The Ponemon Institute recently published the results of a survey commissioned by Vodafone and F-Secure: Return on prevention study: Measuring the value of security technologies, controls and governance practices. In reality, it’s a survey on attitudes towards cost-effective security for mobile devices, and its relevance here is that biometrics just doesn’t figure into the equation. Not that biometrics provide a poor return on investment for security, but that biometrics are not even considered for security at all. Although this particular survey was about mobile devices, this attitude is arguably indicative of the public’s general perception of biometrics.
What’s right with biometrics?
The use of biometrics for user authentication is a seductive argument, and is often described as the third factor in user identification. The first is something you know (like a password or PIN). The second is something you have (like a smart card or other token). The third is something you are – a unique metric from a universal characteristic, such as your fingerprint, your iris pattern, or your voice characteristics. CESG (the information assurance arm of GCHQ) defines biometrics in authentication as “the automated means of recognising a living person through the measurement of distinguishing physiological or behavioural traits”.
| "Biometrics will succeed providing they offer continuing, transparent and positive identification in a non-intrusive manner" |
| Andrew Cardwell, security consultant |
The biometric argument is that if we have a secure record of the user’s biometric feature (called the template) and can verify the current user against that template, then we can be 100% certain that this user is the authorised user. At first glance, this argument is irrefutable and almost irresistible; and there are many examples of biometrics already in use. International travellers are becoming increasingly aware of the value of biometric verification for rapid transit through the airport, and biometrics is increasingly being mandated for national passports.
A lot of research is in progress to find cheaper and more effective approaches to biometric authentication. An example of current research is Manchester University’s work on facial recognition specifically for mobile devices. “A video of your face contains useful information such as who you are, where you are looking, and how you are feeling. If we can extract this information from the video, it potentially paves the way for automatic face verification (i.e., determining whether you are who you claim to be)...”, claims Philip A. Tresadern at Manchester University.
Security consultant Andrew Cardwell believes that such research could lead to wider adoption of biometrics: “Biometrics will succeed providing they offer continuing, transparent and positive identification in a non-intrusive manner. One such system perhaps is a camera on your PC that is programmed to check the operator identity every 30 seconds. It opens a five-second window to acquire a good picture and if it can’t acquire the data, or doesn’t authorise the individual, the screen can be locked. This is ideal if someone else sits down at a PC or an individual gets up for a coffee because as soon as the individual comes back, the system authenticates a valid user once more and provides access.”
What’s wrong with biometrics?
The adoption of biometrics, however, can be problematic. “Biometrics are often seen as costly and overkill for most applications”, says Cardwell. Remember the Nationwide ATM iris-scanning trials in Swindon? More than a decade ago (1998), biometric access to building society ATM trials were started and soon abandoned as they were too expensive, with too little business benefit.
“People also tend to distrust individuals or corporations holding biometric details on them and I think these two arguments are the main reasons for lack of take up”, he adds. Most people’s practical knowledge of biometrics is limited to police fingerprint databases and national identity registers – neither of which offers a very reassuring view on the use of the technology.
Phil Booth, the national co-ordinator for No2ID (the organisation that has led the fight against the National [biometric] Identity Register) thinks there is another problem: over-hyping by the industry. “‘Over-claiming’ or allowing others, say the Home Office, to over-claim for you is something I’ve been warning the industry about at the biometrics conferences for several years now.”
| "The risk exposure has shifted from the internet channel to the voice channel; and this has been the motivation for the banks to say we’ve got to find some way to make our telephone banking more secure" |
| Chuck Buffum, Nuance Communication |
Right on cue comes an example: “In the future, whether it’s entering your home, opening your car, entering your workspace, getting a pharmacy prescription refilled, or having your medical records pulled up, everything will come off that unique key – [including] your iris”, says Jeff Carter, CDO of biometrics research firm, Global Rainmakers. “Every person, place, and thing on this planet will be connected [to the iris biometric database system] within the next 10 years”, he says. Such claims, and similar claims that biometrics are infallible, are patently absurd and do nothing to increase confidence in the technology.
