For decades, biometrics were seen as futuristic and impractical. Only over the past decade or so has technology caught up to fantasy, bringing down the cost to a point where we can realistically start using biometric identification in everyday life.
Apple has a track record of bringing new technologies to the mainstream, so it wasn’t a surprise when it introduced biometric identification in 2014 to iPhones and began the “biometrics race”. Touch ID made it easy to unlock your phone by scanning your fingerprint — no passcode required.
But fingerprint scanning is only the tip of the iceberg.
The Basic Types of Biometrics
According to Dictionary.com, biometrics is “the process by which a person’s unique physical and other traits are detected and recorded by an electronic device or system as a means of confirming identity”.
As each person is unique, it follows that the best means of identifying an individual is by their physical characteristics. While there are numerous physical traits that could be used, some of the most commonly used are fingerprint recognition, voice recognition, facial recognition, and DNA verification.
Fingerprint Recognition: The most widely recognized form of biometric identification is fingerprinting. Its employment in law enforcement dates back to 1901 in the UK’s Metropolitan Police Service and its usage revolutionized criminal investigations.
Voice Recognition: Voice recognition is used to verify your identity based on the characteristics of your voice. This is commonly confused with speech recognition, which is the act of recognizing what has been said rather than who said it.
Facial Recognition: While voice recognition uses audio data, facial recognition uses visual information to verify your identity. Visual markers on the size and shape of your face are compared against a verified image.
DNA Verification: DNA verification isn’t something you’d likely use to unlock your phone. Widely popularized by shows like CSI, DNA verification is most commonly used in law enforcement. Each person’s DNA is unique, so even a small sample can be enough to verify the identity of an individual against a known sample.
What’s on the Horizon?
Iris and retina eye scans are already being used in high-security environments, such as secure areas in government buildings or at airport border controls. However, as the cost of implementing this technology comes down, it is more likely to wind up in our mobile devices, potentially opening up eye scanning technology to a far greater audience.
While signature verification has been around for quite some time, its digital equivalent is now being developed further. More people try to hide who they are online, and they often don’t realize that they are giving away their identity through the unique way that they type.
So What’s Holding Biometrics Back?
1. Fear of Surveillance
Currently one of the largest uses of biometric identification is in law enforcement.
Facial recognition in particular is becoming standard practice in proactive policing, with police in England using it at a music festival in 2014 to scan each attendee’s face and compare it against a database of known criminals.
This was certainly not the first time that facial recognition had been used on a large scale, but it was one of the most invasive as there was little justification given at the time as to why this specific festival was targeted.
One of the most common justifications for this kind of surveillance is protection against terrorism. However, as George Orwell made clear in his book 1984, total government surveillance can lead to an oppression of a country’s citizens, which we all recognize to be a bad thing.
One of the latest controversies over the government use of biometric data is the FBI’s Next Generation Identifier (NGI) database. The privacy group EFF is campaigning for more transparency on how this information is used, especially the facial recognition aspect.
2. Fear of Privacy Breaches
While you may or may not agree with government surveillance, most people are still very uncomfortable with the idea of private companies tracking their location and behavior, mainly because there is little in the way of transparency in how this information is actually stored and used.
Secure storage of data has become a sore point in recent years as most companies have allowed poor or non-existent security to grant hackers access to secure personal data. If we can’t trust them to protect our personal information, why would we trust them with our irreplaceable biometric information?
While there are concerns about government surveillance, the idea of private companies tracking our every move tends to make people even more nervous. Retail personalization specialists RichRelevance recently did some research into how customers felt about tracking and personalization:
It’s clear from those results that the erosion of privacy is mostly what people find “creepy”, with facial recognition topping that list. If customers don’t like a certain type of biometric identification, then shops are unlikely to adopt it for fear of losing business.
There has been a stir going on in Russia recently around a site called FindFace, which uses facial recognition to crawl profiles on the Russian social network VKontakte to find any person you are looking for. It’s just one of many examples.
While a lot of the information is public, it’s the way that data is used that causes great unease.
3. ID Unreliability
Fingerprint scanners have become the go-to form of mainstream biometric identification because of their reliability compared to other methods. For example, facial recognition currently requires good lighting and positioning to give accurate results.
Voice recognition, on the other hand, suffers from too much audio noise. While it may work well in very quiet conditions, it absolutely fails when you’re out on a busy road or in a loud nightclub. The results are inconsistent at best, but mostly just wrong.
These environmental factors limit where authentication can reliably be confirmed, which limits the convenience and usefulness of these methods. Compare this to passwords, which can be used at any time on any device under any conditions.
4. ID Theft
ID theft is one of the most stressful and worrying things that can happen. Having your identity stolen can be tough to prove, and it’s made worse by the fact that ID theft rates are increasing all over the world.
Hacks are a big obstacle for any ID verification system because once your credentials are exposed, anyone can use that information to pretend to be you.
But what if your unique physical attributes are stolen in a hack? It’s not like you can head to your local DMV and request a new face or fingerprint. It’s much easier to just log into Twitter or Facebook and change your password.
Another complicating factor is that changing a password on multiple sites is relatively trivial, and you can increase your security by using different passwords on each account.
Your biometric data, on the other hand, will be the same across all sites — the only way to prevent unwanted access would be to change the authentication method altogether.
If a large-scale hack were to happen to biometric data, it would be really difficult for people to verify their true identity, especially with data-linking becoming more common (i.e. all forms of identification including browsing habits, biometric data, passwords, and advertising profiles are interlinked).
5. Poor Standards
Digital standards are the reason why we can use any web browser to access the internet or any phone to make a phone call — they make sure that everything works together seamlessly.
The same can’t be said for biometrics. To date, no government has created standards for the creation, use, or storage of biometric information. Fast Identity Online (FIDO) is in the process of writing some standards, but with the current rapid proliferation of biometric consumer devices, it could end up being too little, too late.
Standards can also be used to make sure that methods of biometric identification are consistent. Fingerprints can change depending on the amount of oil in the skin or a cut on the finger. Normally, a fingerprint is turned into a small segment of data, but that stored data doesn’t allow for changes to one’s fingerprint.
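The matching problem described above, as an added example that is not part of the original article: a password-style exact comparison fails as soon as a re-scan differs by a few bits, while a distance threshold tolerates the change but has to be tuned between rejecting the real owner and accepting a stranger. The 256-bit template, the `enroll`/`rescan` helpers and the thresholds are constructed assumptions, not a real fingerprint format.

```python
import hashlib
import random

BITS = 256  # toy template size (assumption; real templates encode minutiae)

def enroll(finger_id):
    """Constructed stand-in for feature extraction: one fixed bit vector per finger."""
    rng = random.Random(finger_id)
    return [rng.getrandbits(1) for _ in range(BITS)]

def rescan(template, changed_bits, seed=0):
    """Later scan of the same finger with some bits changed (oil, a small cut)."""
    noisy = list(template)
    for i in random.Random(seed).sample(range(BITS), changed_bits):
        noisy[i] ^= 1
    return noisy

def exact_match(stored, probe):
    """Password-style check: digests must be identical, so one changed bit fails."""
    return hashlib.sha256(bytes(stored)).digest() == hashlib.sha256(bytes(probe)).digest()

def hamming(a, b):
    """Number of positions where two templates differ."""
    return sum(x != y for x, y in zip(a, b))

def tolerant_match(stored, probe, max_distance):
    """Accept when the probe is within max_distance bits of the stored template."""
    return hamming(stored, probe) <= max_distance

def sweep(max_distance, people=50):
    """Count genuine users rejected and strangers accepted at one threshold."""
    stored = enroll(0)
    genuine_rejected = sum(
        not tolerant_match(stored, rescan(stored, k, seed=k), max_distance)
        for k in range(people))              # re-scans with 0..49 changed bits
    strangers_accepted = sum(
        tolerant_match(stored, enroll(other), max_distance)
        for other in range(1, people + 1))   # 50 unrelated fingers
    return genuine_rejected, strangers_accepted

if __name__ == "__main__":
    me = enroll(0)
    later = rescan(me, 20)
    print("exact:", exact_match(me, later), "tolerant:", tolerant_match(me, later, 64))
    for threshold in (10, 64, 200):          # too strict, workable, too loose
        print(threshold, sweep(threshold))
```
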
6. Biometrics Alone Aren’t Enough
India is currently in the middle of an incredibly ambitious project to catalog identification information on every single one of its 1.2 billion citizens. The system, known as Aadhaar, includes biometric information along with text information such as name, date of birth and address.
The idea behind the scheme is to make identifying individuals for benefits and government services much faster and easier.
One of the ways they are tackling biometric issues is by using multi-factor authentication where a user is identified by “who you are” (biometrics) and “what you have” (mobile device, laptop, etc.). By using this system, they have created a two-factor authentication for biometric information.
The solution still suffers the pitfall of normal two-step verification: if an individual is being specifically targeted, then it may be possible to bypass both authentications.
However, if a hack were to happen and expose the data, it would certainly be a lot harder for criminals to use the information to access private information as they lack the second step needed for verification.
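The two-factor argument above, as an added example that is not part of the original article and not Aadhaar's actual protocol: a login succeeds only when the biometric probe matches and the device answers a fresh challenge. The `Device` and `Verifier` classes, the HMAC challenge-response standing in for "what you have", and the 16-bit template are hypothetical; the sketch assumes the breach exposes the biometric store but not the device key.

```python
import hashlib
import hmac
import secrets

MAX_DISTANCE = 3  # tolerated differing bits in the toy template (assumption)

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

class Device:
    """'What you have': holds a key used to answer challenges (hypothetical)."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class Verifier:
    """Hypothetical server keeping biometric records and device keys in separate stores."""
    def __init__(self):
        self.templates = {}    # user -> enrolled template (the data that leaks below)
        self.device_keys = {}  # user -> device key, assumed not part of the leak
    def enroll(self, user, template, device):
        self.templates[user] = template
        self.device_keys[user] = device.key
    def login(self, user, probe, device):
        challenge = secrets.token_bytes(16)      # fresh per attempt, prevents replay
        response = device.respond(challenge)
        bio_ok = hamming(self.templates[user], probe) <= MAX_DISTANCE
        expected = hmac.new(self.device_keys[user], challenge, hashlib.sha256).digest()
        return bio_ok and hmac.compare_digest(expected, response)

def scenarios():
    server, phone = Verifier(), Device()
    template = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]  # constructed sample
    server.enroll("alice", template, phone)
    leaked = list(server.templates["alice"])     # breach of the biometric store only
    return {
        "owner": server.login("alice", template, phone),
        # leaked template replayed from a device that was never enrolled
        "leak_only": server.login("alice", leaked, Device()),
        # enrolled device in hand, but a different person at the sensor
        "device_only": server.login("alice", [0] * 16, phone),
        # targeted attack holding both factors passes (the pitfall noted above)
        "both_stolen": server.login("alice", leaked, phone),
    }

if __name__ == "__main__":
    print(scenarios())
```
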
Too Many Issues, Right to the Core
While biometrics may not be the long-term alternative to passwords, they are safer to use. Rather than seeing biometrics and passwords as separate methods to prove that you are who you say you are, they should instead be viewed as complementary methods that can be used together to verify an individual.
Are biometrics the be-all-end-all of personal identification? Likely not. There are just too many fundamental problems to solve.
While the question of identity verification will live on for the foreseeable future, the best we can do for the meantime is to make sure that we proactively protect our security with strong passwords, two-factor authentication and good security hygiene.
What do you make of biometrics — exciting or over-hyped? What do you think will replace passwords in the future? Or do you even think passwords need replacing? Let’s discuss in the comments below.