Biometric technologies seem like an ideal security solution, but a new report raises worrisome questions.
Biometrics may not be as accurate of scalable as is commonly thought, according to a new study from the National Research Council.
The report, published as a book by the National Academies Press, is available free online. The authors make two main points, according to the book's summary: "First, biometric recognition systems are incredibly complex, and need to be addressed as such. Second, biometric recognition is an inherently probabilistic endeavor. Consequently, even when the technology and the system in which it is embedded are behaving as designed, there is inevitable uncertainty and risk of error."
The Council's biometrics committee produced the report. The named authors are Joseph Pato, chairman of the committee and distinguished technologist at Hewlett-Packard's HP Laboratories, Palo Alto, Calif.; and Lynette Millett, study director. The Defense Advanced Research Projects Agency, the Central Intelligence Agency, and the Homeland Security department funded the study, with assistance from the National Science Foundation.
The report is already provoking reaction among biometrics champions.
"The report is out of date and misleading at best," said Michael DePasquale, CEO of BIO-key International, in a report published in NetworkWorld. "The fact that it relies on data gathered over five years ago does a disservice to the industry, and to those individuals who have been pushing technological advancements since 2004. Over the last six years, the technology has made significant contributions to not only our national security but also to protecting access to a wide variety of commercial applications including smart phones, laptops, offices, homes, commercial networks, point-of-sale terminals and medical storage cabinets."
The report's authors are skeptical of the reliance security policies can place on biometrics, writing at one point: "A biometric match represents not certain recognition but a probability of correct recognition, while a non-match represents a probability, rather than definite conclusion that an individual is not known to the system."
Others say the report adds weight to the arguments of skeptics of the technologies. "Although the results have created a stir in the security world, the report was produced as a scholarly overview of the science behind biometrics," wrote Eric Doyle on the U.K. website ITPro.co.uk. "Its conclusion [is] that no single biometric trait has been identified as stable or distinctive has placed doubt about the reliability of fingerprint, iris patterns, voice recognition and facial recognition systems."
The British government, which recently halted a project to introduce "second-generation" passports that would have included fingerprints, Doyle reported. The cited reason was cost-cutting, he wrote, "but now the report would support an argument that it represented a bad return on investment."
The probabilistic nature of the technology means that there's still a need for human judgment, wrote Andrew Nusca on the blog SmartPlanet.
"Take a system in which a true breach of security is rare — say, the average white collar office," Nusca wrote. "Despite having accurate sensors and matching capabilities, the system can still have a high rate of false alarms. That means the operators of the system begin to put less stock in the system’s alarms, thus weakening security and putting it at risk when a real threat comes along."
In addition, biometrics based on physical characteristics that change with age, such as facial features or voice, have to be updated regularly or else the risk of false positives rises. And bear in mind, Nusca warned, that other people can see your face and hear your voice -- providing some potential for counterfeiting.
"In other words: there are too many variables to accurately calibrate a biometric system, so it’s not wise to put faith in them to securely lock down valuable facilities or information," Nusca wrote. "Moreover, a person’s biometric traits are public — hardly secure enough to be a primary security system."
NEXT STORY: Microsoft releases patch for ASP.NET flaw