Biometrics: Better than passwords but not bulletproof
Connecting state and local government leaders
Government and industry experts think biometric authentication is poised to take off, but fingerprints, iris scans and voice recognition are not foolproof forms of ID.
Government has been the driving force in the adoption and use of biometrics. Law enforcement has used fingerprints for forensic identification for more than a century, and more recently the U.S. government has required biometrics for identify management through smart government ID cards. Internationally, governments around the world are adopting biometric standards for passports and border controls.
But a panel of government and industry experts told legislators that biometrics might be poised to take off as a consumer technology. Like so many other recent changes, it could be driven by the evolution and convergence of the laptop and smart phone.
“Acceptance will be driven by providing added value,” said Charles H. Romine, director of the IT Laboratory at the National Institute of Standards and Technology.
And where will that added value come? Stephanie Schuckers, director of the Center for Identification Technology Research, a federally funded cooperative research center, is clear about that. “The killer app is the mobile payment system, and the driver is the customer,” she said. The convenience of using a smart phone or other mobile device for fast, secure transactions will create a market for convenient biometric authentication.
John Mears, a board member of the International Biometrics and Identification Association trade group, said rumor has it that Apple’s new iPhone 5S, which might or might not be released this summer, will come with a fingerprint reader. And if Apple can’t build a market for new technology, who can? With an expected capacity of 128G, the new phone could have the capacity to handle biometric templates.
These statements were made at a May 21 hearing of the House Science, Space and Technology subcommittees on research and technology. Given the rapid expansion of life online and the inadequacy of the current user-name-and-password paradigm, the legislators wanted to know why biometrics hasn’t been adopted more rapidly.
There are a number of reasons. For all of its promise, biometrics still is a maturing technology, and although it is practical it is not yet broadly interoperable. And for all of the recent attention paid to online threats, the public is notoriously unwilling to inconvenience itself in the name of better security.
These things will change, and maybe soon. But the legislators seemed to be working with the assumption that biometrics is rock-solid secure technology. It isn’t. There are weaknesses, trade-offs and concerns, just as with all forms of identity verification.
The experts pointed out that for a biometric, such as a fingerprint or a voice analysis, to be effective it must be unique (or close to it) and persistent. And although agencies have been using biometrics for decades, to date there is precious little research on just how unique and unchanging these features are. This is necessary before those accepting biometrics can decide if the features provide the level of certainty they require for a given purpose.
And despite the common idea that a biometric is absolute, matching has always been on a “close enough,” basis. Maybe no one else has your fingerprint, but print-matching applications use only a sampling of data picked up from a reader and stored in a template. How detailed that data is and how closely two scans must match in order to be accepted depends on the level of security an application requires. More security requires more computing capacity, more expense and possibly more inconvenience.
None of this means that biometrics can’t be a big improvement over user names and passwords. But once the technology matures organizations still will have to decide what levels of risk they are willing to accept in given situations and what expense — in terms of money, time and resources — they are willing to trade for it.