Ditch The Password: Your Fingerprint Is About To Control Your Life
By Chris Fruitrich
Biometrics—the use of unique human characteristics to identify an individual—and the Internet of Things are each furiously speeding toward the future, though not necessarily in lock step.
If the two have one trait in common it is convenience.
The global biometrics technology market is expected to grow significantly in the next seven years—to more than $24 billion by 2020—as biometric data works its way into our every day lives, according to Grand View Research. And so we can all plan to live euphoric, secure lives with our linked-in things and our fingerprints or whatever marker we desire, right?
Well, not so much.
But let's back up. There are some concepts we need to grasp as we lurch ahead into a largely unmapped future.
Just what is biometrics?
As noted above, biometrics uses our own built-in body parts to identify us. In most cases the actual marker (fingerprint, etc.) is not stored but its characteristics are held as a vector image. Some of the markers that can be scanned into a device's memory and used to verify the device's user include:
Fingerprints: This identifier has been around for decades. Our fingerprints do not change from birth to death and their use by law enforcement has advanced the science greatly. Many smart phones and computers have had fingerprint identification built into their operating systems for years.
Iris or retina scan: Like fingerprints, our eye muscles and network of blood vessels are unique to each individual. Eye-scan technology has come a long way from the early secret agent movies where the user had to push his/her eye against a socket in the wall. Today accurate eye scans can be done from up to 90 feet away. Details from the FBI.
Facial recognition: In the best of circumstances, facial recognition is able to look at a face and record its nuances such as distance between the eyes, shape of the cheekbones and width of the nose. Taken together, these elements sketch a unique portrait of each individual. See explanation here.
Auditory verification: Our voices also can be used to identify us. Speech authentication is not the same as speech recognition. The former uses a "voice print" created for the use of secure authentication while the latter simply allows a device to understand its user's commands – think Cortana or Siri.
Vascular imaging: The array of our veins also provides a unique identifier. Scans of the palm or fingers are typical uses of vascular imaging for security purposes. (Details here.)
The list continues with the shape of ears, lip prints, footprints, odor, sweat pores and DNA. Few, if any however, are likely to become part of everyday security authentication.
Behavior can also be used to identify us. Gait (how we walk), our signature (handwriting), or even the way we type on a computer keyboard is unique to each one of us.
These unique characteristics are scanned into a computer and stored as a master reference for later comparison to anyone claiming to be the source, just as one would scan and store a photograph, for later comparison to the person depicted in the photograph. For instance, a fingerprint scan would record all the loops, whorls and arches—even in 3D in some instances—and software would then compare the tiny details of the fingerprint scan to those of any finger presented for authentication.
Your iris has unique identifying marks, similar to a fingerprint, and is some cases is being at military checkpoints.
Where will we see biometrics in the IoT?
Biometrics are already in use for laptops and smart phones but the promise is for much more.
Many of the largest IoT players—Microsoft, Google, Samsung and Apple—are already offering biometric authentication as a feature in some products, and are working on more that will extend even further into our households and businesses.
The Amazon Echo and Alexa heeds voice commands to deliver music, answer questions, control lights or thermostats and tell you what new tasks it can perform if you ask it. The ASUS Zenbot and Google Home also use voice-based user input. Similar products from other companies are in the works.
In the not-terribly-distant future you may stand in the middle of your living room, gain access to your home-control system via voice authentication, allowing you to set up lighting, heating/cooling, entertainment and security systems with just a few verbal commands.
Do biometrics assure security?
In two words, yes and no.
To be sure fingerprints or eye scans cannot be duplicated as easily as username/password combinations. They cannot be found written on a sticky note or caught up in your cache.
"There is other information associated with the biometric marker that is stored somewhere in the root of the computer," says Erik Berg, a long-time law enforcement and Defense Department consultant in biometrics. Thus, hackers can build an application that can find where the biometric information is stored and get in that way. When that data is linked to biographic or behavioral data the computer becomes vulnerable to hackers.
One also must consider the fact that fingerprints and faces can be reproduced by determined thieves. Marc Goodman writes in his book Future Crimes: Everything is Connected, Everyone is Vulnerable and What We Can Do About It that decent fingerprint replicas can be made with gelatin or even Play-Doh and these have fooled authentication scanners up to 90% of the time. The good news is that newer technology is expected to render this kind of hack more difficult.
However, the security situation actually can get very serious with biometrics. With the old username/password paradigm, a stolen credit card or password can be reversed by simply changing the password or replacing the card. If your fingerprint is stolen, you can't get new one so your identity will be out there in someone else's hands forever (no pun intended).
By way of example, my gym uses fingerprint authentication and so do several of the nation's hospital systems. If my print becomes someone else's property, that thief becomes me with all the privileges I enjoy. The financial ramifications would be even more dire.
On the plus side, biometrics using behavioral markers may someday help us avoid Internet scammers entirely. NuData is working on a program that will recognize suspicious online behaviors and warn users to block the applications where possible.
Who has your fingerprint?
Besides my gym, your employer may have those details. Also your medical provider and even Universal Studios Hollywood which now collects finger scans for some ticket holder when they enter the park.
Not a surprise, the FBI collected biometric data as well—and wants the millions of records it holds under lock and key. That may sound great, but the agency actually doesn't even want people to know if it's their own fingerprints, palm prints, facial scans or DNA in the FBI's database. And it's not just criminals who get the honor of having their details held by the FBI. While the system holds nearly 71 million criminal records, according to the FBI's own data, there are also more than 38 million civil records: these can include fingerprints taken for an employer's background check.
A proposal made by the FBI in May, to allow the agency to keep secret what biometric data it has—and on whom—has been met by dozens of groups who penned a letter in June protesting the potential decision including the American Library Association, Amnesty International USA and the Electronic Frontier Foundation.
You may run your thermostat, home security system, sprinklers and even your TV through your fingerprint or retinal scan.
So, what's next?
On the business side, as the competition for biometric business ramps up, and more devices—and companies—use these identifying markers for security, a big piece of the industry puzzle may be missing.
Consultant Berg says one of the big challenges for the industry is a similar one facing smart home products today—finding a way to standardize biometric devices so they can work together.
"We are really in the (biometrics) infancy," Berg says. "And nobody is making any serious effort to coordinate devices."
Berg says it's easy to understand that competitors are unwilling to share their technology with each other. However, they may be shortchanging the consumer if they don't.
According to Berg, biometric security could be ubiquitous across all platforms if a cloud-based third party held the authentication information and served it up when requested. In that case, Google Home, for example, would have to give up information on one of its clients so that person could access an Apple device.
Berg takes it one step further to point out that if neighbor A had a burglary and caught a photo of the thief on a security camera, that image could be spread throughout the neighborhood or city and perhaps someone else's smart doorbell application would spot him or her on its facial recognition software.
While the federal government is working to establish biometric standards for its own use, at the consumer level, biometrics are, if not in their infancy, then certainly in the toddler stage. Our finger, iris and palm prints still don't run our lives. But like every other technology, it's coming like the proverbial freight train to a household near you.
Keep that fingerprint handy.