Being curious about new technologies has its consequences: whether installing OSx Yosemite beta which lead to 4 SSD wipes, relying on GPS module on MAVLink programmed autonomous drone (took off in Hong Kong and was last tracked flying in direction of Hawaii), or being fascinated by the new user experience of PayPal’s recognition of credit card details via smartphone camera (one of the best solutions I’ve seen, brilliantly repeated by Apple).
Bottom line – as much as I love new solutions, I learned to not encourage anyone to use anything without certain understanding of the person’s ability to deal with potential negative consequences. Let’s put it in a layman terms: I will not encourage anyone saying that starting riding on a 1’000cc track ready superbike is fine as long as you are careful (was my misstep, thus I know the consequences first hand).
Ok, why am I sharing this? Recent development and wide application of security mechanisms based on authentication by fingerprints and facial recognition is becoming a mainstream. However I think most of the users are not completely aware of how safe their sensitive information is. Here I’m going to cover the most common ways of authentication and their vulnerabilities just on a surface level, without getting too technical. Let’s start:
Featured recently in iPhone 5s and iPhone 6 as well as on Samsung devices, fingerprint authentication technology was around for a while: I, myself, started using it with IBM ThinkPad T42 around 2004 once it was introduced with a fingerprint sensor.
Without getting deep (for these of you who wish to dive in: proceed here), the method has 2 major flaws:
- In case you use only one finger to authenticate – as much as a paper cut can lock you out. Logically, using at least 2 fingers on different hands is necessary. However using simple deduction, the more fingers you authenticate, the moreprobability of error you allow.
- Note to self: interesting idea to use at least 2 fingers match in authentication process.
- Despite of common perception that unless you have a criminal record, no one got your prints, your fingerprint data is likely to be stored in multiple databases . I don’t have any criminal records, but I know that they were taken in US and Canadian Embassies to issue visas, stored on a dozen security systems I have (or had) access to, one of my earlier cars started with fingerprint scan, at APEC card authentication on border control requires a match, even Disneyland stores it to prevent anyone else using your annual pass. I could go on and on in this direction, but I think after the Disneyland example you got the idea.
Bottom-line: the wider this technology applies, the further it gets from being failsafe: your fingerprint data is very likely stored in multiple various databases.
About 2 weeks ago I’ve had a meeting with NEC on their new out-of-the-box facial recognition solution. These, who know me personally, know that I take time before meetings not to meditate, but to prepare. And I must say I was impressed when I read latest report published by NIST. Extracts:
- “When 1.6 million individuals’ lifetime mugshots are enrolled, the NEC’s rank one miss rate is 0.035 vs. Morpho’s 0.077. At rank 50, the NEC result is 0.023 with Toshiba at 0.049 and Morpho at 0.054.”
- Accuracy of recognition accuracy results recorded in 2010 improved by 30% during 2013 evaluation.
- The former flaws such as being able to fool the system by holding a picture of a person in front of the camera are cured: current algorithms recognize mimics and eye blinks. During my meeting I asked whether a video recording of someone’s face would fool the system, I was told “no”, but no explanation was given on method (I would assume digging the patents database would show it unless it was filed very recently).
So far it sounds great. The cost of implementation of such solution went down significantly, and now a corner store can implement it spending at most US$ 2’000 (hardware and software included). Which brings it to the same pattern of failsafe degradation as previous method: the wider this technology applies, the further it gets from being failsafe.
Essentially it will be is as safe as the weakest protected database containing your biometric record.
Biometric recognition: recognition of personal patterns
To make things clear: both fingerprint and facial recognition are considered biometric methods. What I wish to cover here is a much more fascinating technology, which not widely known yet, but I trust it will gain momentum very quickly: recognition of personal patterns such as human physiology, chemistry and behavior.
First solid publication on this, which I discovered, dates back to 1999 (Jain, A.K.; Bolle, R.; Pankanti, S., eds. (1999). Biometrics: Personal Identification in Networked Society.). However application was largely constrained due to technological limitations, which now are increasingly disappearing.
Recently unveiled perfect example of this is the Apple Watch. While there are many pranks referring to seemingly useless functions such as sharing of your heart beat or letting your contacts know how you feel by touching or gently striking the display sensor:
I see this as an enabling factor for multi-layer authentication possibility. Once it was announced, I started looking for someone, who does R&D in this direction, and so far had no luck: either no one started yet, or (what I rather assume) they are hidden within divisions of companies, that do not make it public. Apple for once is a very well matching candidate: both because they enabled the technology and because of it’s extensive and very reserved R&D practices.
I will not finish with a verdict. Comments are very welcome.