March 6, 2007
In a previous essay, I introduced the problem of identity theft and reviewed some of the authentication technologies that are being used to prevent it. In this essay I will focus on biometric authentication systems, which include systems based on fingerprints, hand or finger scans, and iris, voice, and face recognition. Biometrics are receiving a lot of attention during discussions about identity theft because of the possibility of uniquely identifying people in a reliable way. Although biometrics offer great potential, they have serious limitations and their use may sometimes increase, rather than decrease, the risks of identity theft.
Roles for Biometrics
Traditionally, identifications are verified using distinguishing characteristics of the person, such as appearance or behavior. So, in small groups we might rely on body and facial characteristics, voice, birthmarks, tattoos, etc. Today, where we interact in larger groups, we also use various kinds of documents, such as birth certificates, Social Security Numbers (Social Insurance Numbers in Canada), and passports. Each of these methods of identification can fail, however, if people attempt to deceive by covering their distinguishing characteristics, wearing disguises, or forging identity documents. Biometrics (Greek for “measure” and “life”) refers to attempts to find physical or behavioral traits that can uniquely and accurately recognize people. The classic examples are fingerprints, which appear to be unique among individuals and relatively easy to capture and analyze. Biometric technologies are automated systems designed to assess physical or behavioral traits so that recognition decisions can be made automatically.
Authenticating an identity claim is difficult
There are two critical stages when attempting to avoid identity theft. The first stage is when a person first establishes a relationship with an organization, such as a bank. We will call this stage service enrollment, and the task is identifying who the person is out of all the possible people who might interact with this organization. Identification, then, involves a claim or statement about being a specific individual. The actual form of the identity will differ depending on the relationship with the organization, but it typically involves real world information such as name, address, etc. Authenticating an identity claim is difficult because there has been no prior relationship between the person and the service provider. During simpler times, identifications might be confirmed by calling on other people who know the person. Today, however, we have to rely on other, usually multiple, forms of authentication, such as a birth certificate, driver’s license, or Social Security Number.
Once a relationship has been formed, the person may then use the service to conduct transactions. This second stage is service use, and the organization is asked to recognize the customer who enrolled previously. Here the task is one of authenticating the previously established relationship. During service enrollment, the credentials used for authentication (e.g., birth certificate, driver’s license, etc.) are not something that the service provider can control. During service use, on the other hand, the credentials used for authentication can be something provided by the service provider (e.g., a bank card, credit card, or account number).
Service enrollment is harder than service use
Regardless of who provided it, the types of information used during authentication are usually classified as something you have, something you know, and something you are. Birth certificates, driver’s licenses, and credit cards represent something you have, passwords and PINs are examples of something you know, and fingerprints or other biometric information are something that you are.
Biometric information can be used to verify claims of identity at service enrollment, and to authenticate claims of a relationship during service use. These two uses of biometrics are quite different, and each presents special challenges and opportunities. As we will see, using biometrics during service enrollment is much harder than using it for service use.
Biometrics for Service Enrollment
Biometric technologies can do a good job of recognizing an individual (we will discuss some performance limitations later), but there must already be some stored information to recognize against. So, to use a fingerprint recognition system, an initial recording of the fingerprint must already be stored somewhere. Moreover, that stored fingerprint must already be associated with the correct identity. For a bank trying to establish the identity of a new customer during service enrollment, it must have access to some database of fingerprints that can be used for authentication. Without such a large database, which would have to include every individual who could possibly want to form a relationship with this bank, the role of biometrics for identification is limited.
The best-known example where biometrics are used for identification is forensic applications. For example, the FBI’s Integrated Automated Fingerprint Identification System (IAFIS) is a large, national database containing fingerprint and criminal history information for over 47 million people. Using only fingerprints, either collected from a person or found at a crime scene, investigators are usually able to identify a specific individual, if their fingerprint is stored in the database. Most of the search and recognition processing is done automatically in IAFIS, although human experts are usually called upon to make the final recognition decisions that involve latent fingerprints found at crime scenes.
A bank trying to identify a new customer does not have access to IAFIS or any equivalent biometric database, and many of its customers would not have fingerprints stored in the database anyway. Instead, banks tend to rely on databases of consumer information, such as those maintained by credit bureaus. These databases do not contain biometric information, but they do contain names, addresses, social security numbers, and credit histories. This information can be useful for verifying identities, and some methods have been developed to automatically assess the likelihood of identity theft based on the patterns of information (e.g., ID Analytics, Inc.).
So, using biometrics during service enrollment is limited by the lack of biometric databases. Biometrics can be used, however, for authenticating any documents that are used to support an identity claim. If a document, such as a driver’s license, is linked with biometric information, such as a fingerprint, then an authentication decision can be made about whether a particular customer’s fingerprint matches the one associated with the driver’s license. This really represents someone using the driver’s license service as a form of authentication, and we will discuss using biometrics for service use below.
Biometrics are useful for duplicate detection
One area where biometrics can be useful during service enrollment is duplicate detection. If an organization or program needs to ensure that the same individual is not allowed to register or enroll again, then biometrics may have a role. One application area where duplicate detection is important is preventing double-dipping, or using a resource more than once. Welfare fraud, for example, occurs when someone receives multiple benefits by presenting more than one identity and establishing more than one relationship with the agency. Various jurisdictions are implementing or considering using biometrics to prevent double-dipping and welfare fraud. Each person who attempts to register for the government service provides biometric samples, such as fingerprints, which are compared to all other previously registered people. If a matching fingerprint is found in the database, it suggests that this is a possible case of double-dipping.
The cost of double-dipping can be large:
The Government Accountability Office recently reported that the Federal Emergency Management Agency (FEMA) may have improperly disbursed more than $1 billion by not validating the identity of aid registrants in the wake of hurricanes Katrina and Rita. The GAO cited the example of one person receiving $139,000 in aid by registering 13 times using different Social Security numbers. Other recipients altered their own names or addresses or borrowed names from children or prisoners to obtain extra aid.
Purdue developing biometric technology to counter hurricane relief fraud
The state of California, and others, are using biometric technologies to prevent such fraud. The California database used for social programs contains 6 million fingerprint images and photographs (2004 data) and is believed to be responsible for annual savings of $68 million.
Using biometrics for duplicate detection is not easy, however. Each comparison of biometric information has a chance of producing an error. Errors can come about by failing to match a database record when there should have been a match (a false non-match), or by matching a database record when there should not have been a match (a false match). Vendors of biometric systems strive to have the lowest possible error rates, but no system is perfect. Moreover, as the size of the database grows, the chances of making errors can increase.
A human component is needed
The result is that for serious biometric applications, such as detecting welfare fraud, there needs to be a human component added to the automatic biometric matching. In California, for example, all cases where a new applicant is matched to an existing record in the database, which could be fraud or a false match, are referred to a trained Fraud Investigator. The investigator does a side-by-side comparison of the fingerprints, photographs, and demographic information before making any conclusions about possible fraud. The same process is also done in cases where an apparent returning applicant fails to match their existing record in the database, which could be fraud or a false non-match. Depending on the system error rates, the fraud investigations can be time-consuming and costly.
Biometrics for Service Use
Using biometrics for service use is often simpler than enrollment. During service use, a person is making a claim about an existing relationship, and the task is to determine if that claim is authentic. Instead of comparing biometric information to every record in a database (1:N comparisons), service authentication can be done by comparing biometric information with one stored record (1:1 comparison). The biometric information, such as a fingerprint, can be stored in a centralized database, or it could be stored with the individual, perhaps on a smart card.
This form of authentication is often being used to verify the accuracy of some kind of document or credential. So, for example, biometric passports (or e-passports) can contain stored information about faces or fingerprints, and the authenticity of the claim that this is an individual’s passport can be made by a 1:1 biometric comparison. Since there is only one comparison being made, the accuracy for authentication decisions can be higher than that for service enrollment. (A service might still choose to use 1:N comparisons if they want to perform authentication using the biometric alone, but the size of the N would probably be limited to the list of current customers rather than an entire population.)
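To make concrete how per-comparison error rates interact with database size, and why the 1:1 check used during service use is more forgiving than the 1:N duplicate-detection search described earlier, here is an added Python example that is not part of the original essay. It assumes independent comparisons with a constant false match rate (FMR) and false non-match rate (FNMR); the rates and applicant volumes are constructed, and only the 6 million-record database size comes from the essay.

```python
"""Added example: how per-comparison error rates scale with database size.

Assumes independent comparisons with a constant false match rate (FMR) and
false non-match rate (FNMR). The rates and volumes below are constructed;
only the 6 million-record database size is taken from the essay."""


def system_false_match_rate(fmr: float, n: int) -> float:
    """Probability that searching one probe against n unrelated records
    (a 1:N search) returns at least one false match. For n == 1 this is
    simply the per-comparison FMR of a 1:1 check."""
    return 1.0 - (1.0 - fmr) ** n


def expected_false_matches(fmr: float, n: int) -> float:
    """Average number of wrong records returned by one 1:N search."""
    return fmr * n


def expected_manual_reviews(fmr: float, fnmr: float, db_size: int,
                            new_applicants: int,
                            returning_applicants: int) -> float:
    """Expected number of cases referred to a human investigator because
    of matcher error alone (genuine fraud cases come on top of this):
    - each new applicant is searched 1:N and is flagged if any record
      matches;
    - each returning applicant is checked 1:1 against their own record
      and is flagged if it fails to match."""
    flagged_new = new_applicants * system_false_match_rate(fmr, db_size)
    flagged_returning = returning_applicants * fnmr
    return flagged_new + flagged_returning


if __name__ == "__main__":
    fmr, fnmr, db = 1e-8, 0.02, 6_000_000   # constructed rates, essay's db size
    print(f"1:1 false match probability:       "
          f"{system_false_match_rate(fmr, 1):.2e}")
    print(f"1:N false match probability:       "
          f"{system_false_match_rate(fmr, db):.4f}")
    print(f"expected wrong records per search: "
          f"{expected_false_matches(fmr, db):.3f}")
    print(f"manual reviews/day from errors:    "
          f"{expected_manual_reviews(fmr, fnmr, db, 1000, 10_000):.1f}")
```

Even a matcher with a one-in-a-hundred-million false match rate flags several percent of new applicants once the database holds millions of records, which is the workload the fraud investigators described above have to absorb.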
What’s Wrong With Biometrics?
Even though biometrics have the potential for increasing the accuracy of identification and authentication, and thus reducing chances for identity theft, there are limitations. First, the performance of biometric systems is not perfect, and it can vary a great deal from system to system. Overall, the data currently available on fingerprint matching accuracy, for example, suggest that the performance can be quite good in laboratory studies and when high quality images are captured in the field. Caution is appropriate, however, because the results from real-world trials suggest that actual accuracy can be much lower and that capturing high quality biometric information can be difficult in practice.
Failures to enroll are a serious problem
Failures to enroll are often a serious problem when deploying biometric systems, and yet they have not received as much attention as matching failures. Failures to enroll can be caused by missing or damaged biometric characteristics, poor user training, poor devices, etc. For many biometric technologies, enrollment may be more difficult for disabled people and older participants. Any biometric system will have to plan for participants who are not able to enroll in the system, and this may be a sizeable portion of the participants depending on the target customers.
Social and human factors, particularly the usability and acceptance of the biometric system, will also be very important for their success. If the users have difficulty using the system or fail to accept it, the service is likely to fail. There is a relationship between biometric usability and accuracy. The methods that are the most accurate, such as iris and retina recognition, tend to be the least usable. Conversely, the methods that are most usable, such as speech and face recognition, tend to be the least accurate. Fingerprint systems tend to provide moderate levels of accuracy and usability.
Convenience can be more important than security
Concerning the acceptance of biometric systems, research has shown that although acceptance is increasing, users are still wary because the benefits are not always evident (both in terms of security and convenience). Security systems, including biometrics, are “enabling tasks” that differ from the “production tasks” (actual work) that users are interested in. If the enabling task is at all awkward, slow, or unusable, it is natural for users to try to avoid it. For biometrics, perceived convenience can be a bigger driver than any increase in security.
Research studies have found that users’ concerns about biometric misuse and privacy invasions are large and poorly articulated. Potential users are also concerned about the reliability of new technology. Moreover, research has shown that users find biometrics systems to be less hygienic and more stressful than traditional PIN systems. Some groups have also expressed concerns about health risks caused by biometric systems, such as eye damage caused by the near infrared illumination used for iris scanning. Users also reported significant fears that criminals may do them harm to obtain the biometric (e.g., cut off their finger). Including “vitality tests” that ensure the biometric is offered by a living person will be crucial to avoid these problems, and yet this technology is very immature.
There also appears to be a general lack of understanding of biometric templates. Users do not understand, and the interfaces don’t explain, how biometric templates are created, stored, and secured. Since it is obvious to users that their biometric characteristics are not a secret, the applications must explain how the corresponding template is to be kept as a secret, and this explanation is rarely done. Managing privacy impacts and ensuring personal control of biometric use will be very important for promoting acceptance.
A privacy impact assessment may be required
Another area that must be considered is privacy. Depending on the place of deployment, it is likely that any biometric service involving the public would be covered by privacy legislation or guidelines, which means that a privacy impact assessment would have to be completed and methods put in place to protect the privacy of the users. The organization bioprivacy.org has produced some tools that may be useful for doing impact assessments for biometric deployments. In addition, the Ontario Privacy Commissioner looked at a biometric deployment scenario when Toronto proposed an anti double-dipping scheme. They required that such a model privacy-protecting system have the following characteristics:
- requiring the biometric, in this case, the finger scan, to be encrypted;
- restricting the use of the encrypted finger scan only to authentication of eligibility, thereby ensuring that it is not used as an instrument of social control or surveillance;
- ensuring that an identifiable fingerprint cannot be reconstructed from an encrypted finger scan stored in the database;
- ensuring that a latent fingerprint (i.e., picked up from a crime scene) cannot be matched to an encrypted finger scan stored in a database;
- ensuring that an encrypted finger scan cannot itself be used to serve as a unique identifier;
- ensuring that an encrypted finger scan alone cannot be used to identify an individual (i.e., in the same manner as a fingerprint can be used);
- ensuring that strict controls are in place as to who may access the biometric information and for what purpose;
- requiring the production of a warrant or court order prior to granting access to external agencies such as the police or government departments;
- ensuring that any benefits data (i.e., personal information such as history of payments made, etc.) are stored separately from personal identifiers such as name, date of birth, etc.
There is even some fear that using biometric systems may reveal private information about a person. For example, recent research has shown a relationship between personality and the patterns of colors in the iris. If iris characteristics are possibly related to personality, then privacy concerns about who gets to capture, examine, and store iris images become more important. What might a government agency or an insurance company do with information that someone possesses personality characteristics (and perhaps genetic markers) related to approachability or impulsiveness?
Biometrics are not secrets
Although they have come a long way, there are still some fundamental issues associated with biometric systems that must be solved before wide deployment is feasible. Most importantly, biometrics are not secrets and they are not revocable. So, if a user’s biometric information falls into the wrong hands, which can easily happen, for example, by someone copying the fingerprints left on hard surfaces, a false finger can be created and a user’s account can be compromised. The fingerprint information could also be stolen from any database where it is stored, or intercepted during network transmission. Once stolen, the fingerprint can never be used again for authentication.
Covert use is possible
There are also possibilities for covert use of biometrics. Face recognition can be done at a distance without the user being aware, but face recognition systems have not been very accurate. Iris-based systems are far more accurate but they traditionally require the user to deliberately position their eye about 10 inches from a special camera lens. In a scene reminiscent of the movie Minority Report, however, Sarnoff Corporation recently filed for a patent application for a system that allows iris recognition from distant, moving people. This means that highly accurate iris information could be captured and used without people’s knowledge or consent.
Some work is being done on solving these fundamental problems. For example, some fingerprint readers include a “liveness” detection method to prevent false fingers. Special finger scanners can measure the temperature or conductivity of the skin to ensure it is presented by a living person. Most recently, research has shown that perspiration patterns can be used to distinguish authentic, living fingers from fake or cadaver fingers.
Another approach is to combine biometric characteristics in multi-modal systems so that multiple characteristics must be verified before access is granted. So, for example, a fingerprint might be combined with an iris scan. This would mean that two biometric characteristics would have to be stolen and reproduced to compromise a system. Some developers also combine biometric and traditional authentication systems so that users have to provide a secret, such as a password, along with the biometric characteristic to prove identity.
A third approach is to transform the biometric information so that it is unique to the application context. In the “cancelable biometric” scheme proposed by IBM, a fingerprint image might be systematically distorted or scrambled in some secret way before it is stored and used. If the fingerprint information is ever stolen, it will be useless without knowing the kind of distortion that was used.
A related technology is “biometric encryption,” where biometric information, such as a fingerprint, is mathematically combined with a complex password or key and the resulting “private template” is stored. After enrollment, the fingerprint and the password are destroyed and only the private template is kept. During service use, the fingerprint is presented again and it is used to process the private template and regenerate the key. Again, the fingerprint is immediately destroyed, but the extracted key can now be used to gain access to a system or to decrypt data.
Biometric encryption can enhance privacy protection
The Ontario Privacy Commissioner has recently reviewed the privacy-enhancing characteristics of biometric encryption. With biometric encryption the biometric information is not saved, either as an image or a traditional template, so the risk of privacy breaches is eliminated. Also, since the complex key that is bound to the biometric can be unique to each application, there is no possibility for linking database records and function creep.
Biometric encryption does present some technical challenges. In order for the key to be successfully recreated during authentication, the biometric information (e.g., the fingerprint) has to be very similar to the information used during enrollment to create the private template. Since each biometric sample will differ because of orientation on the reader, environmental conditions, dirt, sweat, etc., biometric encryption systems have to be designed to have some tolerance for “fuzzy” biometric matches. The current evidence suggests that iris images may provide the most consistent biometric samples that are needed for biometric encryption, and more research is underway.
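The following Python, added here and not taken from the essay or from any vendor's product, shows one published way to build such a private template with the fuzzy tolerance just described: a fuzzy commitment (Juels and Wattenberg, 1999), in which the key is encoded with an error-correcting code and XORed with the biometric bit string, so a fresh sample that differs within the code's tolerance regenerates the same key while the stored data reveals neither the key nor the biometric on its own. The biometric bit strings and the simple repetition code are constructed for illustration; a real system would derive the bits from iris or fingerprint features and use a stronger code.

```python
"""Added example: a fuzzy commitment binding a key to a noisy biometric.

Enrollment stores only the 'private template' (helper data plus a hash of
the key); the biometric bits and the key are discarded. A later sample that
differs from the enrolled one within the error-correcting code's tolerance
regenerates the same key. Bit strings and the repetition code are
constructed for illustration, not real feature extraction."""
import hashlib
import secrets
from typing import List, Optional, Tuple

KEY_BITS = 16                      # length of the key bound to the biometric
REPEAT = 9                         # repetition-code block length (odd: no ties)
TOLERANCE = (REPEAT - 1) // 2      # flipped bits tolerated per block (4)
FEATURE_BITS = KEY_BITS * REPEAT   # length of the biometric bit string (144)

Bits = List[int]


def encode(key: Bits) -> Bits:
    """Repetition code: each key bit becomes a block of REPEAT copies."""
    return [bit for bit in key for _ in range(REPEAT)]


def decode(codeword: Bits) -> Bits:
    """Majority vote inside each block; corrects up to TOLERANCE flips."""
    return [int(2 * sum(codeword[i:i + REPEAT]) > REPEAT)
            for i in range(0, len(codeword), REPEAT)]


def xor(a: Bits, b: Bits) -> Bits:
    return [x ^ y for x, y in zip(a, b)]


def commit(key: Bits) -> str:
    """Hash of the key: lets authentication verify the recovered key
    without the key itself being stored."""
    return hashlib.sha256(bytes(key)).hexdigest()


def enroll(biometric: Bits, key: Bits) -> Tuple[Bits, str]:
    """Build the private template (helper data, commitment). The helper is
    the codeword masked with the biometric, so neither can be read from
    it without the other."""
    helper = xor(encode(key), biometric)
    return helper, commit(key)


def authenticate(sample: Bits, template: Tuple[Bits, str]) -> Optional[Bits]:
    """Unmask the helper with the fresh sample, decode away the noise, and
    accept only if the result matches the commitment. Returns the key or
    None when the sample is outside the code's tolerance."""
    helper, commitment = template
    candidate = decode(xor(helper, sample))
    return candidate if commit(candidate) == commitment else None


def flip_bits(bits: Bits, positions) -> Bits:
    """Simulate sensor noise by flipping the given bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def random_bits(n: int) -> Bits:
    return [secrets.randbits(1) for _ in range(n)]


if __name__ == "__main__":
    key = random_bits(KEY_BITS)
    enrolled = random_bits(FEATURE_BITS)
    template = enroll(enrolled, key)
    noisy = flip_bits(enrolled, range(0, FEATURE_BITS, 3))   # 3 flips per block
    print("noisy sample recovers key:", authenticate(noisy, template) == key)
    print("unrelated sample recovers key:",
          authenticate(random_bits(FEATURE_BITS), template) == key)
```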
Risks with Enhanced Authentication
Even the most sophisticated biometric systems are not perfect. The systems can fail to capture information, make matching errors, and be fooled by imposters. Also, the age-old methods of impersonation and confidence tricks will still allow fraudsters to obtain authentication credentials, including those that include biometrics. And there will still be risks from inappropriate insider activities and institutional data breaches.
Biometrics could increase identity theft
If banks come to trust new biometric systems beyond appropriate levels, then they run the risk of assuming identities and transactions are legitimate when they may not be. Moreover, they may place the onus on the customer to show that a transaction is fraudulent, rather than the bank showing that the transaction was legitimate. If an imposter can spoof a biometric characteristic, perhaps by creating a false finger, they may be able to enroll or use a service without having to produce the supporting identity documents that would normally be required.
Biometrics have the potential to provide a universal identifier, but with that comes universal risk. Biometrics are not perfect, and they can be compromised. Once they are compromised, which will become lucrative when they are used in high value services, there is a potential for increased identity theft. Imagine an identity thief who is able to reliably spoof someone’s biometric characteristics gaining access to their accounts, car, home, and business.
In many ways, biometrics represent a wrong direction in solving identity theft. Instead of a universal identifier that can be used, and abused, everywhere, what is needed are specific, unique identifiers that are used in one place. Instead of trying to create a single, public credential that we make everyone carry or display, why not make multiple, private credentials that people can use selectively, revealing only the information they need to enroll or use a service, while maintaining their overall security and privacy?
Private credentials are an interesting alternative
There is interesting work being done on developing private credentials at companies like Credentica and IBM. These private credentials are cryptographic keys that allow someone to prove an attribute, such as age, credit rating, group membership, etc., without having to reveal who they are. It is not clear how these credentials can be integrated into current authentication systems, but they represent an interesting contrast to the universal identification approach offered by biometrics.