In today’s world, data security relies largely on passwords, ID badges and the like. The inherent flaws in these forms of identity verification, which are based on things the user knows or has, become clearer with each successive media report of a huge corporate data breach.
Biometric authentication techniques, which verify identity based on some physical or behavioral trait of the user, rely not on something the user knows or has, but on something the user is. Biometric identification is already in use in a number of corporate and government capacities and may soon appear in consumer products. But biometric identification techniques are by no means foolproof, and they’re often costly.
Types of Common Biometrics
While some biometric authentication techniques are still in the development stages, a number are already widely used. These include:
- Fingerprint scanning
- Hand shape scanning
- Retinal scanning
- Voice verification
- Signature verification
- Iris scanning
- Facial recognition
Biometrics in development include vein pattern scanning, palm-print scanning, gait analysis, ear analysis, and even body odor analysis.
Why Aren’t Biometrics More Common?
At first glance, biometric identification seems to have a significant advantage over security measures such as passwords since it relies on users’ inherent traits; unlike a password, biometric forms of identification cannot be stolen, copied or shared. Biometric identification devices could prevent fraud in financial transactions and keep the personal data we store in our phones and computers safe.
In situations where data security is paramount, biometrics is already widely in use. It is accurate and safe. After all, you can’t steal someone’s fingerprint, right?
Actually, you can. Japanese cryptographer Tsutomu Matsumoto demonstrated in 2002 that he was able to fool a fingerprint scanner using a fake finger he made out of gelatin. Fingerprints, while unique, aren’t exactly your most private identifying trait; you leave them on everything you touch. Matsumoto was able to lift fingerprints from a glass. His gelatin finger was easy and inexpensive to make.
German hackers Lisa and Starbug have further demonstrated that facial recognition systems and even iris scanners can be fooled by high-resolution photographs; those systems that check for head movement can be fooled using video footage. These weaknesses underscore the need for a two-factor authentication process that identifies users based on a pair of biometric parameters. Some procedures, like passport control, rely on human oversight to help prevent false verification.
Another inherent flaw in biometrics is the fact that physical, and even behavioral, identifying traits change. An injury to the fingertip, for example, could make a fingerprint scanner reject a valid user. An eye patch, a beard, a hat, a pair of glasses or even a different haircut could cause a facial recognition scanner to reject valid users.
These are things businesses must take into account before incorporating a biometric system of worker identification. Many companies get around this by placing biometric information on a token, so that it remains constant, but the cost of making tokens for every employee adds up, especially when somebody loses one and needs a replacement. For a company trying to protect its trade secrets, there may be no better option; but for consumer products like phones, changes in identifying traits could definitely cause some user hiccups.
Perhaps the most troubling flaw of biometric identification is the fact that, if your biometric information is compromised, you can’t just change it like you would a password. When biometrically secured data is breached, it can be impossible to re-secure it.
Biometrics: The Wave of the Future?
Despite the risks and extra costs associated with biometrics, it’s likely we’ll one day rely on it in our day-to-day lives to secure our personal data. The Fast Identity Online (FIDO) Alliance is currently working on making things like voice readers and fingerprint scanners as common as passwords are now. Rumor has it that Apple is working on a biometrically secured smartphone.
Even with all of these flaws, biometrics is still a better protection against fraud than passwords and tokens. As technology improves and costs come down, we can expect to see this technology become ubiquitous.
About the Author: Contributing blogger David Kemp has worked in corporate information security for over 20 years. He’s excited about the security benefits that widespread use of biometrics can bring.