Biometrics are biological measurements — or physical characteristics — that can be used to identify individuals. Fingerprint mapping, facial recognition, and retina scans are all forms of biometric technology, but these are just the most recognized options.
Because physical characteristics are relatively fixed and individualized — even in the case of twins — they are being used to replace or at least augment password systems for computers, phones, and restricted access rooms and buildings.
Advanced biometrics are also used to protect sensitive documents. Citibank already uses voice recognition, and the British bank Halifax is testing devices that monitor heartbeat to verify customers' identities. Ford is even considering putting biometric sensors in cars.
Biometrics are incorporated in e-Passports throughout the world. In the United States, e-passports have a chip that contains a digital photograph of one’s face, fingerprint, or iris, as well as technology that prevents the chip from being read — and the data skimmed — by unauthorized data readers.
Biometric scanners are becoming increasingly sophisticated. For example, the facial recognition technology on Apple's iPhone X projects 30,000 infrared dots onto a user's face to authenticate the user by pattern matching. The chance of mistaken identity is one in a million, according to Apple.
The new LG V30 smartphone combines facial and voice recognition with fingerprint scanning and keeps the data on the phone for greater security. CrucialTec, a sensor manufacturer, links a heart-rate sensor to its fingerprint scanners for two-step authentication. This helps ensure that cloned fingerprints can't be used to access its systems.
The challenge is that biometric scanners, including facial recognition systems, can be tricked. Researchers at the University of North Carolina at Chapel Hill downloaded photos of 20 volunteers from social media and used them to construct 3-D models of their faces. The researchers successfully breached four of the five security systems they tested.
Examples of fingerprint cloning are everywhere. One example from the Black Hat cybersecurity conference demonstrated that a fingerprint can be cloned reliably in about 40 minutes with $10 worth of material, simply by making a fingerprint impression in molding plastic or candle wax.
Germany’s Chaos Computer Club spoofed the iPhone’s TouchID fingerprint reader within two days of its release. The group simply photographed a fingerprint on a glass surface and used it to unlock the iPhone 5s.
Protecting Biometric Identity
Unauthorized access becomes more difficult when systems require multiple means of authentication, such as liveness detection (like blinking) and matching encoded samples to users within encrypted domains. Some security systems also include additional features, such as age, gender, and height, in biometric data to thwart hackers.
The Unique ID Authority of India's Aadhaar program is a good example. Initiated in 2009, the multi-step authentication program incorporates iris scans, fingerprints from all 10 fingers, and facial recognition. This information is linked to a unique identification card that is issued to each of India's 1.2 billion residents. Soon, this card will be mandatory for anyone accessing social services in India.
The Good and the Bad
Biometric authentication is convenient, but privacy advocates fear that biometric security erodes personal privacy. The concern is that personal data could be collected easily and without consent.
Facial recognition is a part of everyday life in Chinese cities, where it's used for routine purchases, and London is famously dotted with CCTV cameras. Now, New York, Chicago, and Moscow are linking CCTV cameras in their cities to facial recognition databases to help local police fight crime. Ramping up the technology, Carnegie Mellon University is developing a camera that can scan the irises of people in crowds from a distance of 10 meters.
In 2018, facial recognition is set to be introduced at Dubai airport, where travelers will be photographed by 80 cameras as they pass through a tunnel in a virtual aquarium.
Facial recognition cameras are already at work in other airports throughout the world, including those in Helsinki, Amsterdam, Minneapolis-St. Paul, and Tampa. All that data must be stored somewhere, fueling fears of constant surveillance and misuse of data.
A more immediate problem is that databases of personal information are targets for hackers. For example, when the U.S. Office of Personnel Management was hacked in 2015, cybercriminals made off with the fingerprints of 5.6 million government employees, leaving them vulnerable to identity theft.
Storing biometric data on a device – like the iPhone’s TouchID or Face ID – is considered safer than storing it with a service provider, even when the data is encrypted.
That risk is similar to that of a password database, in which hackers may breach the system and steal data that’s not effectively secured. The ramifications, however, are significantly different. If a password is compromised, it can be changed. Biometric data, in contrast, remains the same forever.
The risks are real, but biometric technology still offers very compelling solutions for security, as the systems are convenient and hard to duplicate. They make a good replacement for user names as part of a two-factor authentication strategy that incorporates something you are (biometrics), something you have (like a hardware token) or something you know (like a password). That's a powerful combination, especially as IoT devices proliferate.