Law enforcement agencies have been using fingerprint records to identify individuals for over 100 years. With developments in physical biology, behavioural science, and technology, the idea of using a person’s physical characteristics or behaviour as a basis for access control, identification and security continues to gain in popularity.
The global reach of the smartphone (many with the imaging and scanning tools needed to capture snapshots of their users) has contributed to this. In an August 2015 report issued by US-based market intelligence firm Tractica, it’s estimated that the world-wide market for biometric technology will increase from its 2015 level of $2.0 billion, to $14.9 billion by 2024.
The Need for Simpler Security Solutions
It’s easy to see the appeal of biometrics over more traditional methods of securing data and assets such as passwords, smartcards, and keys. People tend not to respond favourably to being made to “jump through hoops” in order to perform simple transactions. Present them with a multi-stage authentication requiring passwords, SMS verification, and annoying pop-up windows, and they’ll either go away, or try to expedite the process by using “easy to remember” (i.e. “weak, and easy to predict or hack”) credentials that can leave gaping holes in their security profiles.
By being quick and requiring little effort on the user’s part, biometric authentication offers a powerful alternative.
Basic Principles of Biometric Authentication
Biometric authentication uses the unique physical or behavioural characteristics of an individual as the key to unlocking devices, gaining access to user accounts or personal information, or for the more general purpose of identification.
Typically, a database of physical or behavioural markers is set up using fingerprints, retinal scans, photographs, and other techniques. These may be compared with data scanned from an individual at a point of access, or during an ongoing transaction.
Advances in technology are pushing the boundaries of what it’s now possible to use as identifiers – and the capacity and scope for obtaining biometric data from individuals with or without their knowledge and consent.
The human body offers several markers, unique to each individual: fingerprints, the pattern of blood vessels in the iris of the eye, the clustering of veins on the face, and the structure of the ear are just a few of them. Hardware and applications to scan and identify using these markers have been in existence for some time, and more are being developed.
Digital biometric databases have been around since the 1980s, but were largely restricted to use by government and law enforcement agencies until Apple’s home button / fingerprint sensor for its 2013 iPhone popularised biometric verification with the general public.
Descartes Biometrics is one of the companies pushing mobile security apps based on the biometrics of the human ear. Applications like EyeVerify can study images taken with a smartphone camera to register the pattern of blood vessels in the white of the human eye. And MasterCard has recently entered a partnership with Nymi, a biometrics firm developing techniques to provide authentication for credit card transactions based on the unique rhythms of an individual’s heartbeat.
The way we act can be as individual a marker as the way we look, and behavioural biometrics tools are being developed to take account of this. Authentication and identification applications are evolving, based on criteria such as the way a person walks, the expressions and hand gestures they habitually use, and other traits.
Research at Sweden’s Lulea University from 2006 led to a patented technology now known as BehavioSec, which analyses the way an individual interacts with Web content on their mobile device based on how they hit and release keys, while typing. The Swedish company’s BehavioAion technology can be integrated into mobile apps and operating systems, to provide real-time feedback from a user. Coupled with GPS location data and a smartphone’s accelerometer and gyroscope, authentication and verification can be performed invisibly, and on the fly.
The technology is currently being adapted for use on smart watches, which can differentiate between the pressure of a tap or push on their screens.
So Much for The Tech…
All of these developments are highly innovative and cool-sounding, but there are larger issues that may hamper the more widespread adoption of biometrics. Chief among these are security and privacy. Compromised or stolen passwords, encryption keys, or smartcards may be an immediate crisis for the users affected – but these can at least be replaced. If a hacker gains possession of your biometric data, you’ll be hard pushed to get a replacement ear, or iris. And at the moment, biometric databases aren’t sufficiently protected to ensure that this won’t happen.
Over a decade ago, Professor Tsutomu Matsumoto, an information security specialist at Yokohama National University, imprinted someone else’s prints onto fake fingers made from gelatin, and was able to successfully bypass a biometric fingerprint scanner. As recently as last year, a hack on the US Office of Personnel Management got the intruders access to the fingerprint data of 5.6 million people.
There are concerns too, over who will have access to personal biometric databases, and how the information in them will be obtained. The DeepFace facial recognition archive operated by Facebook currently houses data from the over 350 million photographs uploaded to the social media platform every day. Many (if not most) users may be unaware that this database is being compiled – and might not be reassured by Facebook’s assurances that “affirmative express consent” must first be obtained, before a user’s privacy settings may be overstepped.
The Need for Codes of Conduct
In fact, biometric data collection is currently a self-regulated process, with individual organisations and enterprises applying their own discretion to how information is gathered and used. This clearly demonstrates the need for binding codes of conduct to be established, to ensure not only national or corporate security, but to also safeguard the privacy of the individual on the street. As biometric technologies and applications evolve, the drawing up of comprehensive and adaptable standards to govern the sector will be a challenge, for the future.
Share this Post