Unlocking the Promise of Biometrics

June 23, 2014

When Apple’s latest iPhone was released, there was a lot of excitement over its fingerprint scanner, heralded as another example of Apple’s focus on innovation. While including a fingerprint scanner on a phone is new (and certainly adds a “cool” factor to the iPhone 5), it is just one of many kinds of biometric security solutions that are increasingly being used across numerous industries. The applications, as well as the implications, are enormous. 

As I’ve written previously, the human body is a data-making machine. From our genetic code to our eating and sleeping habits, everything about us generates troves of information. Part of this includes physiological data (aka biometrics) that are unique to the individual, such as the shape of your fingerprints, your retinas and irises, the lines on your palm, and the component features of your face. 

Technologies that can scan, record and compare these biometric data points promise to revolutionize how we live, shop and secure our possessions. Imagine a world where our bodies are the keys that open our doors, unlock our computers and access our bank accounts. This not some distant, far-fetched goal; it is already happening in countries around the world.

Lund University engineering student Fredrik Leifland worked with classmates to put vein-scanning technology into 15 stores and restaurants near the university campus, allowing customers to pay simply by resting their hand on a scanner. The device shines light against the customer’s hand, sensing the unique layout of their veins and matching it with a bank or credit account stored in the system. One major benefit (aside from the convenience) is that it makes fraud difficult, if not impossible, since no two hands are alike. While the vein-scanning device already existed, it had not been integrated into everyday commerce. 

"We had to connect all the players ourselves, which was quite complex: the vein scanning terminals, the banks, the stores and the customers,” says Leifland. “The next step was finding ways of packaging it into a solution that was user friendly.”

Similar technologies are being used in the banking industry. Japanese companies Hitachi and Fujitsu have separately developed vein-scanning systems that are already being used by major banks around the world, such as in Brazil, Poland and Turkey. U.S. banks are also preparing to add biometric technology to ATM machines, although with 425,000 machines in the United States (and a good dose of cultural resistance), this will take time and a lot of money.

Biometrics also include predictable behaviors. The Silicon Valley-based company Behaviosec has developed a program that reads the way a person uses their computer hardware (such as the mouse and keyboard) and compiles a unique user profile. With this as the baseline, if another person with different behavior attempts to use a computer, their access is removed. Behaviosec’s system is being used by Danske Bank in Denmark and by some e-commerce companies.

The commercial applications are many, but in the United States, much of the biometrics discussion has focused on building a system that can track U.S. visitors and visa-holders. The Department of Homeland Security’s Office of Biometric Identity Management already collects and checks biometrics of everyone attempting to enter the United States, running their data against a list of people we don’t want coming here (e.g., terrorists, criminals, etc.). A larger challenge (one mandated by law but many years behind schedule) is the development of a “biometric entry and exit data system,” the exit tracking being the bigger challenge. One reason to think a more robust biometric system is on the horizon is that today’s technology is far faster and cheaper than in years past.

Janice Kephart writes on Security Debrief that “the cost for technology implementation and integration is low. Our estimate, using industry numbers and key essentials from a 2008 DHS economic impact study, is a total of $400 million to $600 million to deploy at the top 50 airports and top seaports.”

Kephart also notes that the kinds of biometric technologies the country needs have already been used successfully in other countries. Will the lower cost and proven effectiveness be sufficient to move Congress and DHS to action? Even as the debate continues, the rest of the world is not standing still.

Indeed, it’s not just immigration where the United States seems to lag behind other industrialized countries in terms of biometric technology integration. South Africa has used fingerprint scanning at ATM machines since 1996. Brazil uses similar biometric technology at more than 55,000 ATMs, and, as noted, the country’s banks are slated to begin using vein-scanning technology (as are Turkey’s and Poland’s).

One reason for the slow integration of biometric technology in the United States is our widespread cultural concern over security and privacy. Every technological system has vulnerabilities, as we have seen of late with frequent reports of major companies encountering data security breaches. Biometric technologies can also be compromised. Within days of the release of the iPhone 5, for example, hackers found ways to get around Apple’s fingerprint scanner.

Yet, the bigger security issue is not so much a threat to the biometric device itself but to the database storing the physiological markers of thousands or even millions of people. A compromise of this information would be devastating. You can change a password; you cannot change your fingerprints and other body features.

While we are not yet at a point where biometrics are a fool-proof method of authentication, the potential these technologies present for innovation and advancement are huge. Just one more example of how data and technology are changing the world for the better.