Cybersecurity

Is Biometrics ID Security Good Enough?

United Airlines this week announced that it would begin rolling out Clear’s biometric prescreening at its hub airports, including Newark Liberty International and Houston George Bush Intercontinental. The system works by verifying a flier’s fingerprints or eye scan.

Clear is already available at about 60 locations throughout the United States. It offers a system that utilizes biometrics to speed up pre-approved travelers to the front of the security lane and even ahead of TSA Pre-Check fliers.

United Airlines joins Delta Airlines in offering the service to fliers — and Clear’s technology also is in use at participating stadiums and arenas that require an ID check for entry. However, Clear is just one of several companies to begin developing this biometric screening technology, and airports already have been struggling with how to deal with competing but not compatible systems.

There now are at least 53 biometric systems used just by the aviation industry and dozens more by other industries, according to the World Travel & Tourism Council. Most don’t see eye-to-eye in that their respective databases aren’t shared.

Getting all the competing systems to work together is just one of the challenges that biometric screening companies will have to deal with in the near future to make this technology universally embraced as an alternative to traditional identification.

History of Biometrics

It is easy to think of technology that can recognize a unique fingerprint instantly as being a modern marvel of the 21st century, but its roots actually go back to the end of the 19th century. Argentine anthropologist Juan Vucetich first cataloged fingerprints in 1891, and just two years later, that helped Inspector Eduardo Alvarez identify Francisca Rojas as the actual killer of her two sons.

Then there is the story of Will and William West — two men who were unrelated yet nearly identical in appearance. Each was serving a prison sentence at Leavenworth Penitentiary, but Will West was convicted of a minor crime, while William West was already serving a life sentence for first-degree murder. The prison had almost no way of telling the men apart but then turned to new technology — fingerprint identification.

French handwriting expert and early biometrics researcher Alphonse Bertillon had already created an identification system that included a “mug shot,” along with a detailed description of an inmate’s facial features. Normally that system was enough to differentiate individuals from one another. However, given that the West men looked so similar, something else was needed.

As it happened, Bertillon also made a breakthrough in the advancement of dactyloscopy, which can analyze the patterns of fingerprints. As each individual’s fingerprints are unique, it was enough to determine which West was which!

“Biometrics have been around as identifiers and authentication means for over 100 years, with the most well-known case being that of police/law enforcement use of fingerprints,” noted Ralph Russo, director of the School of Professional Advancement Information Technology Program at Tulane University.

Advances in Biometrics

This system of fingerprint identification is just one of the unique identifiers that can tell individuals apart. In the century since Bertillon developed dactyloscopy technology, there have been many advances that also can scan an individual’s retina — something that is as unique as fingerprints. In addition, there also have been great strides in facial recognition as well.

Both fingerprints and facial recognition scanning have been adopted in recent years as a way to unlock smartphones. Supporters of the technology have suggested they offer a greater level of security over passwords, which easily can be forgotten.

“The main advantage of the biometric authentication is its ease of use for the end user,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies.

“Simplicity in information security is not always good,” she told TechNewsWorld. “The face and fingerprints are always with you. You will not forget them as a password, but you cannot change them either,” Galloway added.

Biometric Advantages

The advantages of using digital biometrics — including fingerprints, iris scans or facial recognition — to manage access to applications and devices include fast and reliable access to information tied to a specific person, as well as relatively high accuracy, suggested Tulane’s Russo.

In addition, biometrics as a password can’t be lost or forgotten, and therefore businesses do not have to manage the flood of forgotten password changes, while passwords can be relegated to a secondary option. Biometrics also can be used as part of a multifactor authentication process, and they can replace cards and other physical devices that can be lost or stolen.

The latter “results in thousands of incidents of lost identification each year as people try to manage the ID along with their luggage, and following TSA procedures,” Russo told TechNewsWorld.

There is also the convenience factor and the fact that no type of password is truly perfect.

“All methods of identifying people have risks and drawbacks; to avoid forgetting passwords for a multitude of sites, people write them down, store them in plaintext — not encrypted — or trust them to third-party password managers, which present a risk that the password manager could be hacked,” said Russo.

“Expect the use of biometrics to increase at an increasing rate going forward, and this is for many reasons, including convenience to the user, lower cost for the business to scale and manage, and a relatively frictionless user experience,” he added.

“Once users have chosen their type of biometric authentication, there is no typing on tiny keyboards, no phone calls, and no one leaves home without their hands or face — just comparatively fast and easy access,” Russo noted.

