Just how reliable are biometrics?

DARPA-funded study raises concerns

Biometrics may not be as accurate or scalable as is commonly thought, according to a new study from the National Research Council.

The report, published as a book by the National Academies Press, is available free online. The authors make two main points, according to the book's summary: "First, biometric recognition systems are incredibly complex, and need to be addressed as such. Second, biometric recognition is an inherently probabilistic endeavor. Consequently, even when the technology and the system in which it is embedded are behaving as designed, there is inevitable uncertainty and risk of error."

The Council's biometrics committee produced the report. The named authors are Joseph Pato, chairman of the committee and distinguished technologist at Hewlett-Packard's HP Laboratories, Palo Alto, Calif.; and Lynette Millett, study director. The Defense Advanced Research Projects Agency, the Central Intelligence Agency, and the Homeland Security department funded the study, with assistance from the National Science Foundation.

The report is already provoking reaction among biometrics champions.

"The report is out of date and misleading at best," said Michael DePasquale, CEO of BIO-key International, in a report published in NetworkWorld. "The fact that it relies on data gathered over five years ago does a disservice to the industry, and to those individuals who have been pushing technological advancements since 2004. Over the last six years, the technology has made significant contributions to not only our national security but also to protecting access to a wide variety of commercial applications including smart phones, laptops, offices, homes, commercial networks, point-of-sale terminals and medical storage cabinets."

The report's authors are skeptical of the reliance security policies can place on biometrics, writing at one point: "A biometric match represents not certain recognition but a probability of correct recognition, while a non-match represents a probability, rather than definite conclusion that an individual is not known to the system." 

Others say the report adds weight to the arguments of skeptics of the technologies. "Although the results have created a stir in the security world, the report was produced as a scholarly overview of the science behind biometrics," wrote Eric Doyle on the U.K. website ITPro.co.uk. "Its conclusion [is] that no single biometric trait has been identified as stable or distinctive has placed doubt about the reliability of fingerprint, iris patterns, voice recognition and facial recognition systems."

The British government recently halted a project to introduce "second-generation" passports that would have included fingerprints, Doyle reported. The cited reason was cost-cutting, he wrote, "but now the report would support an argument that it represented a bad return on investment."

The probabilistic nature of the technology means that there's still a need for human judgment, wrote Andrew Nusca on the blog SmartPlanet.

"Take a system in which a true breach of security is rare — say, the average white collar office," Nusca wrote. "Despite having accurate sensors and matching capabilities, the system can still have a high rate of false alarms. That means the operators of the system begin to put less stock in the system’s alarms, thus weakening security and putting it at risk when a real threat comes along."
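The effect Nusca describes is a base-rate problem: when impostors are rare, most alarms come from genuine users the matcher failed to recognize. The following Python sketch is an added illustration, not taken from the article or the NRC report; it assumes a door-access system where a non-match raises an alarm, and every rate in it is a constructed sample value.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Matcher:
    fmr: float   # false match rate: an impostor is wrongly accepted
    fnmr: float  # false non-match rate: a genuine user is wrongly rejected


def alarm_precision(m: Matcher, impostor_rate: float) -> float:
    """Probability that a non-match alarm was caused by a real impostor."""
    true_alarms = impostor_rate * (1 - m.fmr)
    false_alarms = (1 - impostor_rate) * m.fnmr
    return true_alarms / (true_alarms + false_alarms)


def daily_alarms(m: Matcher, impostor_rate: float, attempts: int):
    """Expected (true, false) alarm counts for a day's access attempts."""
    true_alarms = attempts * impostor_rate * (1 - m.fmr)
    false_alarms = attempts * (1 - impostor_rate) * m.fnmr
    return true_alarms, false_alarms


def max_fnmr_for_precision(m: Matcher, impostor_rate: float, target: float) -> float:
    """Largest FNMR at which at least `target` of all alarms are real."""
    true_alarms = impostor_rate * (1 - m.fmr)
    return true_alarms * (1 - target) / (target * (1 - impostor_rate))


if __name__ == "__main__":
    # Constructed values: a matcher that is right 99% of the time or better,
    # in an office where 1 access attempt in 10,000 is an impostor.
    office = Matcher(fmr=0.001, fnmr=0.01)
    rate = 1e-4
    real, false = daily_alarms(office, rate, attempts=10_000)
    print(f"alarms per day: {real:.2f} real, {false:.2f} false")
    print(f"share of alarms that are real: {alarm_precision(office, rate):.2%}")
    needed = max_fnmr_for_precision(office, rate, target=0.5)
    print(f"FNMR needed for half of alarms to be real: {needed:.6f}")
```

With these sample numbers roughly one alarm in a hundred is real, which is the condition under which operators learn to discount alarms.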

In addition, biometrics based on physical characteristics that change with age, such as facial features or voice, have to be updated regularly or else the risk of false positives rises. And bear in mind, Nusca warned, that other people can see your face and hear your voice -- providing some potential for counterfeiting.

"In other words: there are too many variables to accurately calibrate a biometric system, so it’s not wise to put faith in them to securely lock down valuable facilities or information," Nusca wrote. "Moreover, a person’s biometric traits are public — hardly secure enough to be a primary security system."

About the Author

Technology journalist Michael Hardy is a former FCW editor.

Reader Comments

Thu, Oct 14, 2010

These people obviously don't know what they are talking about. I am assuming then that, if I somehow have a smart card, that means I am really who I claim to be? Or if I know a password, then my true identity can be guaranteed? Biometrics is the only thing that can truly identify a person.

Thu, Sep 30, 2010

Funny you should mention HP in this article... I have an HP laptop with one of those fingerprint scanners on it. The software for the scanner was NFG so I removed it and don't even bother with it.
