Biometrics: Your questions answered
Iris scanning and fingerprinting - your concerns put to the experts...
Last week we asked you to submit questions to our panel of experts on all aspects of biometrics.Whatever your concerns about fingerprint or iris recognition technologies and implementations our expert panel was able to answer your questions.
Below is a list of the best and most interesting questions submitted. Click on one to be directed to the answer.
Q. How long ago was the government's biometric project started?
Q. What is the potential for biometrics to be used as digital verification in companies?
Q. Isn't it the case that a Japanese biometrics student was able to make false fingerprints?
Q. How long will it take to provide all this information?
Q. How do I opt out of the government's biometric plans?
Q. I already have fingerprint-based access to my laptop, if that laptop was stolen could an expert who had access to the stolen laptop access my fingerprint from the software files?
Q. How will the proposed procedures cope with measurement errors?
Q. If we start using biometrics to enter our office, use our bank, buy things from the shops, access the country - isn't there an inherent disparity between the security measures different merchants and organisations will use?
Q. What amount of data will be required for the biometrics for one individual?
Q. How is the iris scanning going to affect or be affected by people who have light-sensitive eyes, detached retinas or cataracts?
Q. My main worry about biometrics, other than the astronomical cost, is what would happen if the scan came up negative for some reason?
Q. How long is the authentication process expected to take - seconds, minutes?
Simon Green asks: "How long ago was the government's biometric project started?"
Andy McCue, senior reporter at silicon.com and member of the UK biometric trial, answers: "ID cards have been mooted by many governments since the war and few would have thought it would be a Labour Home Secretary who would finally introduce them. Mindful of potential opposition to them, David Blunkett first proposed a national 'entitlement' card back in early 2002, saying it most definitely wasn't an ID card. The aim at the time was to crack down on illegal immigrants and terrorism, according to Blunkett. As the public became more used to the idea the government finally came out and admitted it was in fact an ID card scheme and published a draft ID card bill last year. Once the biometric enrolment trials finish in September and the results are published it is expected Blunkett will move to give the bill a speedy passage through Parliament." Back to questions
Clive Walker asks: "What is the potential for biometrics to be used as digital verification in companies, on networks, on shared drives etc. If somebody knows my password and user name and knows the security guard they can access my office and my machine. But if biometrics was used as well then they would also HAVE TO BE me in order to access my machine. Therefore if I'm not in the office my data should be safe. Will companies - and hardware manufacturers - start to adopt this approach?"
Simon Perry, VP security strategy at CA, answers: "This is the '64 Million Dollar Question'!
"Firstly, 'yes' on the surface biometrics presents a reasonable alternative to user ID and password. There are however some important caveats that will mean that we will not see widespread or rapid adoption of biometrics in this way in the near to medium term.
It will require all the hardware to provide a means to do a scan. This either needs to be built in to the hardware, or added as a peripheral. Vendors continue for the most part to play the 'chicken and egg' game as far as building it in and are saying there's not enough demand. Perhaps because they don't offer it, eh? You might want to ask why the same vendors keep giving us a floppy drive and a serial port.
So, perhaps a peripheral add-on is the answer. Indeed some mouse vendors have added it as a built in. In reality people tend to be slow to add new peripherals and replace ones that work already. Either way, there will be a significant time delay until all the legacy hardware cycles out of the system and is replaced by new hardware even if biometric support were built in tomorrow.
For hardware vendors to build in, we need to adopt a standard. Are we having fingers, eyes, facial, voice, other? Which vendor are we going to adopt as the standard? What about anti-competition issues therefore? It's a tricky one indeed.
Then what about the software? Almost all the software out there will require some sort of rework to support something other than user ID and password as the authentication mechanism. Again, there is a cost and a lifecycle to consider here.
Does that mean biometrics is doomed to the same scrap heap as universal use of PKI, just to the left of betamax, and around the corner from that huge field of unbought Segways? Not quite. Biometrics must be put into perspective of what it is good at:
In the short term, replacing the current method of identifying someone where the physical presence of someone is already required.
In the medium term, providing a replacement for user ID and password for highly secure systems where access is in a fairly controlled environment.
In the longer term, as we solve some of the problems I raised above, it becomes a more ubiquitous solution." Back to questions
Liam Devaney asks: "Isn't it the case that a Japanese biometrics student [Matsumoto] was able to make false fingerprints and wear false retinal contact lenses to fool all the best biometric detection equipment approximately two years ago?"
Nicola King, senior consultant, government services division, PA Consulting answers: "Matsumoto is one of a range of researchers who have developed methods that have been proven to fool a range of biometric readers for each of the main biometric characteristics - face, iris, hand geometry and fingerprint. The method that received the most press coverage was the 'gummy finger' - where he created fake fingers from the material used to make the children's sweets 'Gummy Bears'.
