The truth about biometrics

For a few weeks in 1998, Will McMeechan, lead business developer at Nationwide, sat in a small shed next to an experimental ATM belonging to ‘the world’s largest building society’. The shed had been the capture point for the iris patterns of 1,400 customers, who had agreed to participate in a pilot project designed to see if they prefer signing into the ATM by peering into the screen or punching in their PIN. But having logged all of those irises, McMeechan had some time on his hands and embarked on an extra test.

He started timing how long it took PIN users to go from card insertion to transaction initiation and compared that to the same process via iris recognition. PIN customers averaged 14 seconds; iris customers 28 seconds.

The pilot was a resounding success, with a user satisfaction rating of 94%. “People loved it, they loved to use it,” says McMeechan. But there was another telling number. Along with questions about what they thought of the system and whether they would recommend it to friends and family, the users were asked which approach was faster. Surprisingly, three-quarters said the iris-based system.

“Because we gave them convenience – all they had to do was stand there looking at the camera – the perception was it was quicker, even though it actually took them twice as long,” says McMeechan. “Biometrics can be an extraordinarily user-friendly technology depending on how you apply it.”

The customers may have loved it, but like the thousands of companies that have piloted but never committed to biometric technologies, Nationwide decided that customer satisfaction was not enough.

Generally held misconceptions about biometrics, often reinforced by media reports, have undermined the confidence of many senior managers (especially in the UK and much of the rest of Europe) in the acceptance of biometric technology as a key security mechanism. While often convinced that the technology is mature enough, that it works within acceptable error ranges and that it is actually beneficial to both the business and the user, they have steered clear of embracing biometric technologies out of fear of how those ‘perceptions’ will impact user acceptance.

Related: Are biometrics scalable?

But there is plenty of evidence that the tide is turning for biometrics: public awareness of the weaknesses of passwords and PINs has convinced many users of online commerce that there must be a better way of ensuring their identity is verifiable and protected. Macro-events – terrorism and economic immigration, in particular – have had a equally profound effect, with national and regional governments mandating biometric identification at many levels.

For business, the evidence that biometrics is at a ‘tipping point’ has come with the increasingly successful deployment of different biometric technologies in unquestionably enterprise-scale applications – from national roll-outs down to implementations involving hundreds of users.

Biometrics in action

Many of these deployments and planned implementations are being inspired by the broad application of biometric technologies outside of Europe.

At a state level, Hong Kong has spent the last three years introducing smartcards that carry the thumbprint of their owner; in the Philippines, citizens already prove their eligibility for social security via a biometric card; Saudi Arabia uses biometrics for immigration control; the US federal authorities have been capturing the digital fingerprints of visa applicants and non-resident visitors for over two years and, from October 2006, all visitors to the US from the 27 visa waiver programme countries will need to arrive in the US with biometric chips in their passport.

There is also major adoption in commercial settings – and in financial services in particular. Columbia’s Bancafe Bank has been using fingerprint scanning technology across its network of ATMs since 2004, and several Japanese banks are using either finger-vein or palm-vein geometry to verify customers’ identity at ATMs. (The fine skin on many Japanese finger tips makes fingerprint biometrics impractical.)“Biometrics is a mature technology that is already being used in mass deployments worldwide,” says McMeechan. “It is still an emerging technology in Europe, but if you look at the rest of the world, they are up and running with it. And some of the issues being talked about in the UK, that question whether we’ll ever be able to roll out 60 million cards across the country, just fade into insignificance when you look at some of the stuff that is already underway. In short, the biometrics shift has happened; the problems have been cracked.”

Despite resistance, some of those patterns of adoption are now very clear in Europe. Aside from the continent-wide introduction of biometric passports over 2005-6, legislation coming into force next year will oblige all non-EU residents to carry a biometric ID card. The UK’s much-debated National ID Card scheme may represent the country's biggest push towards biometric identity but it is also likely to widen the acceptance of biometric applications elsewhere – whether customers realise they are participating in biometric security or not.

“Biometrics is still an emerging technology in Europe. If you look at the rest of the world, they are up and running with it.”

Will McMeechan, Nationwide

Although it backed away from its iris-scanning ATMs, for example, Nationwide has not lost sight of the potential of biometrics and is rolling out electronic digital signature verification across the complete branch network of 880 outlets.

There are plenty of other examples throughout the UK, especially involving fingerprints – from age verification and check-out at Mid-Counties Co-ops to single sign-on by 800 staff using the IT systems at Tayside Fire and Rescue.

One of the reasons for the surge in confidence has been the increasing number of trials that have turned into full roll-outs, demonstrating the critical success factors for biometric projects.

Few projects have had as much attention as the frequent flier programme at Amsterdam’s Schiphol Airport. Its Privium programme fast-tracks members through special automated gates by the use of a smart cards containing an iris scan and personal data, checked against the passenger’s eye to verify their identity.

Since completing a pilot in 2001, Privium has been opened up to any European Union citizen who uses Schiphol. To date, 32,000 people have enrolled and had their iris scanned in specially designed booths, encouraged by both a quicker route through the airport and by parking allocations close to the terminal. Why the privilege? According to Tim Best, a business consultant with LogicaCMG’s e-Identity division, which was the systems integrator on the project, although they represent only 1% of people who pass through the airport, such frequent flyers account for 10% of the airport’s income in terms of landing fees.

