Get Ready For More Biometrics

Part 1: What’s after fingerprints, where it will be used, and when it will become pervasive.

Security involving scans of fingerprints, palms, faces, or some other variant has been common in movies for years, and many phones and computers now offer fingerprint scans instead of a password login. But as security risks rise with the rollout of the Internet of Things/Internet of Everything, that technology will need to become much more pervasive and sophisticated.

“Today we don’t see any real different issues for biometric security for the IoE than for biometric security in general,” says Hagai Bar-El, Sansa Security’s chief technology officer. “But biometrics will develop at different paces for the critical applications vs. lower-end devices like what we may find in the IoE.”

Biometrics has been touted as the successor to the clumsy password technology that is currently the mainstay of security. It can be used for identification and authentication for any number of cases, from logging on to a computer to premise access to ultra-high safekeeping for homeland security. The technology has come a long way in the last decade.

At present, government agencies are the largest and primary implementer of biometrics—mostly the DoD, homeland security, FBI and other agencies within the government secret security wheelhouse. Of late, consumer electronics has come under the biometric umbrella, especially in light of the IoT. There also is interest in financial, healthcare and the business enterprise markets. And as the technology advances and becomes more plug-and-play, and as costs come down with economies of scale, other market segments are expected to get on the biometrics train, as well.

But as promising as biometrics for security may seem, there are some fundamental challenges that need to be addressed. “One of them is that there is not really anything secret about someone’s biometric attributes,” says Paul Kocher, president and chief scientist at the Cryptography Research Division of Rambus. “You are constantly displaying your face, eyes, other physical traits, as well as leaving your fingerprints everywhere.”

There are other unique problems with this type of technology, as well. “For example, there is really no way to ‘revoke’ a fingerprint,” notes Kocher.

Different planes
At present, the playing field isn’t level, either. “There is a big difference between government and consumer systems at present,” says Dimitrios Pavlakis, research analyst for digital security at ABI. “It is not that the consumer systems are not secure, but the government systems have to be more fail-safe—especially in areas such as their automatic fingerprint identification system (AFIS), which is used by law enforcement worldwide. If a biometric system doesn’t work on a smartphone, the manufacturer will lose a few clients and come back with a fixed version. But in the governmental sector, it is usually a matter of national security, even life and death, so they have to be extremely accurate and reliable.”

Governmental systems have to meet certain standards and pass specific certifications. So do critical business and health care. As a result, at least until the technology is more mainstream, there will be two levels of biometric applications – ultra-secure for government, financial and health care, and secure for consumer applications.

The technology is the same, whether it is the high-end or the consumer platform. It is the design, accuracy, and reliability of the technology that differentiates the two applications. But in both cases, biometrics has the ability to be a widely implemented security platform. The reason is that there are so many human elements that can be used as biometric markers. Unique biometric signatures can be found in body chemistry, structure, physical elements, psychology, traits, even behavior. This diversity allows biometrics to be a very effective identifier.

These signatures make biometrics very good at two things—identification and verification—which are the two most important elements in any security profile. The diversity of signature, alone or in conjunction with other markers, can be used to build a very accurate identification model. Once the model is built, the verification platform can be fine-tuned with little margin for error.

In a biometric system, setting up a biometric profile takes a number of processes, each with a specific function. It is worth noting here that the premise for all systems is that they are secure, both in the storage of identifying data and the access to such data. Moreover, the general process is the same for all types of biometric technologies.

Identification starts with a base model of the desired identification element, such as a fingerprint (see Figure 1 below). The initial stage is called enrollment. This is the phase where the specific biometric information is captured, cataloged and placed into storage. Once the data has been processed, verified, and is deemed reliable, the biometric template is available for identification going forward. That part is simply comparing the captured data (fingerprint from a scanner, for example) to the stored data.

Fig. 1: Block diagram of a fingerprint scanner. Courtesy of Texas Instruments.

To have a high rate of success, identification uses a number of steps to get the most reliable “true” identity. Biometric scans, while highly accurate, still need a bit of verification and post-processing to make sure the image scanned is the same as the image stored. This is one of the metrics that distinguishes high-end systems from consumer systems, for example.

Scanning will introduce artifacts—environmental data that isn’t relevant or accurate, such as dirt or other contaminants on the lens or the finger, light reflections/refractions, minute movement during the scan, or other noise. The processor needs to analyze such artifacts and remove them from the image.

Finally, the processing has to extract only the required features. In fingerprint recognition, for example, only certain characteristics are considered valid data for comparison.

The second element of biometric identification is verification. This process is where the actual authentication takes place. The system is ultimately trying to find the one-to-one match of the scanned image. The system searches for a set of possible matching templates, based on reference models, from which the matching algorithms generate a set of possible matches. These matches have a “score” that puts them into the ballpark. Then the images go through a series of “tests” where they are eliminated, one by one, until the final image is verified to be the “best” match. While the best case may seem a bit chaotic, it is really very accurate. In high-end systems, this step uses many more samples and algorithms to match the exact template.
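The enrollment, scoring and elimination steps described above can be sketched in a few lines of Python. This is an added illustration, not code from the article or from any vendor: the four-number feature vectors, the distance-based score, the shortlist size and the 0.8 threshold are all assumptions chosen to keep the example small, and real fingerprint matchers compare minutiae rather than plain vectors.

```python
import math

def enroll(captures):
    """Enrollment: average several captures into one stored template."""
    n = len(captures)
    return [sum(c[i] for c in captures) / n for i in range(len(captures[0]))]

def score(probe, template):
    """Similarity in (0, 1]; 1.0 means the feature vectors are identical."""
    return 1.0 / (1.0 + math.dist(probe, template))

def identify(probe, database, shortlist=3, threshold=0.8):
    """Score every template, keep a shortlist, eliminate weak candidates.

    Returns (best_name_or_None, shortlist) so the caller can see how close
    the runners-up were, not only who won.
    """
    ranked = sorted(((score(probe, t), name) for name, t in database.items()),
                    reverse=True)[:shortlist]
    survivors = [(s, n) for s, n in ranked if s >= threshold]
    # Rejecting when nobody clears the threshold is what stops an unknown
    # person from being mapped to the "least bad" enrolled identity.
    return (survivors[0][1] if survivors else None), ranked

# Constructed sample data: two captures per person, hypothetical features.
DATABASE = {
    "alice": enroll([[0.10, 0.80, 0.30, 0.55], [0.12, 0.78, 0.32, 0.53]]),
    "bob":   enroll([[0.70, 0.20, 0.90, 0.10], [0.68, 0.22, 0.88, 0.12]]),
    "carol": enroll([[0.15, 0.75, 0.35, 0.60], [0.17, 0.77, 0.33, 0.58]]),
}

GENUINE_PROBE = [0.11, 0.80, 0.30, 0.55]   # noisy re-scan of alice
UNKNOWN_PROBE = [0.40, 0.50, 0.60, 0.35]   # nobody in the database

if __name__ == "__main__":
    for label, probe in (("genuine", GENUINE_PROBE), ("unknown", UNKNOWN_PROBE)):
        name, ranked = identify(probe, DATABASE)
        print(label, "->", name, [(n, round(s, 3)) for s, n in ranked])
```

In the genuine case two templates land "in the ballpark" and only the ranking separates them, which is why the threshold and the number of enrollment samples matter more as the database grows.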

Looking to the future, we can expect to see a lot of development happening in the biometric space. For example, with ultra-high-end systems, multimodal technology can be employed. The operational methodologies are the same but these systems use multiple sensors to capture the image. This is useful where extremely high accuracy is required, such as for identifying terrorists. This technology can overcome the limitation of unimodal systems that may not be able to recognize scarred fingerprints, for example. And for iris-type recognition, it can compensate for aging within the eye. It also can combine various biometric metrics such as fingerprint, iris, and voice, to form a more complete “image” via sequential, parallel, hierarchical, and serial integration modes. These are the systems that are used in the most critical applications.

One possibility, though, is to stack up security in blocks—basically to add what you need rather than buy everything pre-integrated. Qualcomm has been working on this with NXP with what amounts to bolt-on security using standard interfaces and near-field communication technology.

“Frameworks building on a platform allow for multiple levels of authentication,” said Neeraj Bhatia, director of product management at Qualcomm. “And that transaction can be done locally or remotely with an ultrasonic fingerprint sensor or other biometrics.”

Missive
Exactly how this will all shake out is still a bit fuzzy. And not all experts agree on just how deep a role it will play in the IoT, or just how secure we can make it.

“There are claims made by vendors that they can prevent people from making prosthesis or duplicating biometric images, but those claims have not, generally, held up,” says Kocher.

On a low level, the present technologies work pretty well. But one of the major problems is revocation or reissuance of the attributes that biometrics analyze. One just can’t change one’s fingerprint.

Part two will examine some of the tools and techniques of biometrics, and an in-depth review of the significant metric that determines accuracy and the issues around it.