From bank accounts to personal profiles, passwords have become the default option for verifying a user’s identity. In fact, many of us are so inundated with passwords, both at our jobs and in our personal lives, that we face a disturbing set of choices: Record all passwords on paper, use "basic" passwords that we'll remember easily or use the same password for everything. (None of which is optimally secure.)
Then there’s the annoying "password maintenance," in which password-protected systems hound us to come up with yet another set of characters. But while businesses, governments and organizations are working to make sure that traditional password systems remain strong and secure, a new kind of digital authentication is coming – one that may solve these problems altogether. New biometric identification programs are getting a lot of attention these days. And for good reason – they may just drive future commerce and civic life. (To learn about other security methods, see The 7 Basic Principles of IT Security.)
What Is Biometrics?
The definition of biometrics might seem simple, but a technical description is actually a little involved. While biometrics just refers to the collection of any kind of information about any biological organism or system, the term has come to be used almost exclusively for specific kinds of programs within many parts of the IT world. These programs use data about humans to identify specific individuals. They are used for various kinds of security in different applications. To make things more clear, most of us agree to restrict discussions about biometrics to these kinds of projects.
New Biometric Designs: We Know Who You Are
Most of those who don’t work in biometrics or a related area of IT usually think of biometric programs as either based on fingerprint data or iris scanning. While these (as well as computer image processing of facial features) have been the mainstays of biometric security advances, they are not the only ways to collect and use data about a specific person. Some new biometric programs are now using information that’s more abstract, what you might call "physical-behavioral" information, to pick someone out of a crowd.
A great example is the new development of a seat that can tell who is sitting in it by measuring the weight balances and other signals that come from a sensor-equipped pad showing data related to spinal alignment, body mass and balance, and positioning tendencies. While the "intelligent seat" might sound like a joke, it’s really an idea that can help us to explore new ways to make biometrics work. Just imagine if a seat in a car or airplane could adapt the environment based on your physiological responses! (Want to make sure only the right people are accessing your systems? See What Enterprise Needs to Know About Identity and Access Management (IAM).)
Limitations of Conventional Biometrics
While some of the downsides and limitations of established biometric methods like fingerprint ID or iris scanning are evident from a cursory look at Tom Cruise in "Minority Report" (and the plastic baggie where he keeps a set of eyeballs to scan for security purposes), impersonation is only one of the many problems that come with some of the most common biometric methods. Some of these relate to privacy.
Despite all of the new advances in the field, fingerprints remain the most common type of biometric identifiers, partly because of their essential uniqueness and permanence, and partly because, even before modern biometric technologies were available, law enforcement kept fingerprint identifiers on file.
For a look at how biometrics pioneers are dealing with privacy issues in fingerprint identifier programs, we consulted the team at James Madison University’s Infosec program. Xunhua Wang, Brett Tjaden and M. Hossain Heydari study biometrics and their applied uses at JMU. Wang noted that although fingerprints are useful for a range of crime investigation, immigration and heavy security projects, they do have some inherent challenges. One is the issue of partial fingerprints; the other is security and privacy and how likely it is that a fingerprint record can be compromised in any given application. Wang said this is a significant issue in industries that use these products, since a fingerprint does not change much over time.
As an example of this risk, an abstract on a paper co-authored by Wang and a graduate student, Benjamin Rodes, includes an interesting description of hacking a fingerprint-protected USB drive through "black-box reverse engineering and manipulation of binary code in a DLL."
Fuzzy Extractors: Advances in Fingerprint Biometrics and Security
Recent research on biometrics, said Wang, revolves around how to safeguard a reference template, the data taken from a fingerprint that is stored on a server. One way to deal with security risks is with something called a fuzzy extractor, a design that could fundamentally address the security and privacy concerns about biometrics, although Wang pointed out that there are still some issues that have to be worked out in terms of applying this concept to modern biometrics programs. Because of the method of data collection and use, information from fuzzy extractors cannot be used to reconstruct a fingerprint or trace a user (for more on these principles, see fuzzy logic.) Wang said the JMU team is dedicated to pursuing solutions for the remaining barriers to making fuzzy extractors a part of more functional biometrics applications.
Potential and Problems
Because biometrics is such a rapidly advancing IT field, and because it offers so many potential applications, you can expect to see much more of this kind of new design in future years. With any luck, tomorrow’s devices and sign-ons will give us an easy biometric security feature to use. After all, there must be something between the password problems we face now, and the privacy issues posed by some biometric identification techniques.