Privacy and Security Concerns

The other side of the issue is one of privacy and the fact that biometric technology could be used for nefarious reasons. That is why the city government of San Francisco has instituted a blanket ban on face recognition technology. Just this week, California became the first state to consider a state-wide ban on face recognition technology.

Assembly Bill 1215, known as the Body Camera Accountability Act, has proposed a ban on facial recognition software in police body cameras due to privacy concerns. Similar concerns are being echoed regarding the use of fingerprints as a method of identification.

Even travelers who see the benefits of the Clear or similar biometric screening systems may want to consider if the cons may outweigh the pros.

“Although it can shave a few minutes off of travel times, we’d recommend that travelers spend the extra few minutes in line to maintain sovereignty over their personal data,” said Sean McGrath, privacy advocate at ProPrivacy.

“Both private companies (United and Clear) and the government have proven, time and time again, that they can’t be trusted to keep this data secure,” he told TechNewsWorld.

Another concern is that once a fingerprint or eye scan is in the system, it isn’t easy to get it back out again.

“As travel authorities shift from using traditional technologies to biometrics, travelers are having less of a say of how their biometric data is used,” McGrath added.

Is It a Perfect System?

There is another issue to consider, and that is the reliability of biometrics. Faces change with weight loss or gain, and people do look different as they age. Fingerprints, while unique to individuals, do have similarities as well. And what about cuts or burns to a finger –is it really such a perfect system for identification?

“Reading sensors and fingerprint processing algorithms have a certain threshold for sample compliance,” explained Positive Technologies’ Galloway.

“Considering possible damage or impurity of a finger, this threshold makes it possible to compromise the print,” she added.

Thus the higher the threshold, the more false negatives are possible; the lower, the more false positives are possible.

“While injury can interfere with the reading of a fingerprint — for comparison against a differing image file stored in the database –most biometric systems encourage a second or tertiary print to be stored as well to allow access in these type situations,” added TulaneUniversity’s Russo.

“In serious organizations, biometrics must be combined with other user verification tools, for example, finger plus eye plus password,” said Galloway.

“Biometrics is not a ‘perfect’ means of identifying users of applications and systems; like anything involved with security, there is a balance between too much security and too little security,” said Russo. “Dial up the percentage to declare a match and get more failures — false negatives — and user frustration. Dial down the percentage and get more false positives and weaker security. This is as opposed to passwords, which are 100 percent matches or not.”

Protecting the Biometrics

The biggest consideration in biometrics is whether this information can ever be secure enough. In 2015 the Office of PersonnelManagement (OPM) was hacked, and the personal information of more than 5 million people — including fingerprints — was compromised.

“The biggest danger is the impossibility of changing your biometric data,” warned Galloway.

“Hacks and leaks have happened and will exist. There are no ideal systems; the biometric data used in our time isn’t a secret,” she added.

“Fingerprints can be restored by photo; voice, by calling and recording a sample; and the shape of the face, by collecting photos of a target from social networks,” Galloway explained.

“If your password is hacked, you can always create a new one, but if biometric data is stolen, you couldn’t realistically change your fingerprints, face, or irises, so that data could be used to attempt to fool devices and allow unauthorized access,” said Russo.

“However, this is not as easy to do as one might think, and while people have successfully replicated fingerprints and voice prints to fool systems, face ID-secured systems are much harder to fool,” Russo added.

“In all, the incidents of using hacked biometrics to successfully gain access to systems have been minimal,” he noted.

Another consideration is that “protecting biometric databases is not much different from protecting other forms of data stored within a given network, except perhaps in how governments’ accumulation of such data is rapidly outpacing their ability to secure it,” said Christopher Whyte, assistant professor of homeland security and emergency preparedness at Virginia Commonwealth University’s L. Douglas Wilder School of Government and Public Affairs.

“As recent breaches here in Tennessee and abroad have shown, massive leaks involving this kind of data are far from fantasy,” he told TechNewsWorld.

Even when it is protected, the question comes back to how well some of it works.

“Biometric data actually does bring with it an added obstacle to security in that you need to actively work with the data to account for variations in the nature of relevant information,” said Whyte.

“I, for instance, grew a beard last year, and I have a friend that lost 80 lbs. two years ago — both would have to be controlled for by a facial recognition algorithm,” Whyte added. “This prevents at least some amount of standard practice when it comes to minimizing the information stored by a company or organization that could actually be stolen or leaked.”

Peter Suciu

Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.Email Peter.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Peter Suciu
More in Cybersecurity

Technewsworld Channels