Beyond security: the future of biometrics is behaviour

Bio­met­ric iden­ti­ty ver­i­fi­ca­tion is not new. We all know, of course, that fin­ger­prints were used as far back as the ear­ly 20^th Cen­tu­ry by police as a way of iden­ti­fy­ing crim­i­nal sus­pects. Unique to each indi­vid­ual, even twins, fin­ger­prints are still wide­ly used by the police today. How­ev­er, the mod­ern move­ment in bio­met­ric iden­ti­fi­ca­tion owes thanks to the progress made in both com­put­er pro­cess­ing pow­er and AI over the past decade.

Today, the algo­rithms used are pow­er­ful enough to process bio­met­ric data on a nation­al or even inter­na­tion­al lev­el. To give an idea of scale, the EU is cur­rent­ly using a fin­ger­print archive sys­tem to track migrants across Europe ¹, and India is even run­ning a scheme to col­lect bio­met­ric data for their nation­wide cen­sus ² – a first for a coun­try with a pop­u­la­tion of over 1 bil­lion people.

Whilst bio­met­ric data can (and is) being used for gath­er­ing pop­u­la­tion met­rics, their main appli­ca­tion remains secu­ri­ty. An ini­tial game-chang­er for this type of soft­ware was the abil­i­ty to dig­i­talise fin­ger­prints. Putting them onto a com­put­er sys­tem is one thing, but there are also fac­tors involv­ing how the pro­gramme uses that infor­ma­tion. That is to say, the capac­i­ty to both search and make pre­dic­tions capa­ble of match­ing up fin­ger­print data from those archives.

The cur­rent trend towards wide­spread use of bio­met­rics has been dri­ven by web giants like Face­book, Google and Microsoft. They see this type of iden­ti­fi­ca­tion sys­tem as a poten­tial mar­ket; espe­cial­ly since they are the only enti­ties with the nec­es­sary resources to sup­port the enor­mous data­bas­es required. Our small lab­o­ra­to­ries can­not deal with that side, so we work on the reli­a­bil­i­ty and secu­ri­ty of the sys­tems – leav­ing big oper­a­tional aspects to the giants!

Seek­ing this mar­ket has dri­ven the new uses of bio­met­rics we have seen take hold, such as fin­ger­print or face iden­ti­fi­ca­tion in smart­phones and oth­er per­son­al devices. It should be said that the stakes here are less dras­tic, though. In a crim­i­nal inves­ti­ga­tion fin­ger­prints can play a deci­sive role in charg­ing a per­son with a crime; a mur­der con­vic­tion is a life sen­tence in prison. Where­as an attack­er get­ting into a tele­phone could – at worst – result in the loss of sen­si­tive data. So, in that way qual­i­ty required for day-to-day use is less strict than those use for crim­i­nal investigations.

Fur­ther­more, a new sec­tor has opened up, which we are research­ing at Tele­com Sud­Paris (a top French engi­neer­ing school) cov­er­ing behav­iour­al bio­met­rics. As such, devices could be used to iden­ti­fy a per­son based on the way they walk or type on a com­put­er key­board. Here, the ben­e­fits are more about per­son­al­i­sa­tion of envi­ron­ment than secu­ri­ty. Imag­ine a detec­tion sys­tem in a home, which recog­nis­es the way a per­son walks, using sen­sors under the car­pet; that in turn relays those details to an auto­mat­ed sys­tem linked to tem­per­a­ture or light­ing set­tings set to per­son­al pref­er­ences etc. We are also see­ing this type of tech for health­care set­tings, focused on well-being of elder­ly or dis­abled peo­ple to improve com­fort or safety. 

In par­tic­u­lar, the smart­phone sec­tor pushed fin­ger­print detec­tion through so as to pro­vide a sol­id secu­ri­ty iden­ti­fi­ca­tion sys­tem for online bank­ing. Since bio­met­rics are most­ly unfal­si­fi­able – with­out steal­ing your face, fin­ger­print or voice – they are much more secure for bank trans­ac­tions than a pass­word or pin num­ber, which can rel­a­tive­ly eas­i­ly be stolen or dis­cov­ered. Also, a per­son takes their bio­met­ric infor­ma­tion around them wher­ev­er they go.

Fol­low­ing Sep­tem­ber 11^th, there was a real boost in devel­op­ment of bio­met­ric secu­ri­ty in light of the ter­ror­ist attacks because they were thought to be infal­li­ble iden­ti­fi­ca­tion meth­ods. In real­i­ty, cer­tain sys­tems tech­ni­cal­ly can be spoofed. An intrud­er can steal fin­ger­prints from a sur­face in a home/office or recon­struct a face based on images found online. But these things would involve the vic­tim being specif­i­cal­ly tar­get­ed rather than mass cyber-attacks by hack­ers involv­ing per­son­al data breach­es of thou­sands of peo­ple at a time.

As such, this can be coun­ter­act­ed by a dou­ble-ver­i­fi­ca­tion sys­tem. Hence, why many sys­tems use both fin­ger­prints and pin code. Now we can add oth­er per­son­al traits such as face, eyes or voice, to name a few. There are a great num­ber of pos­si­bil­i­ties of col­lect­ing oth­er phys­i­o­log­i­cal traits: face, iris, voice, lip move­ments… They are more or less reli­able, but that’s not nec­es­sar­i­ly the deter­min­ing fac­tor. Rather it is the acqui­si­tion of the data which can require the most effort. Iris detec­tion, which is one of my areas of exper­tise for exam­ple, relies on a spe­cial camera.

A big chal­lenge in the field is reas­sur­ing the gen­er­al pop­u­la­tion of the safe­ty of bio­met­ric data. The issue of per­son­al data is not treat­ed the same way depend­ing on where you are in the world. In Chi­na, the State keeps DNA records of each cit­i­zen from birth. The USA is more relaxed than Europe, too. Where­as in France, the idea of a bio­met­ric iden­ti­ty card [every cit­i­zen has one] comes back on the table again and again – but the French pop­u­la­tion have great dif­fi­cul­ty accept­ing it so it has been refused every time.

To deal with issues around accept­abil­i­ty, it would help to offer an expla­na­tion about how bio­met­rics real­ly works. If you com­pare fin­ger­prints with DNA, it’s not the same type of infor­ma­tion. Your DNA can be used to learn things about you – pre­dis­po­si­tion to dis­eases or ori­gins, for exam­ple. Where­as your fin­ger­print is just a unique iden­ti­fy­ing fac­tor that doesn’t car­ry any spe­cif­ic infor­ma­tion about you in itself.