Biometric log on could be the answer to security threats

Imagine logging on to your eBay account with your fingerprint. Or perhaps accessing your Facebook account via an iris scan.

Secure: using a biometric scanner at George HW Bush Intercontinental Airport in Houston, Texas
Secure: using a biometric scanner at George HW Bush Intercontinental Airport in Houston, Texas

Imagine logging on to your eBay account with your fingerprint. Or perhaps accessing your Facebook account via an iris scan.

It might seem a bit much for the average computer user, but it may not be that far off if an initiative is successful.

The use of biometric data as an added security measure is just one of the solutions being proposed by a consortium of firms who have come together to form the Fast Identity Online (FIDO) Alliance.

Iris scan - one of the main biometric security methods. Photographs: Dave Einsel/Getty images and istockphoto
Iris scan - one of the main biometric security methods. Photographs: Dave Einsel/Getty images and istockphoto

Security is a contentious issue, particularly when it comes to biometrics. While everyone accepts the need for a certain level of security to protect a person and their property, biometric methods, which include everything from fingerprints to iris scanning, is often viewed with suspicion by the public at large.

READ MORE

Perhaps it is the thought of being watched by multiple cameras wherever you go, or the fear that sensitive data will be leaked by those who place a lesser value on privacy. But regardless of the perceptions, it seems that companies keen to keep private data away from prying eyes are turning to such methods of authentication to ensure that only authorised users can access the information.

The latest to look at such methods are online firms who are seeking to secure the private and personal information of their users. With scams like phishing refusing to die out, and users ignoring accepted best practice in favour of convenience when choosing passwords, additional methods of authentication are being sought.

PayPal is among the founding members of FIDO, which was formally established this month after being announced in July 2012, aiming to revolutionise online authentication. The group, which also includes organisations such as Infineon technologies, Agnitio and Lenovo, is hoping to eventually replace passwords used online with more secure authentication methods.

It is aiming to create an industry-supported open protocol based on agreed standards, and the founders are already developing the specification and FIDO-compliant products. Among the technologies supported will be fingerprint scanners, and voice and facial recognition.

Trusted platform modules, USB security tokens, near field communications and one time passwords are also among the other security options being considered by the alliance as a potential way to keep hackers out and information in.

“An open standard approach such as the FIDO alliance could help to improve biometric solutions which in the future could be used to improve security online or indeed in other systems,” says security consultant Brian Honan.

Humble password

PayPal and its cohorts are not the only companies to voice dissatisfaction with the humble password. Earlier this year, Google said it hoped to eventually do away with the humble password, saying it was no longer sufficient to keep users safe. It is working on a new form of authentication with a small USB key to replace it.

With FIDO, the companies are hoping it will become the industry norm, encouraging others to use it, add to it and to keep it open to future innovation.

“The internet – especially with recent rapid mobile and cloud expansion – exposes users and enterprises, more than ever before, to fraud. It’s critical to know who you’re dealing with on the internet,” said Michael Barrett, FIDO Alliance president and PayPal chief information security officer. “By giving users choice in the way they authenticate and taking an open-based approach to standards, we can make universal online authentication a reality.”

But biometrics isn’t only being considered for use by private sector companies. The technology has already found its way into everyday life, with biometric passports and visas to help with border management, and new technology being used to help with crowd control.

Accenture has been working in this area for some time. Its specialised unit has worked on large programmes such as the US visitor scheme, which includes taking the fingerprints of every traveller that crosses into the US. More recently it has been involved in its largest project to date, with India’s UID programme, which is giving a biometric ID to 1.2 billion people.

One of its innovations designed to help with managing crowds is a tool known as “face in the crowd”, which can identify faces from live videostreams and match them to a database containing thousands of images. It’s designed to match faces even under challenging lighting conditions, or from less than optimal angles, with shadows obscuring facial features for example.

At present anyone who has travelled through Heathrow Airport has seen some of this technology in action. The airport has automated passport control gates that require biometric passports to activate. The technology is set to roll out in Amsterdam soon, and it’s likely to pop up in a few more airports before long.

“That’s been quite interesting. There’s a bank of three gates in each terminal in Heathrow and more than seven million people have come through the gates since it went live,” explained Ger Daly, managing director of Accenture’s Defence Public Safety practice. “In Schiphol, they’re rolling out a much higher number of gates as part of a next generation solution.”

He believes that gaining an understanding of biometric systems is key to accepting them. “I think there’s an image there that still has to be dealt with,” he said. “I firmly believe that the technologies we’re talking about can be used to make the streets safer. If my identity is my name and address, it’s actually very easy to steal. If it’s my face, my iris, my fingerprints – that’s harder to steal. That’s not an argument that is made often enough. There are important civil liberty and data protection issues here, but it’s shining much more of a light on that.”

Systems such as these make it harder for an identity to be stolen, he argued.

Daly believes that although the application of the technology in airports shows how it can work, it is to public safety that the technology will move next. This means using the video analysis to identify potentially problematic crowds gathering, looking at crowd density and help to understand what is happening in a specific area at one point.

Potential uses

“It has a prevention value as well,” he said, citing the potential use of the technology on the buses to identify gang members congregating.

As police budgets shrink, being able to police smarter rather than harder will be a major driver for the technology.

“This is a place where you have got to do more with less,” Daly said.

Accenture’s technology will allow police to search the footage automatically, extract the valuable data in a far shorter time period. It is particularly useful for policing football matches, where watch lists may exist for banned supporters.

But security consultant Brian Honan warns that while biometrics can be more secure than passwords, the technology can also create a false sense of security.

“By that I mean people will assume there is a higher level of security when in reality that level of security may not be there. Unlike passwords which can be easily changed people may find it hard to change their biometrics, eg their fingerprints, should they be compromised,” he said.

“There is also the issue that some people’s biometrics may change over time as a result of aging, diseases or injury. So if they are depending on biometrics alone to provide security then those situations need to be factored into the solution.

“If implemented properly with proven and mature solutions, biometrics used in conjunction with other security mechanisms can help improve security. However, it should not be viewed as a silver bullet.”

Ciara O'Brien

Ciara O'Brien

Ciara O'Brien is an Irish Times business and technology journalist