerprint, and that’s another option. Babies are identified from footprints taken just after birth, because feet, too, have a unique pattern of ridges. Your voice can identify you, but perhaps not uniquely.

You might think that DNA would be a good choice, but there are problems with using it. It takes time to completely analyse a DNA sample, currently in the region of four hours, but the process is gradually getting faster. The sample has to be entirely yours, so no accidental impurities or contamination can be included. Finally, it won’t work on identical twins because they have the same DNA.

If you read the research literature, there are some completely outrageous ideas out there, real “left field” stuff. One researcher suggested your body odour would be unique, another that the surface of your tongue could be used. Someone else is convinced that a detailed image of your skeleton is distinctive when you consider overall size as well as detailed measurements of individual bones. In my case perhaps – I have a few healed breaks and a stainless steel plate and screws in my left ankle. But in general, I’m doubtful.

The drive behind the use of biometrics relates to the inherent vulnerability of the passwords or PINs that so many of us use every day. Because, whatever the rules behind password use say, there are a few constants that have been shown to be true year after year.

People choose poor passwords – your mother’s birthday or maiden name may not be as secure as you hope. They get written down however many times we say they shouldn’t be. The same password gets used in so many different places, so if one gets broken, all sorts of other sites can be broken into.

Biometrics are considered to be different. Treated correctly, your fingerprint will be the equivalent of a strong password. The problem is, of course, if someone does manage to decode your fingerprint, you have a limited number of options – 9 to be precise. If it happens a second time, that drops to eight. A number of IT security professionals are uncomfortable with this. They feel that a fingerprint should be a replacement for your username, not for your password. Which doesn’t help you very much with your new iPhone. Although, to be fair, the sensor appears to work well even though Apple don’t release technical details.

Let’s look at fingerprints for a moment. The police still use them because they’re easy to find at a crime scene and once your library of prints has been scanned into a computer, matching is easy enough. But when you design a sensor to record a fingerprint, it’s important to be able to tell the difference between a real finger and a plastic one. That sounds crazy, but 3 Japanese researchers wrote a paper describing in detail how to make a model finger using gummy bears which fooled sensors two times out of three. It’s a funny story, but a security disaster. It showed that the sensors at the time were not up to the job; they weren’t paying enough attention to little but important things such as the pores on the ridges.

So, biometrics are certainly useful and they may even be unique, although there’s a lot less evidence for uniqueness than you might expect. But there has been little or no interest in understanding people who don’t have the preferred biometric trait. For example, individuals have been found who do not have usable fingerprints, surprising as that may seem. And, people who do some kinds of manual labour, like bricklayers, can abrade their prints to the point of uselessness.

But I’m hopeful that these issues can be dealt with so that marginalised individuals can be included, rather than ignored.

Suggested Reading

When Biometrics Fail: Gender, Race, and the Technology of Identity by Shoshana Amielle Magnet