Why you should care about biometrics

From UK ID cards to new passport technology, biometrics is becoming harder to ignore and should be included in every IT department's security strategy
Written by Tom Espiner, Contributor

Biometrics can be described as either the study of biological measurements, or the use of those measurements to identify people or verify them. Voice, fingerprints, hand geometry, face, signature, iris and gait can all be measured and used for identification and authentication.

Surely a lot of this stuff is still theoretical?
Different technologies are at different stages of development. Fingerprint biometrics are well established; iris recognition has been around for a decade; but other systems, such as gait recognition — how a person moves — are still emerging. Other technologies at different stages of commercialisation include vascular pattern recognition, ear structure, odour and palm prints. There is an ongoing debate as to whether DNA can be used as a biometric, as identical twins split from the same fertilised egg share DNA.

Why should I care about it now?
Once the stuff of science fiction, biometrics are very much science fact, as anyone who has flown to the US recently will know. The US recently introduced fingerprint scanning for all foreign visitors. For businesses, the proliferation of passwords has led to the development of single sign-on systems providing access to multiple applications. To reduce the security risk of having one point of access — for example, a single password that replaces multiple passwords — biometrics can be used instead. Some financial and military organisations already use biometric recognition for identification.

Government schemes focusing on authentication have also driven biometrics development. The UK Government passed the Identity Cards Act this year and aims to introduce ID cards by 2008. Biometrics technology is also being used by the US Government in its US-VISIT border-control programme.

How do I collect biometrics?
Most biometrics are collected using sensors, which capture the biological information — an electronic thumbprint scan, for example — and convert it to digital form. When the thumbprint is captured, a template made up of a map of specific points of that feature is created. That template is then compared with a database of templates using algorithms, and a decision about the identity of the user can be taken when there is a close enough match between templates.

How reliable is biometric authentication?
Biometrics technology doesn't work in absolutes. A match isn't established by comparing stored pictures. The complexity of biometric data means there are instances of false positives — where an individual is identified incorrectly as someone else — and false negatives, where a person is incorrectly rejected by the system. Rather than saying absolutely whether two images of a biometric match, most systems work by calculating whether the images are similar enough based on set limits. Each biometric system can be set with a higher or lower authentication threshold, depending on the level of security necessary.

How could a criminal get around a biometric system? Could they cut off a finger and use it to gain entrance to a building?
That's a bit James Bond. Some biometrics systems can detect whether there is a pulse in the body part being presented, and your average security guard would probably notice if you started waving severed fingers around.

What are the privacy concerns around biometrics?
Privacy campaigners claim that it is difficult to control when, where and how biometric information is used. Biometric data showing medical information can be passed through to commercial systems or insurance companies, for example.

Identity theft is also a concern. If a password is stolen, it can be reset, but if a biometric template is stolen, it is much more difficult to suspend use of the compromised information. Security experts claim that, to a certain extent, biometric details are already compromised through being in the public domain, and they design biometric systems accordingly.