At the time this research was speculated to be proof that biometric technologies were inherently unsound as they could be so easily tricked. However what I actually believe this highlighted was the immaturity of the biometrics market and in particular the lack of public applications of biometric technologies. Any product that comes into contact with the public enters an 'arms race' where the producers increase the number of security features which are constantly being tested and sometimes breached by those who believe that there is gain to be made from doing so. A good example of this is the security features in bank notes. Over time the issuing banks have added a whole range of features including holograms, special inks, watermarks and sophisticated printing techniques.
Biometric device manufacturers are going through this same process - and indeed they couldn't go through this process if people didn't test their devices with a view to spoofing them. As a result most scanners now include a range of additional tests such as tests to ensure that the characteristic is three dimensional and not a two dimensional photograph; 'liveness' tests which check that the person is actually alive; and pupil depth tests in iris readers to make sure that the eye presented to a biometric reader is not just a photograph. Overtime these tests will become more and more sophisticated and robust making it harder and harder to spoof. "
Steven Pilz, associate director at LogicaCMG, adds: "It is important to remember that, ultimately, any system that has been designed by people can be fooled by people - it's only a matter of having the right resources and time available. However compared to their human counterparts these identification/verification systems are very accurate." Back to questions
Paul Walker asks: "How long will it take to provide all this information? And surely, even if they get it down to a few minutes or so, to get everybody signed up will take years."
Andy McCue, senior reporter at silicon.com and member of the UK biometric trial, answers: I took part in the Home Office biometric ID card trial earlier this month where three kinds of biometrics are taken. That whole process took 15 minutes and the plan is that just one will be used for the real thing. The government is also looking at plans to extend where the biometric enrolment could be done to places such as post offices and police stations as well as the passport office. If the technology works then enrolling is likely to be easier than the current passport application process." Back to questions
Simon Atkins asks: "How do I opt out of the government's biometric plans?"
Andy McCue, senior reporter at silicon.com and member of the UK biometric trial, answers: "Basically you can't – or at least in a few years you won't be able to. Under the timetable revealed last year by Home Secretary David Blunkett in his draft ID card bill, the biometric ID cards will be combined with passports and driving licences, which will have a biometric element by 2008. Carrying one won't be compulsory although the government will have the power to force it to be produced when using certain public services. If you want to opt out your best bet is to move country." Back to questions
Iain Henderson asks: "I already have fingerprint-based access to my laptop, if that laptop was stolen could an expert who had access to the stolen laptop access my fingerprint from the software files and copy it for use elsewhere?"
Simon Perry, VP security strategy at CA, answers: "This is a Catch-22 situation. If the machine requires you to authenticate with the fingerprint, how could someone who physically stole the laptop get access to it without the fingerprint, which is stored on the machine (thus needing you to access the machine to get it to then use it to authenticate which you can't do without the fingerprint... I am getting dizzy).
Any good software storage method for the 'hash' is going to protect the 'hash' via encryption and also ensure that the contents of the hard disk can't be accessed via a backdoor. Also, it is going to ensure that you can't circumvent it all by moving the HD to another machine." Back to questions
Ben Elliot asks: "How will the proposed procedures cope with measurement errors? Will it be possible for the client to choose a suitable level of certainty for their purposes? How can you ensure a 'gold standard' reference is collected? How strongly does the size of safety margin for measurement errors affect the number of false-positives?"
Nicola King, senior consultant, government services division, PA Consulting answers: "No systems are 100 per cent perfect and those that include biometrics are no exception. The standard measures of error rates for biometric devices are the False Match Rate (FMR) and False Non-Match Rate (FNMR). In the case of a False Match the system confirms the identity of someone, which it shouldn't as they are the wrong person; and for the false non-match the system cannot confirm the identity of the real person.
All biometric systems are designed to allow the thresholds for false match and false non-match errors to be set by those managing the system. As a result they can set a rate that is acceptable to them in that particular use of the technology. For example the error rate acceptable at a theme park would be very different to that acceptable at a high-security establishment. The 'level of certainty' needs to be linked to a cost of an error occurring and that is a difficult thing to do." Back to questions
Chris White asks: "If we start using biometrics to enter our office, use our bank, buy things from the shops, access the country - isn't there an inherent disparity between the security measures different merchants and organisations will use? Can my bosses really protect my biometrics as robustly as the Home Office for example?"
Simon Perry, VP security strategy at CA, answers: "Yes, we can expect that different organisations will all implement biometrics in a slightly different fashion, after all there are competing methods, differing implementations and also competing vendors for the same method. Also, remember that many biometric implementations will use two factor authentication - something you have (your finger for instance) and something you know (a PIN for instance). Both must be entered or presented to get access. Also, almost certainly it will be implemented to replace alternate forms of authentication where your physical presence is also required - for example at the bank where you need to physically sign a form, or enter the country where you currently need to show a passport.
