Is Biometrics ID Security Good Enough?

United Airlines this week announced that it would begin rolling outClear’s biometric prescreening at its hub airports, including NewarkLiberty International and Houston George Bush Intercontinental. Thesystem works by verifying a flier’s fingerprints or eye scan.

Clear already is available at about 60 locations throughout the UnitedStates. It offers a system that utilizes biometrics to speedpreapproved travelers to the front of the security lane, and evenahead of TSA Pre-Check fliers.

United Airlines joins Delta Airlines in offering the service to fliers — and Clear’s technology also is in use at participating stadiumsand arenas that require an ID check for entry. However, Clear is justone of several companies to begin developing this the biometricscreening technology, and airports already have been struggling with how dodeal with competing but not compatible systems.

There now are at least53 biometric systems used just by the aviation industry, and dozensmore by other industries, according to the World Travel & Tourism Council. Most don’t see eye-to-eye, in that theirrespective databases aren’t shared.

Getting all the competing systemsto work together is just one of the challenges that biometricscreening companies will have to deal with in the near future to makethis technology universally embraced as an alternative for traditional identification.

History of Biometrics

It is easy to think of technology that can recognize aunique fingerprint instantly as being a modern marvel of the 21st century, butits roots actually go back to the end of the 19th century.Argentine anthropologist Juan Vucetich first cataloged fingerprints in 1891, and just two years later that helped Inspector Eduardo Alvarez identify Francisca Rojas as the actual killer of her two sons.

Then there is the story of Will and William West — two men who wereunrelated yet nearly identical in appearance. Each was serving aprison sentence at Leavenworth Penitentiary, but Will West wasconvicted of a minor crime, while William West already was serving alife sentence for first-degree murder. The prison had almost no way oftelling the men apart, but then turned to a new technology — fingerprint identification.

French handwriting expert and early biometrics researcher Alphonse Bertillon already had created an identification system that included a “mug shot,” along with detailed description of an inmate’sfacial features. Normally that system was enough to differentiateindividuals from one another. However, given that the West men looked so similar, something else was needed.

As it happened, Bertillon also made a breakthrough in the advancement ofdactyloscopy, which can analyze the patterns of fingerprints. As eachindividual’s fingerprints are unique, it was enough to determine whichWest was which!

“Biometrics have been around as identifiers and authentication meansfor over 100 years, with the most well-known case being that ofpolice/law enforcement use of fingerprints,” noted Ralph Russo,director of the School of Professional AdvancementInformation Technology Program at Tulane University.

Advances in Biometrics

This system of fingerprint identification is just one of the uniqueidentifiers that can tell individuals apart. In the century sinceBertillon developed dactyloscopic technology there have been manyadvances that also can scan an individual’s retina — something that isas unique as fingerprints. In addition, there also have been great stridesin facial recognition as well.

Both fingerprints and facial recognition scanning have been adoptedin recent years as a way to unlock smartphones. Supporters of the technology have suggested they offer a greaterlevel of security over passwords, which easily can be forgotten.

“The main advantage of the biometric authentication is its ease of usefor the end user,” said Leigh-Anne Galloway cybersecurity resilience lead at Positive Technologies.

“Simplicity in information security is not always good,” she told TechNewsWorld. “The face and fingerprints are always with you. You will notforget them as a password, but you cannot change them either,” Galloway added.

Biometric Advantages

The advantages of using digital biometrics — including fingerprints,iris scans or facial recognition — to manage access to applications anddevices include fast and reliable access to information tied to aspecific person, as well as relatively high accuracy, suggested Tulane’s Russo.

In addition, biometrics as a password can’t be lost or forgotten, andtherefore businesses do not have to manage the flood of forgottenpassword changes, while passwords can be relegated to a secondaryoption. Biometrics also can used as part of a multifactorauthentication process, and they can replace cards and other physicaldevices that can be lost or stolen.

The latter “results in thousands of incidents of lost identificationeach year as people try to manage the ID along with their luggage, andfollowing TSA procedures,” Russo told TechNewsWorld.

There is also the convenience factor, and the fact that no type ofpassword is truly perfect.

“All methods of identifying people have risks and drawbacks; to avoidforgetting passwords for a multitude of sites, people write them down,store them in plaintext — not encrypted — or trust them to third-partypassword managers which present a risk that the password manager couldbe hacked,” said Russo.

“Expect the use of biometrics to increase at an increasing rate goingforward, and this is for many reasons, including convenience to theuser, lower cost for the business to scale and manage, and arelatively frictionless user experience,” he added.

“Once users have chosen their type of biometric authentication, thereis no typing on tiny keyboards, no phone calls, and no one leaves homewithout their hands or face — just comparatively fast and easyaccess,” Russo noted.

