acm-header
Sign In

Communications of the ACM

ACM News

The New Face of Biometrics


View as: Print Mobile App Share:
Iris scans have been in use for decades.

Biometric technologies are maturing, and their adoption is accelerating.

Credit: iStock

Over the years, governments, businesses and others have used a variety of methods to authenticate people and keep files, systems, and data secure. In the physical world, the list of these measures includes signatures, fingerprints, and physical tokens such as passports and tickets. In the digital world, verification typically involves usernames, passwords, and personal identification numbers (PINs).

It is increasingly apparent these methods are now woefully inadequate. As databases and records swell, breaches proliferate, cybercrime soars, and security and privacy concerns escalate, there is a growing focus on biometric technologies. Although the field is not new—digital fingerprints, iris scans, voiceprints, facial recognition, and other methods have been around for decades —the technology is maturing and adoption is suddenly accelerating.

"There is a growing recognition that we need more sophisticated authentication," states Anil Jain, University Distinguished Professor at Michigan State's College of Engineering. Already, more than 100 countries have introduced digital passports that often rely on biometric authentication methods, such as fingerprints and facial recognition. Smartphone manufacturers have built fingerprint recognition into phones and tablets. Banks, retailers, and others are now tapping into biometric technology to authenticate users at ATMs and verify retail transactions.

Ontario, Canada-based market research firm Biometrics Research Group reports 650 million people were using biometrics on mobile devices by the end of 2015.

"We are seeing a proliferation of different biometric technologies," explains Stephen Elliott, director of the International Center for Biometric Research at Purdue University.

Beyond the Password

Today, it is clear that ink, paper, and passwords cannot handle the task of security. For one thing, "It's impossible for humans to manually match millions of fingerprints and other types of records as people initiate electronic transactions and cross international borders," Jain says. For another, passwords have devolved from a solution to a problem. A recent study conducted by security firm Gigya found that 25% of consumers have had an online account hacked in the past 12 months, and nearly seven in 10 give up when creating an account because password requirements are too vexing.

Enter biometric technologies, which use spatial data and statistical analysis to identify and validate a person. These systems may bypass the need for a password or replace them entirely. Elham Tabassi, an electronics engineer and biometrics specialist with the U.S. National Institute of Standards and Technology (NIST), points out that the technology has advanced to the point where errors are relatively rare. "Much progress has happened with the core algorithmic capability of recognition algorithms. Systems have become faster and more robust," he states.

Not surprisingly, smartphones have become a nexus point for the technology. For example, Apple's Touch ID, introduced in 2013, reads a fingerprint to unlock a phone or tablet, but also allows users to make purchases through apps and at physical stores via Apple Pay. In addition, financial institutions such as Bank of America and JPMorgan Chase are now testing Touch ID and other fingerprint biometric systems as a way to replace plastic cards and PINs at ATMs. Others, such as financial services firm USAA, allow customers to log in using facial recognition within the company's app.

Jain says the elegance of this approach is that the phone offers a high level of security. Banks, retailers, and others do not have to retrofit ATMs to accept fingerprints or other biometric technology. Elliott points out that smartphone-based biometrics essentially require no learning, training, or knowledge to use. Moreover, the system can fill in all necessary information for an online transaction and process the payment.

Biometrics Gets Real

Behavioral biometrics also promises to revolutionize the field. For example, Google's Project Abacus studies how a person moves, types, and speaks in order to generate a "trust score" that determines whether a password or secondary form of biometric authentication is required. At some point in the future, Jain believes phones and other devices will learn how we behave and validate a user, perhaps without the primary need for a fingerprint or face scan.

Yet, Jain also believes passwords will not disappear anytime soon. "They serve as a fallback mechanism if your fingers are wet or the biometric system doesn't work properly." And, naturally, biometric systems are not perfect, or without potential problems. For example, it is possible to trick systems using replica fingerprints. Recently, Jain unlocked a murder victim's Samsung Galaxy S6 phone using old fingerprints and a $500 high-definition printer.

This, in turn, represents a bigger problem. If someone steals raw biometric data, an individual cannot generate a new fingerprint or face; it is permanently compromised.

Jain adds that concerns about privacy and the unethical use of biometric data also exist. However, "If multi-factor biometric authentication or behavioral biometrics are used, the raw data may be useless alone," he says.

Concludes Elliott: "There is still research to do and the field is continuing to advance. But, from a security perspective, biometrics solves a lot of problems." 

Samuel Greengard is an author and journalist based in West Linn, OR.


 

No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account