Biometric authentication moves beyond science fiction

Aug. 27, 2014
Examining the strengths and weaknesses of current methods, technologies

It is a tenet of modern security that the identity of an individual who has undergone a security clearance process must be uniquely associated with that individual, and only that individual, in order to obtain access to secure facilities or systems. It has been obvious for years, however, that simple identification tokens such as driver’s licenses and photo ID cards do not adequately fulfill this requirement. Computer systems typically use knowledge-based identification systems requiring a password or personal identification number (PIN). However, human nature being what it is, passwords and PINs can sometimes be guessed, stolen or, with the proper software tools, easily determined.

Biometric identification methods involve analyzing physiological and/or behavioral characteristics of the body, both classes of which would be presumably unique to an individual, and thus more reliable than traditional methods of verifying identity.  These characteristics are then compared to information contained in a database linked to that person’s identity.  Common to all biometric identification modalities is the need to choose a characteristic that is common to each individual, yet which has unique parameters.  For example, having five fingers would itself not be a useful identifying feature, but the fact that fingerprints are not shared (even by identical twins) makes them a viable identification tool.  Other physiological parameters include palm prints, facial recognition, iris and retinal recognition, hand, finger and wrist vein pattern recognition, electrocardiogram analysis and DNA.  Behavioral characteristics include voice recognition, signature analysis, gait recognition and even keystroke dynamics. 

Biometric methods must also not be amenable to falsification.  Yet, as far back as 1937, the Journal of Criminal Law and Criminology described how ridge patterns of fingers could be deposited at a crime scene by rubber stamps.  The Internet today abounds with instructions explaining how to duplicate fingerprints using cyanoacrylate, digital photography and even gummy bears. While creating an identifiable fingerprint is not a trivial exercise, the television show “Mythbusters” was able to forge fingerprints using latex and ballistics gel that were accurate enough to fool both a computer fingerprint scanner and a digital lock.  Most recently, a European hacker group has reportedly been able to trick the iPhone 5S fingerprint scanner into accepting a photographed fingerprint that was applied to latex. Perhaps more significant is the concern that fingerprint information stored on the phone could be stolen and used for identity theft.

Although fingerprint analysis is quick and non-invasive, other techniques are less so. DNA biometrics has begun to be considered as a method of identification that is highly specific and accurate. It has been estimated that the chance of two individuals (other than identical twins) sharing the same DNA profile is less than one in one hundred billion. However, as accurate as DNA is, there are currently major weaknesses. DNA matching (checking the sample versus a reference) cannot be done in real time, and an actual physical sample must be obtained, whereas other biometric modalities can use an image or a recording. The most rapid DNA testing method currently takes about 90 minutes. Additionally, there are issues related to privacy and public perception.

One of the most rapidly evolving areas of biometrics is that of facial recognition since photographs or digital images can be easily converted into a mathematical code that describes a person’s face.  The code is created by computer analysis which looks at facial landmarks, called nodal points, such as position, size and shape of the eyes, nose and cheekbones.  Each person’s face contains about 80 nodal points, but identification is typically effected by analyzing about 20 points in the area between the temple and the lips.  This means that identification is generally not compromised by a beard, the aging process, or glasses.  Since the area being scanned is created by photograph, it is completely non-invasive.  Most recently, 3D facial recognition methods have been developed that are less susceptible to differences in lighting, facial expression and orientation of the head during imaging. In some instances, 3D imaging can be combined with skin texture analysis to increase image accuracy.

In January 2012, the Federal Bureau of Investigation began to collect facial recognition photographs of all suspects arrested and booked. Should all facial databases (such as driver’s licenses and passports) eventually be combined, it would be possible to find and track virtually anyone in the U.S. Here too, privacy infringement is a concern since photographs can be taken without a person’s knowledge.

One of the most accurate, rapid and reliable methods of biometric authentication is iris recognition, which is based on high-resolution images of a person’s eyes.  These photographs are converted to digital format yielding a mathematical representation of an iris that can be compared to an enrolled sample in a database.  Iris recognition is generally not affected by glasses or contact lenses and iris topography is stable (barring physical injury) over a lifetime.  Iris scanning is sometimes confused with retinal scanning which involves examining the pattern of blood vessels at the back of the eye.  In a retinal scan, the individual must look through the scanner’s eyepiece and measurements can be affected by cataracts or astigmatism.  In contrast, an iris scan can be conducted from a short distance away and, because the iris structure is determined randomly during embryonic development, even genetically identical individuals have different patterns.
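The comparison step described above, sketched as an added example that is not part of the original article: it assumes the common approach of scoring two binary iris templates by masked fractional Hamming distance over a few rotations. The template length, threshold, function names and sample templates are constructed for illustration, and feature extraction from the eye image is not shown.

```python
import random

CODE_BITS = 2048        # assumed template length
MATCH_THRESHOLD = 0.32  # assumed cutoff; real systems tune this against error rates
FULL = (1 << CODE_BITS) - 1

def rotate(bits, shift):
    """Circularly shift a template to compensate for head tilt."""
    shift %= CODE_BITS
    return ((bits << shift) | (bits >> (CODE_BITS - shift))) & FULL

def fractional_hd(code_a, mask_a, code_b, mask_b):
    """Share of disagreeing bits, counting only bits usable in both templates."""
    usable = mask_a & mask_b
    total = bin(usable).count("1")
    if total == 0:
        return 1.0  # nothing comparable (e.g. fully occluded): fail closed
    return bin((code_a ^ code_b) & usable).count("1") / total

def best_distance(probe, probe_mask, enrolled, enrolled_mask, max_shift=8):
    """Lowest distance over a small range of rotations of the probe."""
    return min(
        fractional_hd(rotate(probe, s), rotate(probe_mask, s), enrolled, enrolled_mask)
        for s in range(-max_shift, max_shift + 1)
    )

def verify(probe, probe_mask, enrolled, enrolled_mask):
    """Accept only if the best-aligned distance is within the threshold."""
    return best_distance(probe, probe_mask, enrolled, enrolled_mask) <= MATCH_THRESHOLD

def build_samples(seed=7):
    """Constructed data: an enrolled template, a noisy rotated re-capture, an unrelated eye."""
    rng = random.Random(seed)
    enrolled = rng.getrandbits(CODE_BITS)
    mask = FULL & ~((1 << 128) - 1)          # low 128 bits marked as eyelid occlusion
    noise = sum(1 << i for i in range(CODE_BITS) if rng.random() < 0.10)
    genuine = rotate(enrolled ^ noise, 3)    # same eye, ~10% bit noise, slight tilt
    impostor = rng.getrandbits(CODE_BITS)    # statistically independent template
    return enrolled, mask, genuine, rotate(mask, 3), impostor, mask

if __name__ == "__main__":
    enrolled, mask, genuine, g_mask, impostor, i_mask = build_samples()
    print("genuine :", round(best_distance(genuine, g_mask, enrolled, mask), 3))
    print("impostor:", round(best_distance(impostor, i_mask, enrolled, mask), 3))
```

The mask keeps occluded regions out of the score, and returning the worst distance when no bits are comparable makes an unusable capture fail closed rather than match by default.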

The movies would have us believe that eye recognition biometric methods can be readily defeated.  In the film “Minority Report,” access is gained to a security facility by using an eye that has been removed and kept in a plastic bag.  Reality is much different.  Removal of an eye would immediately cause loss of blood flow and irreparable deterioration of the blood vessels within the retina rendering a scan useless, not to mention that a person must actively focus on a specific point for the time (10-15 seconds) that it takes to complete the scan.  In “Red,” a character gains access to the Central Intelligence Agency by inserting a contact lens with an iris image presumably embossed on it.  While this scenario might be feasible using an inexpensive iris scanner, the best iris scanners have the ability to detect whether the iris contains oxygenated blood (“liveness” detection), which an embossed image would not.

Some of these technologies can be combined with more traditional methods of access control.  For example, San Jose State University is implementing a system whereby students will carry a device, such as a mobile phone, which stores their biometric information securely.  They will then be able to enter a residential dining hall by placing their finger on a biometric reader.  The reader compares the signature to data stored in the device via mid-range contactless technology.

In last year’s shooting at the Washington Navy Yard, the perpetrator had valid and authentic identification. This demonstrates that, even though biometric identification has advanced significantly over the years and continues to become more accurate, no matter how effective the biometric screening and authentication process, the individual being admitted to the system or facility must still have been thoroughly and appropriately vetted and cleared.

About the Author

Dr. Steven Hausman is president of Hausman Technology Keynotes (www.HausmanTech.com). He speaks professionally and conducts briefings on a wide array of topics related to technology, science and security that include nanotechnology, robotics, 3D printing, bionics (artificial limbs and organs) and radio frequency identification (RFID). He can be contacted via his website or his LinkedIn profile at http://www.linkedin.com/in/stevenhausman.