Privacy and Security Concerns

The other side of the issue is one of privacy, and the fact thatbiometric technology could be used for nefarious reasons. That is whythe city government of San Francisco has instituted a blanket ban on facerecognition technology. Just this week California became the first state to consider a state-wide ban of face recognition technology.

Assembly Bill 1215, known as the Body Camera Accountability Act, hasproposed a ban on facial recognition software in police body camerasdue to privacy concerns. Similar concerns are being echoed regardingthe use of fingerprints as a method of identification.

Even travelers who see the benefits with the Clear or similarbiometric screening systems may want to consider if the cons mayoutweigh the pros.

“Although it can shave a few minutes off of travel times, we’drecommend that travelers spend the extra few minutes in line tomaintain sovereignty over their personal data,” said Sean McGrath,privacy advocate at ProPrivacy.

“Both private companies (United and Clear) and the government haveproven time and time again, that they can’t be trusted to keep thisdata secure,” he told TechNewsWorld.

Another concern is that once a fingerprint or eye scan is in thesystem it isn’t easy to get it back out again.

“As travel authorities shift from using traditional technologies tobiometrics, travelers are having less of a say of how their biometricdata is used,” McGrath added.

Is It a Perfect System?

There is another issue to consider and that is the reliability ofbiometrics. Faces change with weight loss or gain, and people do lookdifferent as they age. Fingerprints, while unique to individuals, dohave similarities as well. And what about cuts or burns to a finger –is it really such a perfect system for identification?

“Reading sensors and fingerprint processing algorithms have a certainthreshold for sample compliance,” explained Positive Technologies’Galloway.

“Considering possible damage or impurity of a finger, this thresholdmakes it possible to compromise the print,” she added.

Thus the higher the threshold, the more false-negatives possible; the lower, the more false-positives are possible.

“While injury can interfere with the reading of a fingerprint — forcomparison against a differing image file stored in the database –most biometric systems encourage a second or tertiary print to bestored as well to allow access in these type situations,” added TulaneUniversity’s Russo.

“In serious organizations, biometrics must be combined with other userverification tools, for example, finger plus eye plus password,” saidGalloway.

“Biometrics is not a ‘perfect’ means of identifying users ofapplications and systems; like anything involved with security thereis a balance between too much security and too little security,” saidRusso. “Dial up the percentage to declare a match and get morefailures — false negatives — and user frustration. Dial down thepercentage and get more false positives and weaker security. This isas opposed to passwords, which are 100 percent matches or not.”

Protecting the Biometrics

The biggest consideration in biometrics is whether this information ever can be secure enough. In 2015 the Office of PersonnelManagement (OPM) was hacked and personal information of more than 5million people — including fingerprints — was compromised.

“The biggest danger is the impossibility to change your biometricdata,” warned Galloway.

“Hacks and leaks have happened and will exist. There are no idealsystems; the biometric data used in our time isn’t a secret,” sheadded.

“Fingerprints can be restored by photo; voice, by calling andrecording a sample; and the shape of the face, by collecting photosof a target from social networks,” Galloway explained.

“If your password is hacked, you can always create a new one, but ifbiometric data is stolen you couldn’t realistically change yourfingerprints, face or irises, so that data could be used to attempt tofool devices and allow unauthorized access,” said Russo.

“However, this is not as easy to do as one might think, and whilepeople have successfully replicated fingerprints and voice prints tofool systems, face ID secured systems are much harder to fool,” Russoadded.

“In all, the incidents of using hacked biometrics to successfully gainaccess to systems have been minimal,” he noted.

Another consideration is that “protecting biometric databases is notmuch different from protecting other forms of data stored within agiven network, except perhaps in how governments’ accumulation of suchdata is rapidly outpacing their ability to secure it,” said Christopher Whyte, assistant professor of homeland security and emergency preparedness at VirginiaCommonwealth University’s L. Douglas Wilder School of Government and Public Affairs.

“As recent breaches here in Tennessee and abroad have shown, massiveleaks involving this kind of data are far from fantasy,” he toldTechNewsWorld.

Even when it is protected, the question comes back to how wellsome of works.

“Biometric data actually does bring with it an added obstacle tosecurity in that you need to actively work with the data to accountfor variations in the nature of relevant information,” said Whyte.

“I, for instance, grew a beard last year and I have a friend that lost80 lbs. two years ago — both would have to be controlled for by a facialrecognition algorithm,” Whyte added. “This prevents at least someamount of standard practice when it comes to minimizing theinformation stored by a company or organization that could actually bestolen or leaked.”

Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.Email Peter.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Should employers consider job seekers' social media posts when hiring?
Loading ... Loading ...

TechNewsWorld Channels