Everyone needs security. It may not count as a basic human need, but a sense of security is an essential element and even animals need it. We need security for ourselves and our physical belongings, as well as digital security for our information. Unfortunately, security is not a measurable property and it can also depend on your state of mind. You may not have the best home security system, yet still feel secure; the reverse is also true. However, we have to follow best practices when implementing security. We do many things to feel secure: we lock our doors, put passwords on online accounts, scan a fingerprint or face to lock smartphones, etc.
The security measures we take can be largely divided into two major categories: traditional security and biometric security. This article takes a comparative approach to discuss traditional and biometric approaches to security and tries to conclude which one can do a better job for you.
What is security?
Security is either the absence of, or resilience against, potential harm or unwanted change. Security often takes a specific context when discussed. There is emotional security as well as financial security, and it takes many more forms. However, our discussion will focus on physical and information security, two crucial realms of today’s era.
Physical security is a strategy to protect facilities, assets, resources and people from incidents or actions that may cause loss of or damage to these entities. Implementation of physical security makes use of several approaches and controls, depending on how critical the loss or damage would be. The objective of physical security is to stop or deter physical access to the beneficiaries. Examples include fencing, locks, security guards, security dogs, surveillance cameras, fingerprint access control, etc.
Information security, on the other hand, is a strategy to protect information with digital security. Physical security can be deployed to implement information security, for example locking the door of a server room or installing a biometric recognition system to protect network access. The beneficiary in information security is the information that is being protected.
Biometrics is a comparatively newer practice, which is being used to implement physical as well as information / digital security. It can lock / unlock your PC as well as the door of the facility it is kept in. Biometrics has evolved steadily but has taken over the world very quickly. Let’s take a brief look at the journey of biometrics so far.
History of biometrics
Human beings have a natural ability to recognize each other by distinguishing apparent physical and behavioural characteristics. Most animals do the same thing with smell. Facial characteristics, physical features, voice and many behavioural characteristics (e.g. gait, way of talking/behaving) can help us recognize an already familiar person.
When this ability is given to information technology powered devices, it is called biometrics. Biometric technology, however, goes beyond human ability and can make use of many more physical and behavioural characteristics to identify individuals. It can identify individuals by their fingerprints, iris patterns, gait, keystroke dynamics and many more characteristics that otherwise remain unidentifiable to the human eye.
Many associate the history of biometrics with its usage for personal identification in forensic applications. However, the history of biometrics is much older than that, as old as the Babylonian age. Babylonians recorded business transactions on clay tablets and used fingerprints of the involved parties for authenticity of the transaction as well as to prevent forgery. Biometrics makes use of technology to identify individuals, but the Babylonian age did not have any technological advantage. This part of history is more about fingerprinting than biometrics.
No systematic efforts for biometric identification took place until the mid to late 1800s. The need for “absolute identification” led law enforcement to biometrics. During the ending years of 18th century, early attempts like the Bertillon System took place, which used detailed measurement of physical characteristics and body parts to identify subjects. The Bertillon system was proposed by Alphonse Bertillon, a French police officer. This system, however, was later found to be undependable.
By the end of 18th century, law enforcement agencies were experimenting with different approaches to identification, looking for trustworthy identification of criminals that cannot be manipulated. Sir Francis Galton and Sir Edward Henry contributed to developing early classification systems for fingerprints in the 1890s. In 1891, Juan Vucetich, a law enforcement officer in Argentina, started cataloguing criminal fingerprints.
The use of iris patterns for personal identification was first proposed by Frank Burch in 1936. He was an ophthalmologist by profession. By the end of the 1960s, efforts to automate fingerprint and face recognition were underway with some success. In 1974, the first hand geometry system became commercially available. However, deployment of the first semi-automated facial recognition did not take place until 1988. In 1994, the patent for the first iris recognition algorithm was awarded to Dr. John Daugman.
In 2002, the ISO/IEC standards committee on biometrics was established to standardize the different aspects of the technology. The first decade of the 2000s saw early efforts at mobile biometrics, and a couple of manufacturers introduced mobile phones with fingerprint sensors. However, the true mobile biometrics breakthrough did not happen until 2013, when Apple introduced its mobile phone device with a fingerprint scanner. Later, mobile biometrics extensively leveraged iris, face and voice recognition for identity authentication, device security as well as convenience.
The introduction of biometrics on mobile devices has helped biometrics gain some level of ubiquity. After biometrics on mobile devices, face, voice and fingerprint biometrics are expected to become the norm in vehicles. Biometrics in automobiles will not only be a convenience feature but will also patch the loopholes of current vehicle security measures.
Static vs. behavioural biometrics
There are many human body and behavioural characteristics that can be utilized for personal identification and authentication. Some of these characteristics stay “static”, while others are behavioural in nature, which are only visible in movements of the subject. Static biometrics makes use of these static characteristics to identify individuals. Fingerprint, iris pattern, facial structure, etc. count as static biometrics as these characteristics are static.
On the contrary, behavioural biometrics makes use of behavioural patterns which are only visible during movements of an individual. Gait biometrics, signature dynamics, keystroke dynamics and even the way you use your touch screen mobile devices are some examples of behavioural biometrics.
Biometrics vs. passwords
Passwords, PINs, secret codes, etc. have been widely used for protecting digital information since the inception of modern computing. Be it your home PC, phone, online account, or mobile apps, PINs and passwords are already ubiquitous and they attained this ubiquity long ago. Even physical access control in many cases (e.g. door locks with a numeric code) has been implemented with PINs.
Passwords are great: an easy and straightforward way to implement information security. Implementing password security does not require any additional hardware and can be done entirely in code.
When people fell into the practice of using simple passwords for the sake of remembering them, developers pushed password policies to avoid the risk. This made passwords not only hard to crack but also hard to remember, adding more friction to an already rough authentication process.
Biometrics came to the rescue. It first proved its usefulness on mobile devices; now on PCs and even for cloud and web applications, biometrics is on its way to improving authentication and patching security loopholes. People can just touch the sensor or perform a quick face scan to unlock their device, log in to an app or even perform a financial transaction.
Biometric authentication security: What is stopping it?
Passwords are hanging on past their expiration date because biometrics still has many shortcomings to address. Security issues in biometric authentication are discussed in subsequent sections. This is not to say that biometric authentication security is inadequate. It can be as good as passwords, even better, but fraudsters always find a way to get around the systems, and completely replacing passwords with biometrics will happen gradually.
One of the major differences between biometric authentication security and password based security is that complexity is a matter of choice with passwords, while with biometrics, complexity is predetermined.
However, biometrics makes more sense in today’s fast paced connected world. We are about to enter the era of the Internet of Things and 5G, the fifth generation of cellular networks, and connected-everything is soon to become a reality. These connected systems, devices, appliances and vehicles will need to perform authentication and identification several times a day (we are already doing it on mobile devices). In such an environment, will you be trying to recall your password before starting your internet car’s engine?
What would you do if being in a continuously authenticated state is a necessity? In such a connected and fast paced world, your unique physiological and behavioural characteristics will be enough to prove your identity. Identity authentication will become completely frictionless, where you will not have to spend even a second. Frictionless continuous authentication with biometrics is already a reality in mobile apps, and it is expected to expand even further to IoT and more.
Biometrics is now being considered the future of authentication, and IoT systems are knocking at the door. The day is not far off when your car and even your refrigerator will be able to identify you as you hold the handle to open the door.
Problems with biometrics security
No security system can be 100 percent secure. Technology based systems can be vulnerable to flaws and loopholes as people keep coming up with new methods to circumvent their security. On the other hand, digital security systems update more rapidly. For example, a system software update can fix a few vulnerabilities but can also introduce new ones, and biometric authentication security systems are no exception.
Human dignity and social issues
In traditional personal identification applications, say in an ID card based approach, the ID card can be distributed to everyone in the target population regardless of the condition of their physical or behavioural traits. But in the case of biometrics, not everyone in the target population may be fit for biometric identification, which will lead to discrimination and exclusion.
Biometrics perceives human beings as subjects of biometric data collection, which offends human dignity. Biometrics not only dehumanizes the person, it also infringes bodily integrity, leading to human indignity. Deploying biometric recognition can also lead to discrimination and exclusion.
Fingerprint recognition has been, and still is, used for forensic, law enforcement and criminal identification applications, making people suspicious of government biometric data collection campaigns such as voter registration or biometric national ID.
Mass surveillance and state sponsored tracking of citizens is another problem with biometric security. There are biometric recognition systems that can track you in public places with face and gait recognition techniques. Face recognition systems deployed for mass surveillance can identify a subject without his/her knowledge, which infringes privacy. Use of these systems by the government for mass surveillance is a concern often raised by privacy advocates. However, governments keep on tracking people in the name of security.
Biometrics severely infringes privacy. It is far more complicated than tracking your online activity or placing cookies on your phone or computer. Business organizations have already been collecting biometric data of their users, and the fate of this data remains uncertain without strong biometric privacy laws.
Biometrics is a technology based identification and authentication approach, which may require several other systems to work together to stay operational. Despite all technological advancement, downtimes and system failures are still a reality.
Standalone systems (like employee identification systems) can work without this dependence. However, large scale identification and portable scanners like police scanners depend on a lot of other systems, such as cellular connectivity, backend servers, database servers and many more, being up and running. Any system or sub-system going down will make it impossible to perform biometric identification or authentication.
Today’s biometric systems are faster, better and more efficient than ever. They are more tolerant of environmental conditions as well as user behaviour, but they are still not perfect. They have their own set of shortcomings, which may get in the way when you least expect them. Cases of false positives and false negatives (FAR and FRR) on today’s biometric systems are lower than ever, but they are still not zero.
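The trade-off behind those two error rates, as an added example that is not part of the original article: a matcher accepts a user when the similarity score reaches a threshold, and moving that threshold lowers one error rate only by raising the other. The scores, thresholds and function names below are constructed for illustration and do not come from any real biometric system.

```python
# Constructed similarity scores (0..1) from a hypothetical matcher; not real data.
GENUINE = [0.91, 0.84, 0.78, 0.95, 0.66, 0.88, 0.73, 0.59, 0.97, 0.81]   # right person
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.55, 0.18, 0.41, 0.70]  # wrong person
THRESHOLDS = [0.50, 0.55, 0.60, 0.65, 0.70, 0.75, 0.80]


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: share of impostor attempts scoring at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: share of genuine attempts scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(thresholds):
    """Return (threshold, FAR, FRR) for every candidate threshold."""
    return [(t, far(t), frr(t)) for t in thresholds]


def equal_error_point(thresholds):
    """Candidate threshold where FAR and FRR are closest (approximate equal error rate)."""
    return min(sweep(thresholds), key=lambda row: abs(row[1] - row[2]))


def threshold_for_far(max_far, thresholds):
    """Lowest candidate threshold whose FAR does not exceed max_far, or None."""
    for row in sweep(sorted(thresholds)):
        if row[1] <= max_far:
            return row
    return None


if __name__ == "__main__":
    for t, fa, fr in sweep(THRESHOLDS):
        print(f"threshold={t:.2f}  FAR={fa:.0%}  FRR={fr:.0%}")
    print("closest to equal error:", equal_error_point(THRESHOLDS))
    print("strict setting (FAR = 0):", threshold_for_far(0.0, THRESHOLDS))
```

On this constructed data, eliminating false acceptances entirely means rejecting 30 percent of legitimate attempts, which is why deployed systems tune the threshold to the application rather than aiming for zero on either rate.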
Not all individuals in the target population may have their biometric identifiers in usable condition. For example, a distorted voice, fingerprints worn off due to heavy work, or facial deformity may lead to failure in enrollment. In this case, the use of multi-modal biometric approaches can help.
Your old school physical lock can get wet, take abuse and still function perfectly, but that is not the case with most biometric systems. Biometric systems can be delicate and may not be ready to be deployed in harsh environments; a little improper handling can adversely affect their performance and can even leave them unusable. For example, a few scratches on your fingerprint door lock sensor surface can make you look for your backup key.
Security issues in biometric authentication
It is important to remember that absolute security does not exist. Given funding, will, and the proper technology, nearly any security system can be compromised and biometrics is not an exception.
Biometric systems are based on technology and, like other IT systems, they are a combination of hardware and software. Programs and algorithms used in a biometric system may not be perfect and can have unfound or unidentified vulnerabilities. On the other hand, these systems keep evolving and coming out in newer versions. New versions and updates may have bugs and vulnerabilities which can be exploited by a potential intruder with technical knowledge of the system.
Spoofing or imposter attacks are one of the issues in biometric authentication security that are not found in password based systems. Password based systems can be attacked with password guesses (like brute force attacks), but there is nothing like attacking the system with a replica.
This issue is specific to biometric authentication security. An unauthorized individual may try to bypass the biometric authentication security by presenting an image or replica of the biometric characteristics of an authorized individual. For example, a fingerprint pattern of an authorized user engraved on a flexible material (like silicone, latex, etc.) presented to a biometric authentication system is a spoof attack.
Unalterable nature of biometric identifiers
Unlike passwords, IDs or any possession or knowledge based identification or authentication factors, which can be reset or reissued if compromised, biometric identifiers cannot be changed. Biometric identifiers are stored in a secured, encrypted digital format in most biometric security systems, but in a world where hackers keep looking for system vulnerabilities, nothing can be certain.
Permanence is considered to be a feature of a biometric identifier. The longer a biometric feature can persist, the better it is. A biometric feature has to be unalterable so that a subject whose identity has been established cannot alter it. However, this unalterable nature of biometric identifiers becomes a problem if your biometrics are compromised or stolen.
Traditional ways of implementing physical as well as information security have been doing their job for a very long time. They are proven methods, which have been deployed in all sorts of applications. Traditional ways of implementing physical and information security are largely based on possession or knowledge based authentication factors. However, they now seem overstrained when trying to match today’s expectations of authentication and security.
Owing to its efficiency and speed, biometric authentication security is being seen as a potential solution to the many shortcomings associated with traditional security.
Biometric security patches many loopholes of traditional security but also introduces its own unique flaws, such as spoofing. Be it traditional or biometric, no security can be perfect. However, in today’s fast paced digital era, biometric security makes more sense.