So just having the 'hash' value won't be useful for a hacker. Lastly, there are ways to protect the hash value or key - place it physically on a smart card, protect its use with two factor authentication, combine it with a hardware module implemented time stamp that shows when the finger scan (for instance) was done." Back to questions
Colin English asks: "What amount of data will be required for the biometrics for one individual? And how much will this equate to for the entire UK population?"
Andy McCue, senior reporter at silicon.com and member of the UK biometric trial, answers: "Estimates on this vary according to which IT vendor you speak to this week but the plan is for the ID card to contain one piece of biometric information for each individual – most likely an iris or fingerprint scan. This will add about £35 to the cost of a passport but opponents of the scheme, such as the FIPR, claim it would need to be £100 to cover the cost of it. The current ID card trial being carried out by the government is testing facial recognition, iris scanning and fingerprint scanning to see which is the most reliable and easy to use. Assuming within a decade everyone in the UK will have to have one of these cards and the current population is almost 60 million then 'do the math' as they say." Back to questions
Lynda Craney asks: "How is the iris scanning going to affect or be affected by people who have light sensitive eyes, detached retinas or cataracts?"
Steven Pilz, associate director at LogicaCMG, answers: "The IRIS scanning is actually IRIS photography. The iris camera uses a standard CCD chip which can also be found in an ordinary household video camera. The only difference is that the IRIS camera takes a high resolution black and white picture. Low power infrared light is used to illuminate the object. This IR light has this same power rating as an ordinary TV remote control unit. People who' have an iris that is very small or damaged may have problems enrolling on an IRIS based recognition system."
Nicola King, senior consultant, government services division, PA Consulting adds: "There is a range of ailments that affect the ability of iris recognition systems to capture an adequate image of the eye. Organisations that are planning to implement a system based on iris recognition that might be affected by this problem have to make sure that they build in redundancy. They must ensure there is a second method of identifying these people. This could be a second biometric characteristic or some administrative process. Only customers who fail to provide a suitable image of their iris should be allowed to follow this back-up process which means that the lack of a certain biometric characteristic is treated as information in its own right." Back to questions
James Walters asks: "My main worry about biometrics, other than the astronomical cost, is what would happen if the scan came up negative for some reason, faulty scanner, error in reading, debris or grease from a previous scan, your finger print or eye have been damaged or the card or passport was damaged. How do you prove you are who you say you are?"
Nicola King, senior consultant, government services division, PA Consulting answers: "I guess the process for resolving this problem would be different depending on the service you are trying to access, but a generic solution would be to first re-test you after cleaning the reader. Scanner error could then be ruled out if it was possible to verify the identity of other people against their documents. Next they could try matching you against one of the other characteristics which have been enrolled in the system, assuming it's a multi-biometric scheme. Then if the system had a central database containing all enrolled customers they could then try to match you to your record on the central database - if you matched then the problem could be identified as being something to do with the card or token containing your biometric which may mean that they have to reissue your documents. If you still don't match on any of your biometric characteristics then there is two most likely situations: that you are a genuine person but your biometric characteristics have changed so much that the system cannot verify you; or, you are trying to claim to be someone else.
As it is very unlikely that all your characteristics would have changed significantly without you realising it then logic says the second situation is most likely. In the case of the first situation, most schemes will have a requirement in the terms and conditions that you should get your biometrics recaptured if you know that your characteristics are likely to have significantly changed e.g. you have developed cataracts and lost a finger." Steven Pilz, associate director at LogicaCMG, answers: "This is more a philosophical question than a technical one. The question of what determines 'who' a person is has given philosophers food for thought for centuries. Traditionally police and other government agencies answer these questions through their own investigative methods. Nowadays people receive an electronic identity based on this determined identity. The problems arise when you lose this identity or when it gets damaged or stolen, especially as trust and dependency on these electronic identities increases. We therefore strongly advise customers to pay a lot of attention to the processes surrounding enrolment on a biometric programme and the issuing of electronic identities. Fall-back procedures, random checks and human supervision must remain part of a good security concept. "Back to questions
Colin English: "So you have this biometric ID card. To prove your identity at, for example a bank, you hand it over to the teller, put your finger on a fingerprint reader and put your eye in front of the iris scanner. How long is the authentication process expected to take - seconds, minutes? Will it slow down if thousands of authentications are requested simultaneously? What sort of security and bandwidth would be required on the links into the central government servers?"
Steven Pilz, associate director at LogicaCMG, answers: "This depends strongly on the solution concept you are using. If you are using one-to-one based verification system (for example, a fingerprint stored on a bank card), verification will be done in less then a second. However if you are using an identification system based on one-to-many matching, (for example, you show your iris to an ATM which is then looked up in a central database), it requires a lot of processing power and will take more time. This will also require very secure data communication lines. That said, it is not very different from current ATM systems which also sends a template (in this case, a PIN) to a central system which is then looked-up and validated in a very large database. All in all, from a performance and privacy perspective it's more attractive to use one-to-one solutions, but from a maintenance and security point of view, centralised identification is the preferred option." Back to questions