
Beyond security: the future of biometrics is behaviour

Bernadette Dorizzi, Emeritus Professor at Télécom SudParis

Biometric identity verification is not new. We all know, of course, that fingerprints were used as far back as the early 20th century by police as a way of identifying criminal suspects. Unique to each individual, even twins, fingerprints are still widely used by the police today. However, the modern movement in biometric identification owes much to the progress made in both computer processing power and AI over the past decade.

Today, the algorithms used are powerful enough to process biometric data on a national or even international level. To give an idea of scale, the EU is currently using a fingerprint archive system to track migrants across Europe [1], and India is even running a scheme to collect biometric data for its nationwide census [2] – a first for a country with a population of over 1 billion people.

Security purposes

Whilst biometric data can be (and are being) used for gathering population metrics, their main application remains security. An initial game-changer for this type of software was the ability to digitise fingerprints. Putting them onto a computer system is one thing, but there are also factors involving how the programme uses that information: that is to say, its capacity to both search those archives and make predictions capable of matching up fingerprint data from them.

The current trend towards widespread use of biometrics has been driven by web giants like Facebook, Google and Microsoft. They see this type of identification system as a potential market, especially since they are the only entities with the necessary resources to support the enormous databases required. Our small laboratories cannot deal with that side, so we work on the reliability and security of the systems – leaving big operational aspects to the giants!

Seeking this market has driven the new uses of biometrics we have seen take hold, such as fingerprint or face identification in smartphones and other personal devices. It should be said that the stakes here are less drastic, though. In a criminal investigation, fingerprints can play a decisive role in charging a person with a crime; a murder conviction is a life sentence in prison. Whereas an attacker getting into a telephone could – at worst – result in the loss of sensitive data. So, in that way, the quality required for day-to-day use is less strict than that required for criminal investigations.

Furthermore, a new sector has opened up, which we are researching at Télécom SudParis (a top French engineering school), covering behavioural biometrics. As such, devices could be used to identify a person based on the way they walk or type on a computer keyboard. Here, the benefits are more about personalisation of the environment than security. Imagine a detection system in a home which recognises the way a person walks, using sensors under the carpet, and in turn relays those details to an automated system linked to temperature or lighting settings set to personal preferences, etc. We are also seeing this type of tech in healthcare settings, focused on the well-being of elderly or disabled people to improve comfort or safety.

Double-factor identification

In particular, the smartphone sector pushed fingerprint detection through so as to provide a solid security identification system for online banking. Since biometrics are mostly unfalsifiable – without stealing your face, fingerprint or voice – they are much more secure for bank transactions than a password or PIN, which can relatively easily be stolen or discovered. Also, a person takes their biometric information with them wherever they go.

Following September 11th, there was a real boost in the development of biometric security in light of the terrorist attacks, because biometrics were thought to be infallible identification methods. In reality, certain systems technically can be spoofed. An intruder can steal fingerprints from a surface in a home/office or reconstruct a face based on images found online. But these things would involve the victim being specifically targeted rather than mass cyber-attacks by hackers involving personal data breaches of thousands of people at a time.

As such, this can be counteracted by a double-verification system, which is why many systems use both fingerprints and a PIN code. Now we can add other personal traits such as face, eyes or voice, to name a few. There are a great number of possibilities for collecting other physiological traits: face, iris, voice, lip movements… They are more or less reliable, but that's not necessarily the determining factor. Rather, it is the acquisition of the data which can require the most effort. Iris detection, which is one of my areas of expertise, for example, relies on a special camera.

The problem of acceptability

A big challenge in the field is reassuring the general population of the safety of biometric data. The issue of personal data is not treated the same way depending on where you are in the world. In China, the State keeps DNA records of each citizen from birth. The USA is more relaxed than Europe, too. Whereas in France, the idea of a biometric identity card [every citizen has one] comes back on the table again and again – but the French population has great difficulty accepting it, so it has been refused every time.

To deal with issues around acceptability, it would help to offer an explanation of how biometrics really works. If you compare fingerprints with DNA, it's not the same type of information. Your DNA can be used to learn things about you – predisposition to diseases or origins, for example. Whereas your fingerprint is just a unique identifying factor that doesn't carry any specific information about you in itself.

[1] https://ec.europa.eu/home-affairs/what-we-do/policies/asylum/identification-of-applicants_en
[2] https://economictimes.indiatimes.com

Contributors

Bernadette Dorizzi
Emeritus Professor at Télécom SudParis

A graduate of the Ecole Normale Supérieure, Bernadette Dorizzi obtained the agrégation in mathematics in 1978 and her state thesis in theoretical physics at the University of Orsay (Paris XI-France) in 1983, on the study of the integrability of dynamic systems. In the field of pattern recognition and machine learning, she is a specialist in biometrics and has coordinated the European network of excellence BioSecure (Biometrics for Secure Authentication). Her research has been published in more than 230 international journals and she has supervised more than 20 PhDs. Bernadette Dorizzi was Director of the Electronics and Physics Department and then Director of Research and Doctoral Training at Télécom Sud.