Finally, we should mention another problem: the security of biometrics itself. With voice biometrics, could someone record your voice and use that? With facial biometrics could you fool the system with a mask – or your doppelganger? With fingerprints, could an imprint fool the system? But even where ‘fooling’ the system isn’t an option, biometrics remains as susceptible to hacking as anything else. The template of the biometric used still has to be digitised and stored electronically, and it then becomes as open to alteration or misappropriation as any other stored data.
The future
Many feel that the arguments against the use of biometrics for the majority of current applications tend to outweigh the arguments in favour; and that, quite simply, is why biometrics are only used in specific niche areas (airports), or where mandated by a higher authority (passports). Is this, then, the future for biometrics: a technology that remains a solution looking for the right problem?
Possibly, but many think otherwise. Chuck Buffum, vice president of authentication solutions for the mobile and enterprise division of Nuance Communications, explains that “there is a new angle that is motivating biometrics in the enterprise, and making security people take a fresh look at it: banking”. Nuance has the platform that lies behind much of the world’s speech recognition technology that is increasingly used for voice-based user authentication.
The demand is clear – mobile banking has exploded. “Over the last three or four years we have a new growth in the number of people doing telephone transactions. In the largest banking institutions it’s hundreds of millions of phone calls per year, and in many institutions it is tens of millions of phone calls per year”, Buffum says. “The risk exposure has shifted from the internet channel to the voice channel; and this has been the motivation for the banks to say we’ve got to find some way to make our telephone banking more secure.”
Nick Ogden was the original founder of WorldPay, but now runs The Voice Commerce Group. “It’s very much what it says on the tin”, he explains, “looking at how the voice and the use of mobile phones and various other devices are going to change the way that we interact with a range of different services”.
VCG’s first product was VoicePay, which allows you to use your mobile phone to make a purchase. VoicePay “guarantees all payments made on an account against fraud or personal information loss and offers a simple and secure way to issue transactions”. The problem, explains Ogden, “is how we know that it is Nick Ogden on the end of this phone and that Nick Ogden is authorising us to make a payment on his behalf?”
| "Every person, place, and thing on this planet will be connected [to the iris biometric database system] within the next 10 years" |
| Jeff Carter, Global Rainmakers |
He started to look at voice biometrics. “Initially I was one of the biggest cynics of this technology, but we went and looked at a range of different suppliers and ended up partnering with Nuance, who had developed a voice biometric platform. Interestingly, we found that not only did it work, it had never been hacked, even though Rory Bremner had tried to hack it – so I grew from being a cynic to a passionate adopter of this technology.
“One of the real benefits that voice biometrics has in identity and verification”, he continues, “is that it will work today on the 4.7 billion handsets that are in circulation because we don’t need to install any software – all we need is the ability for people to talk.” In fact, mobile technology specialist Goode Intelligence believes that “by the end of 2010, there will be over 6.9 billion mobile phone subscribers in the world”, and all of these will be able to use voice biometrics without any further hardware costs. In most cases, of course, the same argument will apply to Manchester University’s facial biometric approach.
Good products sell themselves
So what do we need to do to sell biometrics to the masses? Probably nothing. Perhaps it will happen anyway, courtesy of mobile devices. Consider the comments of Ric Merrifield, sometimes known as the ‘Business Scientist’ at Microsoft: “Our mobile devices will be the ‘credit card’ of the future. You would ‘beam’ some information to the merchant about yourself (it could even be your PayPal account – which, at a restaurant you could include in your OpenTable reservation and skip the ‘beam’ step). They then transmit to you the amount you owe, you click some sort of ‘agree to pay’ button and that’s it. It would also ask you if you want to pay a gratuity, which you could also have pre-programmed to calculate percentages so you don’t have to do that math in your head after a glass of wine.”
Nick Ogden is already working on this. “What we’re doing is designing systems whereby the consumer decides how much money, effectively cash, they’re going to put onto their mobile phone – let’s say £20 because I’m going into town and will want some coffee at Starbucks. With RFID ‘pay and wave’ capability – which might not meet the security rigours that some professionals might demand, but remember that this is just £20 and has to be as safe as the £20 note in my wallet – I can spend it straight off my phone.”
The banks will demand at least three-factor authentication for this process – and that means biometrics. Voice and possibly facial biometrics are a particularly easy and inexpensive way of introducing the third factor to mobile devices. This will make biometrics finally acceptable: mobile banking will change biometrics from a cost without benefit to a positive enabler without cost.