With iPhone and laptop fingerprint access, facial scanning and fingerprint checks at border controls, and DNA crime scene analysis, biometrics are all-pervasive. In the recent popular BBC series, The Night Manager, Tom Hiddleston uses facial recognition on his phone to access a bank account. As biometrics are increasingly used for identification and authentication, we need to examine the security implications.
Biometrics, the factor of “something you are”, has the advantage of always being present – you can never forget to take your fingerprints or face with you. Some unique physical attributes, such as an iris, are less invasive to collect than others such as retina capillaries. Society needs to debate whether and under what conditions it is acceptable to collect biometric data without permission.
The sensitivity of biometric measurements is a variable that should be determined for each application. Only applications where high security is imperative require high accuracy. High sensitivity leads to false rejection errors, where individuals who should be accepted are rejected. Low sensitivity leads to false acceptance errors, where those who should not be accepted are. We measure these errors as the False Rejection Rate (FRR) and the False Acceptance Rate (FAR), where the Crossover Error Rate (CER) is the sensitivity level at which the two are equal. iPhone’s Touch ID, for example, does not need the highest sensitivity – many false rejections are less desirable than the possibility of a false acceptance.
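The trade-off described above can be worked through on numbers. The following is an added example, not part of the original article: the match scores are constructed, and the matcher, its 0-100 score scale and all function names are assumptions made for illustration. It sweeps the acceptance threshold (the sensitivity), computes FAR and FRR at each setting, and locates the crossover point where the two rates are equal.

```python
# Constructed similarity scores (0-100) from a hypothetical matcher.
# GENUINE: the enrolled person presenting; IMPOSTOR: someone else presenting.
GENUINE = [92, 88, 85, 81, 79, 76, 74, 70, 62, 54]
IMPOSTOR = [71, 64, 58, 52, 47, 41, 38, 33, 27, 20]

def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: share of impostor attempts scoring >= threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: share of genuine attempts scoring < threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)

def sweep(thresholds=range(0, 102)):
    """One (threshold, FAR, FRR) row per sensitivity setting."""
    return [(t, far(t), frr(t)) for t in thresholds]

def crossover(rows):
    """Row where |FAR - FRR| is smallest; the lowest threshold wins ties."""
    return min(rows, key=lambda r: (abs(r[1] - r[2]), r[0]))

def loosest_threshold_for_far(rows, max_far):
    """High-security tuning: lowest threshold that keeps FAR within max_far."""
    return min((r for r in rows if r[1] <= max_far), key=lambda r: r[0])

def strictest_threshold_for_frr(rows, max_frr):
    """Convenience tuning: highest threshold that keeps FRR within max_frr."""
    return max((r for r in rows if r[2] <= max_frr), key=lambda r: r[0])

if __name__ == "__main__":
    rows = sweep()
    print("crossover (threshold, FAR, FRR):", crossover(rows))
    print("high-security, FAR = 0:         ", loosest_threshold_for_far(rows, 0.0))
    print("convenience, FRR <= 10%:        ", strictest_threshold_for_frr(rows, 0.1))
```

On this sample, removing false acceptances entirely costs a 30% false rejection rate, while capping false rejections at 10% leaves a 20% false acceptance rate.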
Biometrics can be anatomical or behavioural. Anatomical biometrics include fingerprints, palm prints, palm vein patterns, facial recognition, iris, retina, and ear cavity measurements. Behavioural biometrics include keyboard typing, voice, gait, brain waves, and heartbeats. When phoning the New Zealand tax office recently, I was asked to say my name three times for voice recognition purposes. Next time I call, they can authenticate me from my voice.
Some authentication methods utilise enhancements to the body. However, these are not strictly biometric, as they are not “something you are” but something added later, which may be impermanent. Examples include a digital tattoo, and an authentication pill which reacts with stomach acid when swallowed.
The security of a biometric measure is weakened where the physical attribute is not private but on public view, such as measurements from the face. While monitored biometric access systems, such as building access supervised by security personnel, are more difficult to circumvent, online or unmonitored systems can be far less secure. Being on public view, the physical attribute can be stolen and used to replicate the original. Most facial recognition systems are circumvented using a photograph to authenticate. The same applies to iris scanners. Fingerprints can be lifted off surfaces such as glass (with gummi bears, or Play-Doh). A demonstration of the iPhone Touch ID hack is here. In more extreme instances, thieves have also been known to chop off a finger in order to commit crime, such as these Malaysian car thieves.
Once entered into a system, biometric data is represented in a digital file, and this can be stolen and replayed. A demonstration of intercepting and replaying a digital representation of biometric data is here. In the 2015 Office of Personnel Management (OPM) data theft, digital representations of 5.6 million fingerprints were stolen. Earlier this month we found out about the data breach of 55 million voters in the Philippines – it is believed that biometric information is amongst the stolen data. The implications of biometric data file theft are far more severe than username/password data theft, as with biometrics there is no reset function. You can change your password but you can’t change your fingerprint or iris.
Potential negative consequences are compounded when biometric data is stored centrally on a server rather than only on the endpoint device. The Unique Identification Authority of India, for example, collects biometric data on its 1.2 billion citizens, which it stores in a central database. Personal biometric data from different body parts should never be stored in the same database or on the same server.
Society needs to debate where the limits should be regarding the use of biometrics for commercial purposes. Should the car dealership know details of your financial position, the minute facial recognition technology identifies you walking onto the premises? Will we end up wearing sunglasses even on a cloudy day?
Because of the security risks and severe consequences of breach, biometric authentication should only be used where absolutely necessary.