
Communications of the ACM

ACM News

A Touch of Security


Biometrics are automated methods of identifying a person, or verifying a person's identity, based on a physiological or behavioral characteristic.

Apple's newest iPhone model features a fingerprint sensor, which could indicate the start of a trend towards greater use of biometric technologies.

Credit: Dakota State University

When Apple introduced the latest model of its iPhone in September, perhaps the most buzz-worthy new feature was a fingerprint sensor, giving users an alternative to unlocking their phones with a passcode. So is Apple—which successfully popularized the smartphone, the tablet, and the digital music player—about to bring biometrics into the mainstream?

This certainly could be the beginning of a trend. Michael Barrett, president of the Fast Identity Online (FIDO) Alliance, recently told USA Today he expects to see fingerprint sensors on Android phones within the next six months. The FIDO Alliance is an industry group developing a standard for the use of biometrics in devices, and Android owner Google signed onto the organization in May, joining companies such as Lenovo and PayPal.

One Android-based phone, Pantech’s Vega-LTE-A, available in South Korea, already has a fingerprint reader. In October, the Korean mobile payment company Danal and fingerprint scanner maker CrucialTek launched an app to allow the phone’s users to make payments based on their fingerprints.

Last year, the U.S. National Institute of Standards and Technology published a standard that would allow devices such as PCs and smartphones to access biometric scanners over the Web.

Arun Ross, associate professor of computer science at Michigan State University, says it makes sense that biometrics might find their way into popular use on mobile phones, which now provide access to email, social media accounts, bank accounts, and other potentially sensitive information. "It’s becoming quite clear that PINs and passwords can no longer be a viable standalone solution," Ross says. "It’s too much of a risk."

The most secure approach, he says, is to use passwords and biometrics together. "You can’t rely on a single modality."

Even biometric approaches, though, are vulnerable to attack. Two days after the iPhone’s release, the German hacker group Computer Chaos Club claimed it had managed to fool the fingerprint sensor. The club’s approach was somewhat complicated, however, requiring a high-quality fingerprint, a high-resolution camera, a laser printer, and glue.

Android’s software, which uses facial recognition to unlock a phone, has also been fooled by photographs of the user.

At the same time, biometrics experts are aware of such potential vulnerabilities and have come up with countermeasures. "These attacks are possible and realistic," Ross says. "Researchers have developed methods to detect these attacks and alert the system to them."

For instance, an algorithm might look for patterns of perspiration to decide whether it was dealing with a living finger, or measure textural patterns to distinguish between an actual face and a photograph of a face. Google recently patented a system that enhances facial recognition by requiring that it be accompanied by some sort of facial gesture, such as a wink. Software might also notice "replay" attacks, in which it sees an identical biometric image every time; in the real world, there should be some variation each time a person tries to access the system, because a finger is placed a little differently or the lighting on a face varies.
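The replay check described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor it mentions; the feature vectors, the Euclidean distance measure, and both thresholds are constructed assumptions.

```python
import hashlib
import math

# Assumed thresholds for illustration; real matchers use their own score scales.
MATCH_THRESHOLD = 0.35  # max distance from the enrolled template to count as a match
REPLAY_FLOOR = 0.01     # genuine re-captures are assumed never to land this close

class ReplayAwareVerifier:
    """Accepts samples near the enrolled template, but flags samples that are
    identical (or nearly identical) to one already seen as replays."""

    def __init__(self, enrolled):
        self.enrolled = list(enrolled)
        self.earlier = [self.enrolled]  # enrolled template plus accepted captures
        self.seen_digests = set()       # digests of every capture ever submitted

    @staticmethod
    def _digest(sample):
        raw = ",".join(f"{v:.6f}" for v in sample).encode()
        return hashlib.sha256(raw).hexdigest()

    def verify(self, sample):
        digest = self._digest(sample)
        if digest in self.seen_digests:
            return "replay"             # bit-identical capture seen before
        self.seen_digests.add(digest)
        if any(math.dist(sample, prev) < REPLAY_FLOOR for prev in self.earlier):
            return "replay"             # too little natural variation
        if math.dist(sample, self.enrolled) > MATCH_THRESHOLD:
            return "reject"             # not the enrolled user
        self.earlier.append(list(sample))
        return "accept"

def run_demo():
    # Constructed sample data: four-element feature vectors.
    verifier = ReplayAwareVerifier([0.12, 0.80, 0.45, 0.33])
    first = [0.14, 0.78, 0.47, 0.31]
    attempts = [
        first,                             # genuine capture
        [0.10, 0.83, 0.44, 0.35],          # genuine, placed a little differently
        first,                             # exact copy of an earlier capture
        [0.1401, 0.7801, 0.4699, 0.31],    # earlier capture with trivial noise
        [0.90, 0.10, 0.70, 0.95],          # different person
    ]
    return [verifier.verify(a) for a in attempts]

if __name__ == "__main__":
    print(run_demo())
```
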

Hardware solutions are also possible. A pulse oximeter, a medical device that monitors the oxygen saturation of a patient's blood and changes in blood volume in the skin, for instance, could tell whether a fingerprint was attached to a living finger. However, adding hardware adds costs, which might be acceptable for secure access to a facility, but perhaps not for a smartphone.

James Wayman, a research administrator at San Jose State University and former director of the school’s Biometric Identification Research Program, is skeptical about whether biometrics will be adopted for consumer use, mostly because it hasn’t already been. "It’s been around for 50 years, and people haven’t taken it up," he says. "Something’s wrong with the concept, I would think, or people would have taken it up by now."

One problem is that a given biometrics approach may not work for all users. It has been established, for instance, that the quality of fingerprints changes over a person’s lifetime; aging reduces the amount of collagen in the skin, leaving it loose and dry, so a fingerprint reader may not work for some people. A bank that used fingerprint scanners for access to its ATMs couldn’t tolerate a 1-percent failure rate, Wayman argues; even if it works for 99 percent of customers, "for that one guy in 100, this is a 100-percent failure."

There’s also a question of how valuable the technology is; a British bank, Nationwide Building Society, introduced iris scanners at its ATMs back in 1998, but soon discontinued their use. Although customers said in surveys they were happy with the scanners, the bank decided the cost of the system outweighed any benefits.

Companies continue to pursue biometrics as a means of accessing personal devices and accounts. For instance, Bionym, of Toronto, Canada, is developing a wrist band that identifies a user by his heartbeat, and transmits a signal to unlock computers, phones, or whatever else the user wants access to. Ross calls that "very cool," but cautions that it’s not yet known how well heartbeat identification works.

Another approach, popular in Japan, is vasculature pattern recognition, in which near-infrared light is used to take an image of the veins.

Ross says while face, voice, iris, and fingerprint detection have all been tested for years, with peer-reviewed literature spelling out how well they work and how they can fail, there’s been less vetting of such other techniques. "No security measure is foolproof," Ross says. "The question is, do we understand the limitations and the strengths of a biometric modality?"

Wayman thinks biometrics are most successful when applied to the right situations. "Let’s get away from biometrics for access control, where PINs and passwords work fine," he says.

The Unique Identification Authority of India, for instance, has introduced fingerprint scanning to provide citizens with their own Unique Identification Numbers to be used when accessing public benefits, in an effort to reduce losses due to corruption. Passwords wouldn’t accomplish the goal, because they could be stolen or traded. Similarly, Disney’s theme parks have long scanned customers’ fingers to verify that the user of a pass is the person who bought it.

Also, last year in South Africa, MasterCard started issuing debit cards that store fingerprint and other personal data to recipients of state benefits. The South African Social Security Agency estimated that the cards would reduce fraud and cut operating costs by $375 million over five years. MasterCard, which Wayman says first explored biometrics several years ago, also joined the FIDO Alliance just this month.

The use of biometrics to access consumer devices may yet take off. Whether the iPhone tips the scales will depend on how well it works for Apple’s customers, says Ross. "There’s never been a great example of consumer electronics and biometrics," he says. "We have to have one very strong success story, and until that happens, we will be waiting."

Though skeptical, Wayman agrees that it just might work. "Just putting the name ‘Apple’ on something could make what was not previously attractive, attractive," he says. "Maybe it really does change things."

Neil Savage is a science and technology writer based in Lowell, MA.


 
