Biometric Technology: could it replace passwords & RFID?
In 2013 the facial recognition market was valued at $1.17 billion and it is expected to grow at a continual annual growth rate (CAGR) of 9.5% from 2014 to 2020, to hit $2.19 billion by 2019. This increased investment clearly demonstrates the security industry’s growing confidence in biometric solutions, as do moves to replace passwords to access everything from smartphones to bank accounts with fingerprints, facial recognition and iris scanning. We’ve been finding out how key leaders in the field are seeing biometrics being used.
Gary James, Head of Sales & Customer Relations, Aurora, explained what he believes is driving investment in technology like facial recognition, saying, “After years of being the subject of far-fetched sequences in movies, where subjects are recognised in crowded streets from satellites, the key to growth has been a combination of improved technology but also the realisation that there are a range of verification tasks (matching one to one, or one to a few) for which facial recognition is perfectly suited. As a biometric method, facial recognition is hard to beat because its hygienic (being totally non-contact), very fast and most of us remember to take our face with us wherever we go!”
Simon Gordon, Chairman of Facewatch, added, “I think that within three years we will expect our mobiles/cars/houses and even our favourite shops to recognise us, whether that is purely by face recognition or more likely by a combination of at least two measures where the data is important. We all rely on passwords and keys at the moment but this is inconvenient and insecure as can be seen by the constant ID theft and the fact that you can now apparently buy a device to unlock pretty much any modern high end car for £25!”
However, despite predicting that passwords will be replaced by biometrics, Gordon doesn’t think the existing technology we’re seeing in action on tools like smartphones is up to the job – not quite yet anyway.
“Within the next year or so I am sure it will be though,” he said, “I for one cannot wait to get rid of my passwords, but I do think where the authorisation is for high value transactions it will be necessary to have dual verification rather than rely on one biometric measure.”
James believes that the success of these kinds of deployments depends on a combination of the robustness of the technology and the compliance of the user.
“Last year we processed over 14 million facial recognition events at Heathrow for self boarding,” he said. “The experience would seem to indicate that as long as the application is well judged, the technology is more than up to the task and will only get better.”
The biggest objection within the industry to biometrics taking the place of our passwords is the question of what happens if your biometric data is stolen. Changing your fingerprints is slightly trickier than changing a password. Gordon is realistic about the threat this poses, but he also raises a valid point that although a fingerprint can be forged, a facial recognition algorithm cannot be utilised to recreate someone’s face.
“There will always be clever people trying to break whatever security measures are built unfortunately,” he said, “however, a facial recognition algorithm cannot be used to recreate a picture of a face so no matter how good the algorithm (and each system will be different) there is only one face. If the detection is smart enough to recognise that the face is not a picture and combines it with, say, voice recognition, I think it will be pretty hard to fool. As least your face goes with you so no one can steal it without you knowing about it! No doubt it may eventually be possible to build some kind of mask and voice generating system as in Mission Impossible, but this is beyond the scope of most criminals!”
James is inclined to agree that perhaps fooling a biometric based system isn’t as simple as some critics make it sound. He said, “Most serious biometric systems are extremely adept at knowing whether they are being asked to process data from a ‘live’ being or not. We ensure this by using highly specialised sensors rather than ordinary CCTV cameras so people cannot present photographs, masks etc to impersonate others. I’m sure manufacturers of other types of biometric readers will have overcome this challenge too.”
Another question critics of mass use of biometrics solutions have raised is managing insider threat and protecting databases that store biometric information. Aurora has worked security for the information it stores into its systems, James explained.
“Once individuals are enrolled into a biometric system, their identity exists as a ‘template’ rather than an actual picture or image of their fingerprint for another type of system,” James said. “This can only be interpreted by the biometric system which created it, making it useless to a third party. These templates are stored on computer servers so normal data security rules should apply too – there is nothing different about the steps we need to take to protect this type of data. If you somehow managed to steal my biometric template, you would still need my actual face to use it anywhere. This is why biometric is the way forward for access control and many other verification applications.”
Gordon agrees that the threat to stored biometrics data is not all that different to the threat to any other sort of personal information, saying “Data will always be valuable if it can be used to gain value or advantage. If you could steal the biometric data used to authorise payments and somehow reverse engineer a product that would enable you to hack into bank accounts (say) then of course there is a threat. But this is no different to the threat of breaking in and finding passwords – the biometric data is like the lock but the real live face of an individual is the key so it’s no use stealing the lock, you want the key!”
Facewatch is an online digital crime and incident reporting system, linking businesses and police as well as the CPS seamlessly. It also in terms of crime prevention acts as a secure central database that stores watch lists for groups in a Data Protection compliant manner. Gordon explained that Facewatch is being linked to facial recognition and automatic number plate recognition (ANPR) systems to enable business users to receive alerts when a match occurs. For example, when someone walks into a bar or shop who has been banned an alert will be pushed via a mobile app to the appropriate staff members. By acting as a central hub, Facewatch can enable businesses to share watch lists in a compliant manner no matter which biometric system they wish to use.
Aurora offers a product called FaceSentinel, which James told us, is the first application of Deep Learning (DL) in the security industry. DL is a form of artificial intelligence in which a computer ‘brain’ can be trained to recognise characteristics patterns by processing large amounts of data. DL has recently been applied to many tasks that are familiar to us in everyday life. In this application, DL manifests itself in increased recognition accuracy, wide ranging tolerance to the way subjects present to the sensor and overall speed.