Biometrics are Like Passwords You Leave EVERYWHERE

Biometrics are like passwords, but worse.

Biometrics are like passwords that you leave everywhere (fingerprints, facial recognition, voice patterns), except that unlike passwords, you can’t change them when they’re lost or stolen. It’s easy to change your password, a bit harder to get a new retina. Like passwords, risk goes up as they are stored globally (in the cloud) versus locally (on a physical device).

In addition to the biometrics mentioned above that most of us have come to accept as commonplace, there are many other methods in use or under exploration:

  • hand geometry
  • vascular pattern recognition (analyzing vein patterns)
  • iris scans
  • DNA
  • signature geometry (not just the look of the signature, but the pen pressure, signature speed, etc.)
  • gait analysis
  • heartbeat signatures

At the 2014 Annual International Consumer Electronics Show, inventors displayed dozens of devices using biometrics, some of which will become just as commonplace as fingerprints in the near future, and some of which will not catch on and will be replaced by something even more amazing. Some of the hot biometrics items this year:

  • Tablets that measure pupil dilation to determine whether you’re in the mood to watch a horror movie or a comedy.
  • Headbands, socks and bras that analyze brain waves, heart rates and sweat levels to help detect early signs of disease or gauge a wearer’s level of concentration.
  • Cars that recognize their owner’s voice to start engines and direct turns and stops, all hands-free.

(Do a search for “current biometric uses” if you want to be entertained for a while!)

Some less outlandish examples that are currently in place:

  • Barclays Bank in Britain utilizes a voice recognition system when customers call in.
  • Some A.T.M.s in Japan scan the vein pattern in a person’s palm before issuing money.
  • Walt Disney World in Orlando, Fla., uses biometric identification technology to prevent ticket fraud or illegitimate resale as well as to avoid the time-consuming process of photo ID check.
  • Biometric passports contain a microchip with all the biometric information of holders as well as a digital photograph.
  • Law enforcement agencies, from local police departments to national agencies (e.g., the FBI) and international organizations (including Europol and Interpol), use biometrics for the identification of suspects. Evidence from crime scenes, such as fingerprints or closed-circuit camera footage, is compared against the organization’s database in search of a match.
  • Child care centers are increasingly requiring parents to use biometric identification when entering the facility to pick up their child.
  • And, of course, the most popular example has to be the use of fingerprint sensors on the iPhone to unlock the devices. They will also increasingly be linked to mobile payment services.

So, the million-dollar question is: Are Biometrics a Better Way to Protect Your Personal Identification?

The answer is yes…and no.

  • Biometrics are hard to forge: it’s hard to put a false fingerprint on your finger, or make your iris look like someone else’s.

BUT…

some biometrics are easy to steal. Biometrics are unique identifiers, but they are not secrets. You leave your fingerprints on everything you touch, and your iris patterns can be observed anywhere you look. If a biometric identifier is stolen, it can be very difficult to restore. It’s not as if someone can issue you a new thumbprint as easily as resetting a password or replacing a passport. Remember, even the most complex biometric is still stored as ones and zeros in a database (and is therefore eminently hackable).

  • A biometric identifier creates an extra level of security above and beyond a password

BUT…

if it is used across many different systems (medical records, starting your car, getting into your child’s day care center), it actually decreases your level of security.

  • Biometrics are unique to you

BUT…

they are not foolproof. Imagine the frustration of being barred by a fingerprint mismatch from access to your smartphone or bank account. Anil K. Jain, a professor and expert in biometrics at Michigan State University, says (emphasis mine), “Consumers shouldn’t expect that biometric technologies will work flawlessly… There could and will be situations where a person may be rejected or confused with someone else and there may be occasions when the device doesn’t recognize people and won’t let them in.”

The scariest part of the biometrics trend is how and where the data is stored.  If it is device specific (i.e. your fingerprint data is only on your iPhone), it’s not so bad.  But if the information is stored on a central server and unauthorized parties gain access to it, that’s where the risk increases.  A 2010 report from the National Research Council concluded that such systems are “inherently fallible” because they identify people within certain degrees of certainty and because biological markers are relatively easy to copy.
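To make "within certain degrees of certainty" concrete, here is an added example (not from the original article) of threshold-based matching and the two error rates it produces: false rejects of the real owner and false accepts of someone else. The 256-bit template, the Hamming-distance comparison and all sample data are assumptions constructed for illustration.

```python
import random

BITS = 256  # assumed template length; real template formats vary


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of bits that differ between two templates."""
    return bin(a ^ b).count("1") / BITS


def noisy_reading(template: int, flips: int, rng: random.Random) -> int:
    """Simulate a fresh capture of the same trait: flip exactly `flips` bits."""
    for pos in rng.sample(range(BITS), flips):
        template ^= 1 << pos
    return template


def error_rates(enrolled, genuine, impostors, threshold):
    """Return (FRR, FAR) when a match means distance <= threshold."""
    rejected = sum(hamming_fraction(enrolled, g) > threshold for g in genuine)
    accepted = sum(hamming_fraction(enrolled, i) <= threshold for i in impostors)
    return rejected / len(genuine), accepted / len(impostors)


def build_samples(seed: int = 2014):
    """Constructed data: one enrolled user, 8 noisy owner readings, 200 strangers."""
    rng = random.Random(seed)
    enrolled = rng.getrandbits(BITS)
    # Sensor noise (dirty finger, bad lighting) modelled as 10..115 flipped bits.
    noise_levels = (10, 20, 30, 45, 60, 80, 100, 115)
    genuine = [noisy_reading(enrolled, k, rng) for k in noise_levels]
    impostors = [rng.getrandbits(BITS) for _ in range(200)]
    return enrolled, genuine, impostors


if __name__ == "__main__":
    enrolled, genuine, impostors = build_samples()
    # A strict threshold locks out the owner; a loose one lets strangers in.
    for t in (0.0, 0.25, 0.40, 0.50, 1.0):
        frr, far = error_rates(enrolled, genuine, impostors, t)
        print(f"threshold={t:.2f}  FRR={frr:.3f}  FAR={far:.3f}")
```

No threshold drives both rates to zero once owner and stranger readings overlap, which is why a biometric match is a probability rather than a yes/no fact.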

I also feel compelled to mention the inherently intrusive nature of biometrics.  While it’s true that using facial-recognition software can help law enforcement agencies spot and track dangerous criminals, we must remember that the same technology can just as easily be misused to target those who protest against the government or participate in controversial groups.  Facebook already uses facial recognition software to determine whether photos that users upload to the site contain the images of their friends.  Retailers could use such systems to snoop on their customers’ shopping behavior (much like they do when we shop online already) so that they could later target specific ads and offers to those customers.

How long before we have truly entered into Tom Cruise’s Minority Report world where we are recognized everywhere we go? “Hello Mr. Yakamoto and welcome back to the GAP…”

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.