Biometric security always has been an attractive approach to online security on the conceptual level. After all, by definition, biometrics is always with the user and, in a vast majority of cases, is unique to the individual. The dangers inherent in the mobilization of content — and the clear path smartphones and tablets provide into the core of the organization — appear to be leading to heightened interest in this family of approaches.
While fingerprint-based biometrics has become common, biometrics in general has remained somewhat in the background and has certainly not threatened passwords as the main security platform.
That is not to say that fingerprints are the only biometrics tool. Another approach that has garnered interest is the use of eyes. In general, though, it hasn’t fared as well due to cost and the fact that earlier iris scans made people uncomfortable.
The advent of high-quality cameras, however, has changed the equation. EyeVerify uses a photo taken by the device itself and transmits it for analysis. The Boonsri Dickinson’s story at Byte says that the process takes about four seconds:
It allows mobile users to authorize transactions and access secure information. Using the camera on the phone, the software can determine 4 ROIs (regions of interest) in your eye, sending a pass/fail and a confidence interval. If it passes, you are granted access to the application. If it fails, access is denied.
A late entrant in the “which part of your body or bodily function is telling the truth” contest is voice. An unsigned blog at MIT Technology Review takes a look at the challenges and possibilities of voice security. To date, the writer said, recordings of a person’s voice could beat the system and a person’s voice could change dramatically enough due to illness so that such an approach isn’t a good candidate for security.
The post says that a researcher at the University of Colorado at Colorado Springs is working on a system that would alleviate these problems. It’s rather complex, but seems to at least offer the potential of making voice a viable biometric security tool.
Despite its difficulty in gaining traction, people intuitively put a lot of faith in biometrics, probably because it is so high tech. It is, however, important to remember that nothing is foolproof. It is safe to assume that a security approach either can be defeated now or will be in the near future. Assuming that any approach is unbreakable is foolish.
For instance, PoliceOne writer Tim Dees offers a well-explained post on a problem being encountered by fingerprint-based biometric security. Essentially, biometrics holds passwords in a password manager within the operating system. Once the biometric test is passed, the password is freed for use. Dees reports on new approaches to bypassing the biometric device and tapping into the password manager, which he says are poorly scrambled and not encrypted.
Biometric security seems a lot of things: geeky, futuristic, sexy, creepy and, potentially, extremely sensible. As technology evolves and the tools get more sophisticated, it seems likely that biometrics will become even more mainstream than it is today.