Biometrics: Reliable, Quick and Efficient — but Not Foolproof

The growing popularity of biometric technology has the attention of those looking for another layer of security, but as with anything else, there are implications to consider.

by / August 5, 2016
Mission Impossible I (1996)

In 1996, moviegoers watched as Ethan Hunt peeled off a lifelike mask and slinked through U.S. Embassy security and facial recognition systems in Mission Impossible I. As one of those moviegoers, I absolutely lost my mind. Nothing was safe from someone who could steal your face and wear it around. Nothing.

At the time, biometric security measures looked so far away, seemingly relegated to government agencies like the CIA, classified military facilities and spy films. But today we live in a world that very much relies on our fingerprints, faces, voices and other markers to verify that we are who we say we are.

Apple iPhone users clamored to upload their own fingerprints into their new devices when the biometric security feature was added, and just this week, Samsung announced the Galaxy Note7 that effectively scans your iris to verify your identity. 

For governments, fingerprints and photographs are some of things collected for a new driver or security clearance.

But all of this information being collected forces you to consider, what about those Ethan Hunt/James Bond-types clever enough to steal passwords you can never change? What happens when someone steals your biometric data and tricks a machine into believing they are you?

Believe it or not, it has already happened; a dead man’s phone was unlocked using a fingerprint reprinted in a lab. It took some doing, but Michigan State University’s biometrics expert Dr. Anil Jain and his team made it happen.

Video courtesy of the Michigan State University

Jain was recently approached by detectives, who asked him to unlock a murder victim’s phone for potential evidence with only the victim’s full set of prints, he did.

When you ask him what he thinks the larger implications of biometrics are, he will tell you that as security measures go, biometrics offer something PIN codes and passwords can’t. A thumbprint or an iris scan are not only harder to fake, they're impossible to guess — but they still aren’t perfect.

“Credential-based systems, ID card, passwords, PIN numbers, they all sort of have their own weaknesses, right? Documents can be forged; documents can be stolen. Passwords and PINs, even though they are supposed to be random characters, people, if they want to remember it, [make them a] relatively simple combination of characters.,” he told Government Technology. “That’s why for higher security, we have started adopting biometrics. And there are some places where biometrics are the only way to find a solution.”

In high-security areas, border crossings and even at the Department of Motor Vehicles, biometrics, like facial recognition, offer a reliable way to identify people quickly and efficiently. 

While he advocates that the technology is a great way to improve security or identify individuals, whether on a cellphone or some other system, he acknowledges that these biometric systems can be tricked. 

The best way to ensure any security barrier is to couple it with other ID verification methods.

“So, basically, the idea is that, yes, biometric systems can be spoofed, and that is true with any security system, right?” Jain said. “Now passports have a security chip in them, the dollar bills that we use are more difficult to forge, but that doesn’t mean it has fixed everything.”

As for whether he is concerned about the data being stolen and used inappropriately, he said there are really two kinds of thefts in this space. 

“There are two types of attacks which are possible in a biometric security system; one we already talked about, the most publicized one, namely fake biometrics offensive. And the second attack is the biometric data is stolen from a database,” he said. “If you cannot safeguard the data, then that’s a problem.”

In New York, the DMV relies on facial recognition, not for access to a certain location or system, but rather to ensure that people are who they claim to be. Social Security numbers and fingerprints are one thing, but more than 15 million photos on file offer a fast, efficient means of cutting down on multiple identities, fraud and other criminal activities.

Owen McShane is an investigator for the department and said the facial recognition program, which has been active since 2010, has been an effective tool in stopping illegal activity. 

“[The program] is identifying a lot of the people you would not want driving behind you,” he said.

Since the beginning, McShane said they have identified more than 15,000 people with more than one identity — 50 percent were trying to circumvent driving restrictions and suspended licenses, 30 percent were avoiding other issues like warrants and child support, and the remaining 20 percent were facing suspended or revoked licenses under all of their aliases.

“Over the years, we’ve tried different mechanisms. We validate the Social Security numbers for everyone who applies for a license,” McShane said. “When we first started doing that, we found a lot of people who were using the same numbers or committing fraud with the numbers. In terms of biometrics, facial recognition is the easiest. It doesn’t require any special processing.”

Other identification practices like iris scans and fingerprinting required additional processing, but photos allow an applicant to be processed against the millions of existing records fairly quickly. Just this year, the program boosted the recognition parameters from 64 points of recognition to 128.

And when it comes to locking down the database, McShane said the files are closely monitored and access is limited. Investigators are granted deeper access than other DMV employees, and a trail of access is available should questions arise about who or why a certain file was accessed.

Eyragon Eidam Web Editor

Eyragon Eidam is the Web editor for Government Technology magazine, after previously serving as  assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at eeidam@erepublic.com.