Biometric Technologies: Is the Future Already Here?
You have probably noticed that biometric technologies are becoming more prevalent - and we start seeing them in many devices, such as laptops and smartphones - so you might be wondering how safe these technologies are. There isn’t a single answer to this question, and I hope that by the time you finish reading this, you’ll be able to decide for yourself when and how you will want to adopt biometric technologies.
Let us start with a fundamental difference between the most common form of access control technology, the password, and biometric technologies. Passwords are a binary form of access control. Either you have the correct password and the system allows you access, or you do not have the correct password, and you are denied access to the system. You cannot have a 95% correct password and successfully access a system. Biometric technologies are probabilistic. Your pattern, extracted from features such as your fingerprint or your face, will have small reading errors, and the system will consider it acceptable if the level of similarity is above a certain threshold, usually defined either by the system administrator or by the device manufacturer. For instance, if the threshold is set at 94%, a fingerprint that the system considers 95% similar to yours is enough to gain access to the system.
By now, you are probably wondering why we cannot define the threshold to 100%. That is a great question! There are a few reasons for this, most associated with the technologies currently available to capture the patterns and some to users’ behaviors. Capturing a biometric pattern is a complex task with multiple variables. Would you ever be able to take two different pictures that look exactly the same? Probably not. That tells you any biometric technology that uses a picture is going to have the same problem. The user’s face will be at a slightly different angle, the lighting conditions will be slightly different, the user will be slightly more tanned, and so forth. When it comes to fingerprints, the user will place the finger in the reader at a slightly different position, and the user’s skin will be in slightly different conditions. That is why biometric technologies look for similarities, instead of exact matches, to reach a decision on accepting or rejecting the user.
To make things more complicated, biometric technologies are just like any other access control technology, in the sense that the harder you make it for an intruder to gain access, the harder it is for the legitimate user to get in. The easiest analogy is a door. You can decide to have more locks, but it is less convenient for you, and the probability of one of the locks breaking down, or one of the keys getting twisted, also increases, which means the probability that you will not be able to open your own door also increases. This means biometric technologies have two different types of error: the false acceptance rate (an impostor is accepted) and the false rejection rate (the legitimate user is rejected). For any given biometric technology, we cannot minimize both at the same time. That is why you often have to place your finger on the biometric reader more than once or look at your phone’s camera multiple times. The system thinks that you do not look enough like yourself! The system could be set to a lower threshold, but then the probability of the system finding someone else who is similar enough to you would increase, and we would have a serious security problem.
Now, we’ve covered a lot about why biometric technologies are not precise, but you still want to know if they are better than passwords, right? Well, it doesn’t take much to be better than a password, given that passwords are never good, but there is a situation in which using biometric technologies is actually worse than using passwords. Have you ever used one of those systems that asks you for a password if the biometric system does not recognize you? Those are worse than passwords and exist to increase user convenience, not security. Why do I say that? Easy: because you are allowed access if you pass either one of the barriers, which means an attacker can go through the weakest point of access. If the password is weak or someone found it on a Post-it Note under your keyboard (NOOOooo!), the attacker does not need to worry about the biometric technology. If the password is strong and the attacker cannot get past it, then the attacker can try to circumvent the biometric system instead. It is like having a back door to your house. It is convenient for bringing the groceries in, but it doesn’t add any security, and it might actually decrease it.
Now you are thinking, “Is this guy telling me that biometric technologies are useless?” No, I am not. Actually, I have more than 15 years of research on biometric technologies, and I would need to revisit my life decisions if that were the case. Biometric technologies are useful when combined with other security mechanisms in an AND, not OR, setting. Requiring biometric technology and a password increases your security, just like having to go through two locked doors to enter your house would increase your security. It is the OR that creates a security problem. This has been acknowledged by the National Institute of Standards and Technology (NIST), which, in NIST Special Publication 800-63B, states that “Biometrics SHALL be used only as part of multi-factor authentication,” and in fact, it isn’t rare to find biometric technologies combined with other access control factors, such as a password, an access card (optical, magnetic, RFID, etc.), or both.
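The two points above, the threshold trade-off between false acceptance and false rejection and the weakness of an OR combination of factors, can be made concrete with a small simulation. This is an added example, not code from the original post; the similarity scores and the 1% password-guess probability are constructed for illustration, and the two factors are assumed to fail independently.

```python
# Added example, not code from the original post: a tiny simulation of the
# similarity-threshold trade-off and of the OR-versus-AND argument.
# The score samples are constructed for illustration, not real matcher output.

# Constructed similarity scores in [0, 1] that a matcher might report when
# comparing a stored template against a live reading.
GENUINE = [0.97, 0.95, 0.93, 0.96, 0.91, 0.98, 0.94, 0.89, 0.92, 0.95]   # same person
IMPOSTOR = [0.71, 0.80, 0.66, 0.95, 0.74, 0.88, 0.59, 0.78, 0.83, 0.69]  # other people


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) for one similarity threshold.

    FAR: share of impostor attempts scoring >= threshold (wrongly accepted).
    FRR: share of genuine attempts scoring < threshold (wrongly rejected).
    Raising the threshold lowers FAR and raises FRR; it cannot lower both.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, thresholds):
    """FAR/FRR at each threshold, so the trade-off can be read off as a table."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}


def attacker_success(p_password, far, policy):
    """Probability an attacker is let in when a password guess succeeds with
    probability p_password and the biometric falsely accepts with probability
    far (independent events assumed).
    'or'  = either factor alone grants access (fallback-to-password design).
    'and' = both factors must pass (the multi-factor setting SP 800-63B requires).
    """
    if policy == "or":
        return 1 - (1 - p_password) * (1 - far)   # fails only if both fail
    if policy == "and":
        return p_password * far                   # must pass both
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    for t, (far, frr) in sweep(GENUINE, IMPOSTOR, [0.85, 0.90, 0.94, 0.96]).items():
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    far, _ = error_rates(GENUINE, IMPOSTOR, 0.94)
    for policy in ("or", "and"):
        print(f"{policy.upper():>3}: attacker success {attacker_success(0.01, far, policy):.4f}")
```

With these constructed scores the 94% threshold from the text accepts one impostor in ten and rejects the legitimate user four times in ten, and the OR policy lets the attacker in more often than either factor alone would.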
I would love to discuss the differences between biometric technologies for identification and for authentication or to discuss the differences between collaborative biometric technologies and stealth biometric technologies, but I will have to leave that for another post. For now, and to wrap up, I’ll leave you with a short description of a few different biometric technologies.
Fingerprints are likely the most well-known biometric feature, given that they have been in use for forensic purposes for far longer than for access control. Almost every individual has a unique set of ridges on the pads of their fingers, and this technology looks at the specific points on those ridges, called minutiae, including where they merge or bifurcate, to distinguish any two individuals. Only a few individuals in the world do not have fingerprints, due to a rare genetic condition called adermatoglyphia.
The precision of the different fingerprint-based available technologies varies significantly. If you are interested in learning more about that, you can consult the public results available at the FVC-onGoing website, promoted by the University of Bologna (Italy), which is the current evolution of the International Fingerprint Verification Competitions that, at the beginning of the century, opened the door for public benchmarking of biometric technologies.
As the name indicates, palm geometry uses the shape of the hand to establish the user’s identity. While this technology looks great in movies, it isn’t among the most precise, except when the reader is capturing and comparing not only the hand geometry but also the fingerprints in that hand and/or the vein pattern underneath the skin.
If you want to learn more about the implementation of hand geometry systems, you should read the ISO/IEC 19794-10:2007 standard. I know! You are now thinking “2007? Really?” Yes, hand geometry is not complicated and, therefore, the standard doesn’t need to change often. Actually, ISO reviewed and confirmed this standard in 2014 and expects that it will stay current until 2033.
The developments in computer vision set the foundation for facial recognition biometric technologies, making them widespread and capable of operating even under imperfect light conditions. Only a couple of decades ago we were still working to distinguish a human being from their shadow, and now we are at a point where computer systems can distinguish two people in a large dataset better than humans can.
The Federal Bureau of Investigation, the Department of Homeland Security, and several other agencies have a long history of collaborating to sponsor regular assessments of facial recognition technologies conducted by NIST. One of the outputs of these challenges was the face recognition technology database. If you happen to be a software developer interested in getting some hands-on experience working with facial recognition, you should visit the project’s website, from which you can download the database.
The fear that organizations implement facial recognition without the knowledge of users has raised some concerns and, in June, several senators and representatives reintroduced bicameral legislation, the Facial Recognition and Biometric Technology Moratorium Act of 2021, to limit the ability of the government to use biometric technology. We will soon see if it gets approved or not.
Voice recognition is an interesting technology, in the sense that it combines physical characteristics with behavioral characteristics. Organs such as the vocal cords, the palate, the tongue, and the lips influence the way we speak, and our learned speaking habits have a significant influence as well.
There are multiple advantages to voice recognition biometric systems. The first is the availability of hardware. Most computational systems, such as phones, laptops, and smartwatches, are equipped with a microphone, and that is all the system needs to capture your voice data. Another interesting, but scary, feature is that organizations can use voice recognition for access control remotely and without the user’s knowledge. That means whoever you are calling might be using your voice to make sure they are dealing with who you say you are, or storing your voice to sell it to a third party. That adds a layer of security when it comes to access control, but it also means someone is storing your biometric data and possibly trading it. Depending on whom you are calling and where they are located (some regions have legislation to provide some level of consumer protection), that is something to consider every time you make a phone call or speak to one of your smart devices.
Iris and Retina
Iris and retina technologies use characteristics of your eyes to establish your identity. Iris technology has evolved to require only a digital camera, while retina technology continues to use sophisticated and dedicated hardware to measure the vein patterns in the back of your eye.
Users are often reluctant to use any intrusive technology that involves their eyes, and maybe that is one of the reasons why retina technologies continue to be limited to highly secured environments, which also means that their price is not practical for most budgets. Iris, on the other hand, uses a normal camera, which increases its level of comfort and acceptance.
The 2005 and 2006 Iris Challenge Evaluation (ICE) workshops promoted by NIST are landmarks of this technology, which became free to develop and explore after the patent registered by Flom and Safir expired in 2005. The datasets used for these competitions are available for download from the workshops’ websites, which means that the development community can use them to continue to improve this technology. A curious fact: the results from the ICE show that iris recognition algorithms perform better when using the right eye instead of the left!
Keystroke Dynamics and Pointer Dynamics
I could not close this post without talking about behavioral biometric technology. Did you know the way you type on your keyboard, or the way you use your touchscreen, is unique to you? Well, it is. Keystroke dynamics is a biometric access control technology that assesses the way you type to find your pattern, while pointer dynamics works in a similar way, but using the way you use the computer’s mouse or how you interact with your touchscreen.
The RAND Corporation published the first experiments with keystroke dynamics in 1980, in a report that analyzed the typing “signature” of seven professional typists. As is often the case, the idea is an application to computational systems of something that existed in the analog world. In this case, the idea came from the fact that telegraphists have a unique style, the “fist,” which allows the operator to be recognized by their peers. Despite the promising results, keystroke dynamics didn’t attract much attention until the early 2000s, when it developed significantly (and I am proud of being part of that evolution), and we had to wait more than 10 years to start seeing commercial applications of keystroke/pointer dynamics. We had to wait a few more years to see this technology hit the news when, in 2020, a company called TypingDNA raised $7 million from Google’s venture fund.
We’ll keep an eye on how that progresses...