Beyond passwords: Biometrics continue to evolve

Patrick Lambert looks at the current state of biometrics in security systems.

We've talked a lot about passwords and the many ways they can be compromised. Everyone agrees that a better way to authenticate users is needed, but there is always a conflict between usability and complexity. So it's no surprise that many companies and security researchers have been looking at other means, either to replace passwords or to add something to them. The use of biometrics isn't a new idea, but it has evolved greatly over time. Just like passwords, the technology has its pros and cons. Let's examine some of the ways biometric authentication is being used for security purposes.

First, it's important to remember that no security system is perfect, even one that requires a part of your own body to unlock the device. Biometrics are simply security systems that ask you to identify yourself with a part of yourself. This is typically done via a fingerprint scanner, a retina scanner, a hand scan, or voice- and face-recognition software. At first glance, this seems like a very solid security measure, and it can be. But it's not without problems. The first major issue is that, unlike a password, a security card, or a PIN, you cannot change your eye or your fingerprint. If, at any point, the data corresponding to your physical attributes were to leak, you would never be able to use that type of biometric again. The second issue is that while it's hard to reproduce your fingerprint or your iris, it's not impossible. Many researchers over the years have shown ways to bypass some of the biometrics used in security systems, whether by creating fake hands from a mold or by tricking iris scanners.

Of course, that doesn't mean research in this area has stopped. Biometrics have come a long way, and companies are constantly releasing new products that provide better security while, hopefully, being more convenient for the user. One example is mobile payment systems. Paying with a credit card has always been something of a fertile playground for thieves. Stealing credit card numbers isn't hard, and when the only security measure is your signature, visible for all to see, it's no wonder that companies have had to adopt a policy of absorbing any bogus charges; otherwise the system would be completely untenable. So now that many companies are moving to next-generation payment systems, such as paying with your phone over an NFC chip, they are trying to increase security at the same time.

Most NFC payments right now rely on a PIN, which is alright but not great in terms of security. So some companies have been working on fingerprint scanners to replace it. Just think if you could walk up to the cashier, take your phone out, press your finger on the screen, and be authenticated right there. One company is even building devices that include pressure sensors so the device can tell whether it is reading a living finger or a fake.

So what about biometrics in the enterprise? While you may currently be buying a laptop that includes a fingerprint scanner, and soon your payment systems may also use some type of biometrics, what solutions are there for you to implement in your business? Right now, there's no question that fingerprint scanners are the most popular devices. They have become commonplace and can be added to almost anything. If you have a door that has to be kept secure, such as the one leading to the server room, there's no good reason why it should have only one factor of authentication, such as a keypad or a card scanner. You can add a second one, such as a fingerprint scanner, at very low cost; some devices are so small that they can be bought for $10. The same is true of modern computer systems, which can all be outfitted with a fingerprint scanner. By tying it to disk encryption, you increase security considerably. BitLocker, for example, can be tied into your computer's fingerprint reader, if it has one, simply by going to the Control Panel and enabling it. You can also do so through Group Policy.

A recent report shows that the market for biometrics will increase by 21% over the next two years. Like any other security measure, nothing is perfect, but in this case it can actually increase security dramatically over simple passwords, and make things easier for users, since they don't have to remember their fingerprints! But there are still challenges ahead. Right now, biometrics are used almost exclusively for local systems. That's because even if you transmitted a hash corresponding to your fingerprint over the Internet, it could be intercepted and replayed. Worse, you couldn't change it afterwards. Because of these challenges, it's unlikely that biometrics alone will replace passwords or other factors any time soon. Still, there are clever ways to use biometrics to enhance current systems. Think, for example, if you could call a company and, on top of identifying yourself through your access code or date of birth, a system running in the background listened to your voice patterns and identified you. This is something Nuance is offering. But again, it can't be the only check, because what if the person has a cold? Suddenly, any voice-based identification could be thrown out the window.

Does your organization use any type of biometric authentication? If you have any experience with any of these systems, share it with us in the Comments.


Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...


Whatever happened to RFID implants? Surely the technologies are there or near. The ultimate dream comes true with a cashless and crimeless society where one can't buy anything, go anywhere or do anything without being correctly identified. If you want to steal my ID, you'll have to jump through quite a few hoops, since Skynet will pick up conflicts such as me appearing at more than 1 place at the same time, or at 2 distant places within a short time. You can't even chop my hand off and take it with you because the RFID will include a dead or alive status code. Of course nothing is perfect, but it is hard to beat if security is your major concern. For a while, I thought 9/11 would push things over the top and make this happen...


From "Biometrics. Collar the lot of us! The Biometric Delusion", David Moss, 2009.

When he was Home Secretary, David Blunkett told us that biometrics “will make identity theft and multiple identity impossible. Not nearly impossible. Impossible”. That is the commonly held view. It may be the commonly held view, but is it correct? Not everyone agrees. Dr Tony Mansfield and Mr Marek Rejman-Greene, for example, opened their February 2003 report to the Home Office by saying the exact opposite, “biometric methods do not offer 100% certainty of authentication of individuals” (para. 4).

Tony Mansfield and Marek Rejman-Greene’s report makes the distinction between two different jobs for biometrics – identification (section 2.1) and verification (section 2.2). Identification is the job of proving that each person has one and only one entry on the population register. Professor John Daugman, the father of biometrics based on the iris, demonstrates easily that that job is not feasible for large populations. Suppose that there were 60 million UK ID cardholders. To prove that each person is represented by a unique electronic identity on the population register, each biometric would have to be compared with all the rest. That would involve making 1.8 x 10^15 comparisons. Suppose further that the false match rate for biometrics based on either facial geometry or fingerprints was one in a million (1 x 10^-6). It isn’t. It’s worse than that. But suppose that it was that good, then there would be 1.8 x 10^9 false matches for IPS to check. It is not feasible for IPS to check 1.8 billion false matches. It is therefore not feasible for these biometrics to do their identification job.

Verification, on the other hand, according to Tony Mansfield, is millions of times easier, and requires only that your facial geometry match the photograph recorded on your ID voucher (whether a passport or an ID card or a biometric visa) or that your fingerprints match the templates recorded on the voucher that you proffer to an immigration control officer, for example, or to a bank manager or to a GP, to underpin your transactions and interactions with them. It may be millions of times easier, but can the biometrics chosen for the NIS achieve even the job of verification [2]? Apparently not.

Biometrics

In 2004, the UK Passport Service (UKPS, now IPS) conducted a biometrics enrolment trial. 10,000 of us took part and a report of the trial was published in May 2005. Under the heading Key Findings (para. 1.2), sub-heading Verification success rates (para., the report says that 31% of people could not have their identity verified using facial recognition technology – they were told that they did not match the photograph of them taken only five minutes before. That was just the able-bodied participants. For the disabled, the false non-match rate was 52% – everyone would do better to toss an unbiased coin. And, using flat print fingerprinting technology [3], 19% of the able-bodied participants could not have their identity verified, and neither could 20% of the disabled [4].
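The identification-versus-verification arithmetic in the quoted passage, worked through as an added example (not part of the article or of the comment above). The population size, false match rate (FMR) and trial false non-match rate (FNMR) are the figures the comment quotes; the function names and the feasibility threshold are assumptions of mine, and the calculation is the standard pairwise-comparison estimate, not any IPS or NIS procedure.

```python
"""Why 1:N identification scales so much worse than 1:1 verification.

Added example. Inputs are the figures quoted in the comment; the
"feasibility budget" of 1,000 manual checks is a made-up planning value.
"""
from math import comb


def pairwise_comparisons(population: int) -> int:
    """Distinct pairs when every template is checked against every other
    (the de-duplication step of identification)."""
    return comb(population, 2)


def expected_false_matches(population: int, fmr: float) -> float:
    """Spurious matches an operator must adjudicate in one full dedup run."""
    return pairwise_comparisons(population) * fmr


def prob_new_enrolment_collides(population: int, fmr: float) -> float:
    """Chance that a single new applicant falsely matches at least one of the
    existing records during a 1:N search."""
    return 1.0 - (1.0 - fmr) ** population


def required_fmr(population: int, max_false_matches: float) -> float:
    """FMR a matcher would need so a full dedup stays within a manual-check budget."""
    return max_false_matches / pairwise_comparisons(population)


def expected_false_rejections(transactions: int, fnmr: float) -> float:
    """1:1 verification is linear: one comparison per transaction, so the cost
    is genuine users wrongly turned away, not an explosion of false matches."""
    return transactions * fnmr


if __name__ == "__main__":
    N, FMR = 60_000_000, 1e-6          # figures quoted in the comment
    print(f"pairwise comparisons:   {pairwise_comparisons(N):.2e}")      # ~1.8e15
    print(f"expected false matches: {expected_false_matches(N, FMR):.2e}")  # ~1.8e9
    print(f"P(new applicant falsely matches someone): "
          f"{prob_new_enrolment_collides(N, FMR):.6f}")
    print(f"FMR needed for <=1000 false matches: {required_fmr(N, 1000):.1e}")
    # Verification side: the trial's 31% FNMR applied to 10,000 border checks.
    print(f"genuine users rejected per 10,000 checks at 31% FNMR: "
          f"{expected_false_rejections(10_000, 0.31):.0f}")
```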


What happens if you want to change your bank? or your "credit card" number?
