Biometric authentication is finding more and more parts of the human body to prove we really are who we say we are. But will it ever fulfil the promise of so many sci-fi representations? And will it ever be worth pursuing in preference to simpler checks?
They are at once unique and universal, and for decades they have been the focus of efforts to improve security, personal identification, and even access to electronic devices. Our biometrics – from brain physiognomies down to the characteristics of locomotion or gait – can in theory differentiate one individual from another, and the study of how best to sort between them has resulted in the technological enclave of biometric authentication.
Typically, authentication can be classified in three different forms: a user can create an unusual password or personal identification number, use a security token or smart card, or use their own physical or behavioural biometric traits. 'Biometric' implies the identification or authentication by human characteristics, such as DNA, fingerprints, facial characteristics, irises, and voice patterns, which are then securely measured, analysed, and matched.
As with any authentication process there are challenges, but the need to provide secure access to all kinds of technology has grown at the same time as the scale of threats such as identity theft, which means that the use of security failsafe procedures involving some degree of biometrics has expanded. In conventional enterprise IT, weak passwords continue to be a root problem in corporate data breaches and are a common way in for cybercriminals. Credit cards, smart cards and security tokens can be lost or stolen and hacked, or their secrets swiped by keystroke loggers, and even the most advanced encryption techniques may eventually be hacked.
Small wonder then that the security industry is investigating biometric authentication's potential as the next generation of primary identity assurance, as human characteristics are all unique. Biometric authentication is usually required for two-factor authentication purposes, through sheer convenience, as finger or voice traits cannot be lost or stolen.
However, tokenless authentication experts SecurEnvoy say that, while two-factor authentication is necessary, biometric authentication is still flawed. "With so many biometric technologies out there the security risks differ but if you take face recognition for example, it is currently way too easy to confuse the system," explains Andy Kemshall, technical director at SecurEnvoy. "Face recognition with non-3D based cameras can easily be fooled with a single photo of the user's face. Unless the user has a very high-resolution camera, or even two cameras, to recognise their face it is far too simple to bypass the application.
"Another example of an unreliable method is the speed-of-typing recognition system. It detects the way a user enters characters and the strokes they use when on a keyboard. However, this system assumes the user will always be using the same keyboard and type in the same manner. People are unpredictable – a change in mood or sense of urgency can affect the way they type and easily cause problems when authenticating."
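The keystroke-timing problem described above, as an added Python example (not code from SecurEnvoy or any product named in this article). All timings, the scaled Manhattan scoring rule and both thresholds are constructed assumptions.

```python
from statistics import mean, stdev

# Constructed enrolment data: intervals between key presses (ms) for one
# passphrase, typed five times by the same user on the same keyboard.
ENROLMENT = [
    [110, 145, 98, 160, 120],
    [115, 150, 102, 155, 118],
    [108, 140, 95, 165, 125],
    [112, 148, 100, 158, 122],
    [105, 142, 97, 162, 119],
]
# Constructed later attempts by the SAME user under different conditions.
GENUINE = {
    "calm, same keyboard": [111, 146, 99, 159, 121],
    "in a hurry": [85, 115, 78, 125, 95],
    "different keyboard": [130, 170, 120, 185, 140],
}
# Constructed attempt by a different person typing the same passphrase.
OTHER_TYPIST = [140, 120, 130, 130, 150]

def build_template(samples):
    """Per-interval mean and standard deviation over the enrolment samples."""
    # Floor the deviation at 1 ms so a perfectly steady interval cannot
    # cause a division by zero or an unbounded score.
    return [(mean(col), max(stdev(col), 1.0)) for col in zip(*samples)]

def score(template, attempt):
    """Scaled Manhattan distance: mean deviation in units of std dev."""
    if len(attempt) != len(template):
        raise ValueError("attempt has the wrong number of intervals")
    return mean(abs(x - mu) / sd for x, (mu, sd) in zip(attempt, template))

def verify(template, attempt, threshold):
    """Accept the attempt only if it is close enough to the template."""
    return score(template, attempt) <= threshold

def false_reject_rate(template, genuine_attempts, threshold):
    """Fraction of the genuine user's attempts that are refused."""
    refused = [a for a in genuine_attempts if not verify(template, a, threshold)]
    return len(refused) / len(genuine_attempts)

if __name__ == "__main__":
    template = build_template(ENROLMENT)
    for threshold in (2.0, 10.0):  # strict vs. loose acceptance threshold
        frr = false_reject_rate(template, list(GENUINE.values()), threshold)
        other = verify(template, OTHER_TYPIST, threshold)
        print(f"threshold={threshold}: genuine rejected={frr:.0%}, "
              f"other typist accepted={other}")
```

At the strict threshold two of the three genuine attempts are rejected; at the loose threshold all three pass, but so does the second typist.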
Biometric authentication technology has been something of a slow burn in adoption terms. Because of its very advanced nature, it is – and probably will always be – expensive, putting it beyond the reach of many organisations.
"I don't believe organisations are in fact changing their attitudes towards biometric authentication but they are moving towards two-factor authentication and realise they now need more than just a password in order to reliably authenticate," says SecurEnvoy's Kemshall. "Cost and reliability are both reasons why organisations are moving towards this; it is far cheaper and more reliable to authenticate using technology someone already owns."
Another aspect of widescale adoption is common technological standards, which have emerged only comparatively recently. In 2011, the International Organisation for Standards and the International Electrotechnical Commission jointly published a security and privacy standard to safeguard biometric data used for online authentication and ensure it will not be compromised. The 'ISO/IEC 24745:2011 Information Technology – Security Techniques – Biometric Information Protection' standard has been published as a guideline with advice on the management and processing of biometric data used for authentication.
The standard outlines specific 'solid countermeasures' to protect individuals. Among them are: analysis of threats and countermeasures inherent in biometric and biometric-system application models; security requirements for binding between a biometric reference and an identity reference; biometric system application models with different scenarios for the storage and comparison of biometric references; and guidance on the protection of an individual's privacy during the processing of biometric information.
'Biometrics' refers to the identification of human physical and behavioural characteristics, such as fingers, hands, ears, teeth, veins, voice and eyes. The concept of biometric authentication is that the body parts themselves are used to authenticate, as it is difficult to steal, lose, or duplicate them.
Biometric authentication is a vital element in security because of unauthorised immigration, visa fraud, and border intrusion; it is increasingly being implemented at security checkpoints at airports.
The different biometrics
Fingerprint scanning is becoming a widely used method of verification, whether to log into computer systems, at passport control, or for premises entry control. Biometrics have even found their way to Disneyland in the US, where a system has been designed to deter visitors from buying fake tickets from scammers. iPhone manufacturer Apple is also taking advantage of fingerprint technology; it is thought that the iPhone 5S and iPhone 6 handsets will be embedded with a fingerprint scanner for added security.
Iris recognition is a fairly well-established authentication method; it works by analysing the characteristics in the coloured tissue surrounding the pupil, which typically has more than 200 points of reference for comparison, along with rings, furrows and freckles. Facial recognition measures the distinctive facial characteristics, including the distances between the eyes, nose, mouth, and jaw edges. The measurements are stored and compared when an individual's face is scanned again. Iris and facial biometrics can be used in aviation security, accessing computers, buildings and homes, and border crossing. Biometric authentication systems have already been installed at schools where pupils are using fingerprint and hand scanners for attendance registration, cashless catering and site access. Airports too are using authentication systems to control border security; in particular, in 2011 Gatwick airport installed biometric identification company Human Recognition Systems' MFLow Track. The iris recognition system, which reportedly was part of the £45m upgrade of the South Terminal, aims to speed up security checks.
Voice recognition identifies who is speaking by digitising the voice; the recording is then dissected into small, recognisable speech bits called phonemes and stored. Once the voice recognition software recognises the phonemes, the complex process of identification and contextual analysis begins, as it compares and pairs up each recorded phoneme against text equivalents in its memory. Voice biometrics are commonly used for remote authentication, for instance by adding another level of security to smartphones.
Analyst Gartner Research has identified biometric authentication as a key technology to watch, according to its 2012 'Hype Cycle for Emerging Technology' report. This comes as no surprise, as US research company Marketsandmarkets predicts in its 'Next Generation Biometric Technologies Market – Global Forecast & Analysis 2012-2017' report that the total biometric technologies market is expected to reach $13.89bn by 2017. The report explains that though voice, signature, vein, and DNA recognition are being used, face, fingerprint and iris recognition are commonly used in industries such as finance and government offices, but are gradually being deployed in defence, consumer electronics, healthcare and home and commercial security.
The report also reveals why various sectors use biometric authentication: government applications cover voting, personal ID, and building access; travel and immigration use the technology for border access control and detection of explosives at airports; and the finance sector requires biometric authentication for account access and cashpoint security.
While technologies are evolving, some industry experts are taking the traditional biometric elements and refining them. Hand and fingerprint are currently the leaders, but IT companies Hitachi and Fujitsu have developed biometric systems specialising in vein authentication technology.
Hitachi has created 'SecuaVeinAttestor', a finger vein authentication system that uses near-infrared rays generated by a set of light-emitting diodes; the rays penetrate the finger and are absorbed by the haemoglobin in the blood. Because the rays are absorbed there, the veins appear as dark areas, which are captured by a charge-coupled device (CCD) camera embedded in the 'SecuaVeinAttestor' device.
The image is processed to construct a finger vein pattern, which is then compressed, digitised and registered as the user's unique template. Similarly, Fujitsu has developed 'PalmSecure', which, like the Hitachi device, captures the vein pattern using infrared rays. The system can only recognise the vein pattern if haemoglobin is actively flowing within the veins.
Other advances in biometrics include brain waves and heart rhythms; though they are still in their infancy, scientists and researchers claim these two vectors are impossible to imitate or alter. Heart rhythms are unique to each individual, although patterns can change due to stress or if an individual has a heart problem. "Patterns from the heart do possess uniqueness, but this is trickier as conditions such as exercise, emotional states can alter the heart patterns. Hence specific methods to normalise the changes will need to be developed," says University of Wolverhampton's senior lecturer in engineering, Dr Palaniappan Ramaswamy.
He goes on to explain why brain waves are less complicated to test: "It is easier to normalise brain patterns, especially as you can develop the necessary two state paradigms – one state as baseline measure and another the actual 'test scenario' and use the baseline information to normalise any variations."
Researchers at the University of Wolverhampton investigated whether the brain's electroencephalogram and the heart's electrocardiogram signals could be used as a biometric tool; however, though in theory the concept means these biometric tools could deter fraud, the technology is (as yet) not accurate, and is therefore still classed as 'futuristic'.