Will biometrics measure up to the future?

Who could forget the scene from John Woo's 1993 B-movie "Hard Target," where an imprisoned Jean-Claude Van Damme burns off the skin on his index finger, attaches it to an impromptu mechanical contraption and booby-traps it to hit the scanner at precisely the scheduled time each morning, so that his captors don't notice his escape?

Indeed, biometric identification systems are a bit harder to fool than simply getting the password right. And as this technology advances, so do people's concerns over its true effectiveness.

"Public acceptance of biometrics has been slow to grow, and will continue to be an issue until issues of privacy and security of data have been brought up to a level acceptable by the majority of people," says Isabelle Moeller, general manager of the Biometrics Institute.

The concept of biometric identification systems actually dates back to 1879, when French police clerk Alphonse Bertillon suggested that individuals could be identified through precise measurements of the body.

Argentina was one of the first countries to widely implement fingerprint records.

By 1976, Argentine police were using a system that combined scanned fingerprints with digital processing and radio technology to send biometrical information from the police cars to a central database, in order to track down suspected individuals in Buenos Aires.

Today, fingerprints are used not only for forensic investigation, but also commonly for passports, ID cards, border surveillance, access control, and even shopping.

The German company IT-Werke, specializing in biometric applications, has successfully implemented its digiPROOF system of payment by fingerprint in 120 Edeka stores in Germany. In June 2008, it launched a six-month trial of a similar system in collaboration with the payment processor Equens, in the Dutch supermarket chain Albert Heijn.

One to many

Besides fingerprints, other physiological biometrics include face recognition, iris scan, retina scan, hand geometry, facial thermogram, body odor, hand or finger veins, footprints and palm prints.

Of these, iris scanning is the most accurate -- with an average of approximately 250 distinctive characteristics in an iris, the odds of two people having the same pattern are 1 in 7 billion. And as it is relatively difficult to copy, it's also considered one of the most secure biometrics.

However, given the complexity of the process, it's also the most costly, and its accuracy depends on the cooperation of the subject. (For example, criminals have been known to use eye drops to dilate their pupils, thus masking the majority of their iris.)

Conversely, face recognition is technically the least intrusive, as faces can be scanned at a distance by surveillance cameras (although this also poses privacy issues), but its accuracy varies greatly according to light, exposure, etc.

Another biometric identification system currently under development by Hong Kong Polytechnic University's Biometrics Research Center is tongue scanning.

"The tongue shapes of different people are different, and thus the tongue can be used to tell different subjects," says Lei Zhang, assistant professor at the university.

"Our system uses laser scanning to construct the 3-D shape of the tongue. The tongue shape information can be collected in about two-three seconds. Then after feature extraction and matching, the person's identity can be determined."

Other biometric identification systems, which require capturing the subject in action and similarly comparing it to a database of samples, are behavioral. These include voice print, signature or handwriting dynamics (the way a person writes), keystroke dynamics (the way a person types, most often used as an extra layer of security over a password) and gait (the way a person walks).

"Recent progress on most face recognition, voice recognition or speech recognition algorithms has been made and proved in laboratories," says Professor Hanseok Ko, director of the Intelligent Signal Processing Laboratory at Seoul's Korea University, "but the deployment of such products has been limited to criminal investigations, as opposed to individual personal identification. Commercial products are still primarily limited to fingerprint ID technologies applied to door locks and PC/laptops."

Taking it further one step at a time, electronics manufacturer Fujitsu is selling peripherals such as the PalmSecure PC Login Kit with functional mouse, which authenticates users' identity by analyzing the veins under their palm.

Meanwhile, Motorola, an active developer of Automatic Fingerprint Identification Systems (AFIS) for over 30 years, is now marketing its own Mobile AFIS device, which captures both fingerprints and facial images, connects to wireless networks to upload data, runs on Windows Mobile, integrates bar code scanners, a smart card reader/writer, GPS and a phone, and can be held in the palm of a hand.

Security in numbers

So it is only natural that the protection of this highly personal data is taken very seriously. While biometrical identity theft is much more challenging than forging a credit card signature, illegally accessing and copying archived prints, which can then be used to produce artificial models, is still possible.

"In general, those systems where biometric data is readily obtained (stolen) are expected to be more vulnerable, since the availability of such data increases the number of ways in which a system may be attacked," says Moeller at the Biometrics Institute.

"We have tested face and fingerprint systems, which fall into this category. Speaker recognition, which we are testing at present, is also of this type. It is slightly more difficult to 'steal' biometric data from hand geometry, iris and DNA, and more difficult still for palm/finger vein and retinal scans, so we would expect decreasing vulnerability for these biometrics."

With the aim of applying research to real situations, the Biometrics Institute recently announced its proprietary Biometrics Vulnerability Assessment Service (BVAS).

"The customer submits the system to us for independent testing," explains Moeller. "The testing will be conducted in an independent laboratory where biometric devices can be sent to have their vulnerabilities investigated, assessed and reported. The laboratory will then collaborate with the contracting organization to work out how any vulnerability uncovered could be addressed through appropriate countermeasures."

One method of increasing security is to ensure that the data is transferred and stored with strong encryption. Another technique is to use multimodal biometrics (using more than one biometric system simultaneously to confirm identification).

At the Biometrics Research Center, Zhang says they are working hard to make counterfeiting as difficult as possible: "We have already developed a 3-D palm-print system, which has a much higher anti-counterfeit capability than the 2D palmprint system. We also have developed the near-infrared palmprint system, which can do liveness detection."

"Anti-hacking techniques are being introduced in the form of laboratory algorithms," adds Professor Ko at Korea University. "For example, impersonation by using fingerprint/palm molding in plastic form can be prevented by tying it to a heat sensor to confirm that an actual human specimen is being presented for verification."