Biometrics

What are biometrics? Authenticating people by some aspect of their body, typically fingerprints (or finger veins), an iris scan or voice recognition. I think it will become much more important in the coming years, since it offers a painless way to get increased security.

As I talked about earlier, security is hard and people think it isn’t. In the military and internally in big companies, the way that security works can be mandated. Even then there are regular stories of unencrypted disks going missing in the mail, or credit card databases being stolen wholesale. But in the consumer world there is a different issue: if consumers find it too hard to use, they won’t use it. If a bank makes its customers jump through too many hoops to log in and make online payments, then either they’ll change banks or think badly of their bank for not really having a usable online payment system.

The solution that the credit card companies came up with is simply to accept a certain amount of fraud and try to manage it down. Some of the behavioral analysis they now use seems to have got really good. Someone got hold of a credit card number of mine recently, and they didn’t let a single fraudulent transaction go through, nor, until they finally put a complete hold on the card, did they block a valid one. Further, that was the first time they put a hold on my card; they didn’t have any earlier false alarms. That’s a big improvement from the time I couldn’t pay for my hotel in Japan because "someone appears to be attempting to use your card in Japan". Er, yes, that would be me.

I think biometrics offers the possibility of industrial-strength security coupled with consumer ease of use. There are some issues, since a few people don’t have readable fingerprints, people occasionally cut their fingers, and so on. So there does need to be an alternative route for those rare occurrences, although it can be relatively cumbersome. To some extent biometrics has a bad rap, since early implementations were poor and had a high failure rate (you put your finger on the pad and you are not recognized), and there are some health issues with shared detectors (do you really want to put your finger on the same piece of plastic that several hundred other people, some of them with the flu, have already touched?).

Biometrics is divided into what are called one-to-one and one-to-many matching. One-to-one (verification) is where the person claims an identity, you already know who they should be, and you are trying to confirm it by comparing against that one stored record. The amount of data and processing required is relatively low. One-to-many (identification) is where you scan, say, someone’s iris or fingerprints and identify them within a second or two from a database of several million people, with no claimed identity to narrow the search. That requires much more serious computation, although the amount of data that has to be stored per person is only of the order of 1K bytes.
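To make the one-to-one versus one-to-many distinction concrete, here is an added example (not code from the original post) that simulates both modes over constructed templates. Templates are fixed-length bit strings standing in for an iris code or fingerprint feature vector, similarity is measured by the fraction of differing bits, and the template length, noise level, threshold and user names are all assumptions. It also shows a caveat a defender should know: in identification, an impostor gets one chance per stored record, so the system-level false match rate grows with the size of the database.

```python
"""Toy one-to-one (verification) vs one-to-many (identification) matching.

Added illustration; every template, name and threshold here is constructed.
"""
import random

TEMPLATE_BITS = 512        # constructed length; real templates vary by modality
MATCH_THRESHOLD = 0.30     # accept if at most this fraction of bits differ (constructed)


def make_template(seed: int) -> list[int]:
    """Deterministic pseudo-random bit string standing in for an enrolled template."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]


def capture(template: list[int], noise: float, seed: int) -> list[int]:
    """Simulate a fresh sample of the same trait: each bit flips with probability `noise`."""
    rng = random.Random(seed)
    return [b ^ (1 if rng.random() < noise else 0) for b in template]


def hamming_fraction(a: list[int], b: list[int]) -> float:
    """Fraction of positions where the two templates differ (0.0 = identical)."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(probe: list[int], enrolled: list[int], threshold: float = MATCH_THRESHOLD) -> bool:
    """One-to-one: the identity is claimed, so exactly one comparison is made."""
    return hamming_fraction(probe, enrolled) <= threshold


def identify(probe: list[int], database: dict, threshold: float = MATCH_THRESHOLD):
    """One-to-many: no claimed identity, so every record is compared (O(N) work).

    Returns the id of the closest record if it is within threshold, else None.
    """
    best_id, best_dist = None, 1.0
    for user_id, enrolled in database.items():
        dist = hamming_fraction(probe, enrolled)
        if dist < best_dist:
            best_id, best_dist = user_id, dist
    return best_id if best_dist <= threshold else None


def system_false_match_rate(single_fmr: float, n_records: int) -> float:
    """Chance an impostor matches at least one of N records: 1 - (1 - FMR)^N.

    Assumes independent comparisons; the point is that identification against
    a large database needs a much stricter per-comparison FMR than verification.
    """
    return 1.0 - (1.0 - single_fmr) ** n_records


if __name__ == "__main__":
    db = {f"user{i}": make_template(i) for i in range(1000)}   # constructed enrolments
    probe = capture(db["user42"], noise=0.10, seed=9999)        # user42 presents again
    print("verify as user42:", verify(probe, db["user42"]))
    print("verify as user7: ", verify(probe, db["user7"]))
    print("identify:        ", identify(probe, db))
    print("stranger:        ", identify(make_template(10_000), db))
    print("FMR at N=1:   ", system_false_match_rate(1e-6, 1))
    print("FMR at N=1000:", system_false_match_rate(1e-6, 1000))
```

With 512-bit templates, two unrelated templates differ in about half their bits while a noisy re-capture of the same template differs in about a tenth, so a 0.30 threshold separates them cleanly; the `system_false_match_rate` figures show why the same threshold that is adequate for verification may be far too loose once the matcher has to search a database of thousands or millions.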

There are lots of subtleties to making biometrics truly secure in the face of virus-ridden PCs, keyloggers, unencrypted wireless networks and the rest. Unlike a password, you can’t change your biometrics, so guaranteeing that the stored template data remains secure is even more important.

This entry was posted in security.