Risk Factors Associated with Biometric Identification

Recently, a friend of mine returning from India looked impressed with the country’s centralized biometric verification system. “It is now incredibly easy to verify identity for many services you want to avail out there. I had a very tight schedule and needed a prepaid mobile phone SIM during my stay there.” He shared the trouble with his local associate “They just verified his fingerprint against government biometric database and SIM was activated instantly, which used to take 2-3 days. It was great, helped me stick to my schedule.”

Having been associated with biometrics for more than a decade, I knew what he meant. He is not the lone appreciator of this technology. Frequent flyers, who have seen transition of passenger identification process at the airports from traditional ID cards to biometrics, will tell you how fast, convenient and efficient this technology is. Once being stranded in queues waiting for their turn, passengers can now verify their identity instantly, print boarding passes on their own and can print baggage tags with self-service kiosks at biometric enabled airports. Not just at the airports, biometrics is making people skip lines wherever identity verification is a necessity. Biometric technology is changing the way people are identified. It has experienced incredible growth in the last decade across the globe, helping billions of people save time and businesses serve better.

Biometrics has taken over traditional identity practices in many areas. Many private outfits that have chosen to replace its identity and access practices with biometrics. Government organizations, national identity applications, banking and financial institutions and even in high security facilities, biometrics is now a proven way of identification and authentication. When people go through biometric identification for the first time, specially for the same purpose they have been using traditional identification methods, they cannot help but notice its competence. Biometrics might look flawless from a layman’s perspective but security experts know that like other systems, biometrics has its limitations. Biometric technology facilitates faster, efficient and reliable identification, however all these adjectives can be very subjective.

All systems have their shortcomings and biometric technology is not an expectation. There are risk factors associated with this technology which needs to be understood before deploying its applications. Future of identification can only be risk-free with biometrics only if it is taken responsibly in present.

Despite overwhelming rate of adoption of biometrics, it is yet to improve in many areas. Performance of biometric systems, immunity against spoofing attacks, and security of biometric data are major areas that need to be improved. Biometrics makes use of human anatomical or behavioral patterns; these patterns can be fabricated by criminals, and can be presented to a biometric system to bypass the security. Biometric systems should be robust enough to identify fake patterns and deny access. Risk factors associated with the use of biometric identification can also be dependent on the biometric modality employed. For example, gravity of risks with facial recognition may differ from risk presented by fingerprint biometrics.

Imposter attacks can pose a significant risk to a system/facility that employs biometric technology for logical or physical access. Imposter attacks try to exploit a biometric system’s limitations. Biometric systems have a very slight possibility of treating an imposter as an authorised user. This possibility is expressed with a biometric performance metric called FAR (False Acceptance Rate). Though biometric systems have minimal as possible FAR, however, it is never zero and always poses a risk of an imposter gaining access. This imposter attempt may be intentional to harm data or property. Since this risk is associated with performance of a biometric system, it can be mitigated with technological advancement. Lowering FAR value can also increase other biometric performance matric called FRR (False Rejection Rate), in which a biometric system denies access to an authorized user.

Biometrics is increasingly getting acceptance in banking, financial and other high value transaction. Spread of biometrics has attracted criminal minds as well, who keep looking for vulnerabilities to hack into a system and steal money. It has increased risk of spoofing, specially on older or low security biometric systems. Spoofing attack is carried out with a replica of an authorized user’s biometric identifiers. On fingerprint recognition systems, fingerprint replicas made out of silicone or other flexible material can be presented to bypass security. People leave their fingerprints behind on door handles, coffee mugs and basically on any surface they touch. These prints can be collected and misused by spoofers. High quality photographs can reveal iris pattern, which can again be collected and misused by imposters. Photographs themselves can be used to spoof a facial recognition system.

In more severe form of spoof attacks on face recognition systems, video clips or masks of an authorized user’s facial features can be used. Risk of spoofing is higher where monetary transactions are authenticated with biometrics. Money being involved, such transactions are always in risk of biometric spoof attacks. Current generation of biometric systems have enhanced protection against spoofing, however, criminals keep looking for ways to exploit systems and eventually all countermeasures fall short. This risk can be mitigated by identifying ways and patterns of spoof attacks and implementing technological countermeasures.

Risk involved with storage of biometric data is another critical issue with biometric identification. Increasing numbers of information security incidents compromise data of millions of users every year. Personal details, financial data, and even passwords are revealed in such attacks. In present scenario, efforts to avoid data security incidents seem like efforts to avoid the inevitable. Despite the fear of data security efforts falling short, they have to be carried out. Information systems containing a lot of biometric data of employees, customers or citizens are a potential target of cyber-criminals. Loss of biometric data can be disastrous. Unlike passwords, biometric identifiers of an individual cannot be changed if compromised. If cybercriminals are somehow able to generate pattern out of biometric templates, people can lose their biometric identity permanently.

Rise of mobile biometrics has also presented newer form of risks. Service providers are gradually integrating biometrics to authenticate user access for their services. Many banks and financial institutions around the world have integrated fingerprint or face recognition ability in their mobile banking apps. Biometric recognition technology used on mobile devices offers sub-standard security than dedicated biometric systems. For example, fingerprint recognition on mobile devices uses partial fingerprint recognition algorithm. The sensor itself is so tiny that it cannot accommodate the whole fingertip. These risks with mobile biometrics can only be mitigated with continuous research and development.

Every system has its limitations and biometrics identification is not an exception. Despite the risk factors associated with biometric identification, it is undoubtedly the future of identification and authentication practices. Current risk factors like spoofing, false acceptance by biometric systems, security of biometric data, etc. are addressable with the improvements in underlying technology. It is not wise to put all your eggs in one bucket. Multi-factor authentication that includes biometrics as well as password can be a potential solution until all shortcomings of biometrics is addressed.

Technology has always proven to be a double edged sword. Tech enthusiasts advocate biometrics as the futuristic solution for personal identification, however risks associated with them cannot be ignored entirely. Restricted accesses to biometric data, multi-factor authentication and implementation of physical as well as cybersecurity measures for the security of biometric data, etc. are some of the countermeasures enterprises can employ to protect its assets as well as customers.