Rather than queuing at a manned desk, a Privium member inserts their card to open a first turnstile, before their iris is checked against stored data. Passport details are simultaneously checked against the systems of the Dutch border police. The process takes less than 12 seconds.

Iris recognition is particularly suited to the application, says Best. The system only needs to get a clear picture of 23% of someone’s iris to recognise them, he says.

Look who's calling

Iris, signature and fingerprint/vein technologies are now widely accepted as mature and proven technologies by those in IT who have examined them. Other biometrics – including facial and gait – are at various stages of refinement. But one area that has shown obvious application potential and which has several clear advantages over other biometrics is voice recognition.

A significant drawback of most biometrics is that they require specialised client-side measuring equipment such as fingerprint readers, iris scanners, cameras with specialist lighting, and so on. On the other hand, obtaining a voiceprint of someone is low-cost, is not intrusive and can be carried out via the simplest and ubiquitous of interfaces: the phone. With that in mind, BT is planning shortly to offer a service called URU Plus that allows users – banks, retailers and others with largescale call centre operations – to employ automated speaker verification.

Mark Pawlewski, technical group leader at the BT Security Research Centre describes the system : “URU Plus is a text-dependent system intended for unsupervised verification applications where a human agent is not involved with the call.” The system, which is based on technology sourced from Tel Aviv-based speaker verification specialist Persay, initially asks the customer to record a set of phrases. Then, on subsequent calls, it prompts them to repeat one of those phrases. By changing the selection regularly, impostors are blocked from using a surreptitious recording of the genuine user’s voice taken when they are having a non-specific conversation and then played down the phone.

“Why voice biometrics? Because it can effectively be rolled out to 60 million people with the only interface being the phone.”

Mark Pawlewski, BT

So a customer calling up their bank for a balance enquiry would no longer have to punch in their date of birth, a letter from their password or their mother’s maiden name; they would just have to speak a selected ‘phrase of the day’.

“Why has BT gone with voice biometrics? Because it can effectively be rolled out to 60 million people with the only interface the mobile phone,” says Pawlewski.

There are issues of robustness – when someone has a cold, is calling from a crowded room or is using a poor connection – but BT believes it can build in tolerances into the system and its processes to deal with those.

“We are speaking to potential customers about using the system at the moment,” says Pawlewski. Aside from financial services companies, the online gambling industry is showing considerable interest in URU Plus, seeing it as a means of blocking underage gamblers. URU Plus is being offered as a service, with BT holding all customer’s voiceprints centrally.

The company has already been trialling the system in-house, with several thousand employees using it to gain access to the company’s intranet. It is also looking at other roll-outs of voice verifications. Dutch bank ABN Amro announced in July that it would be using technology from the UK’s Voicevault to verify the identities of its Netherlands-based customers via voice.

BT is also investigating the prospect of using voice verification in interactive call centres where an agent might ask a set of common questions once and then draw on these stored voiceprints in subsequent phone calls.

Applications like this will build acceptance of biometrics in the mass market, turning the number of people with a biometric imprint (of some kind or other) in the UK from tens of thousands to millions. Indeed, some analysts are predicting that within a year or two, the number of people with a biometric profile will outnumber those without one, with security and convenience factors swaying mass adoption.

That just leaves the James Bond factor. “The technical issues are pretty much solved; the soft issues are only just being started to be cracked,” says McMeechan. “The public perception of biometrics is still built around James Bond.” But as biometrics become more mainstream that will change, with the Bond script writers realising there is no high-tech kudos left in biometrics.

Myths and misconceptions

Biometrics have been a staple of fantasy and science fiction for many years: from James Bond being given false fingerprints so he can access villains’ strongholds, through to Tom Cruise in Minority Report being followed everywhere by iris-tracking mini-bots.

The mainstream press have further fuelled those fantasies with stories of how fingerprint systems can be compromised by a false finger made from gelatine or by the use of fingers cut from dead (or, indeed, living) bodies.

The biometrics sector has played its part, often portraying a particular technology as a panacea for security issues – only for the shortcomings of those products to be exposed.

Others, mainly for political reasons, have portrayed the technology as flawed, insecure, and expensive.

Whatever the source, the myths still persist:

Biometrics are not scalable – Biometrics is no different from any other assistive technology: it depends how the system is built, says Will McMeechan, lead business developer at Nationwide. “If you integrate it fully into a system, it is as scalable as PIN or passwords.”

Users hate biometrics – “All the systems I have worked on have received a hugely positive user satisfaction rating,” says McMeechan. “ If you give people convenience, they have no problem with biometrics.”

Biometrics are intrusive – especially iris recognition. “The last thing is that it is intrusive,” says McMeechan. “You only have to stand there; it’s not shooting laser beams at you or anything, it is merely taking a photograph of your eye.”

Biometric images can be copied – A biometric is a digital representation of the feature it is measuring; it is not the actual feature. So any agency taking your fingerprints, for example, does not keep a copy of those images. Modern algorithms make it impossible to reverse engineer that data back into a fingerprint.

Biometrics data can be replayed – allowing for impersonation. In the case of a finger or voiceprint, the digital representation is compared to a stored one and accepted based on how close it is to pre-set parameters. But it is also compared to a set of previous prints to see if it is the same. If it is, it is rejected because fingerprints are created dynamically and no two can ever be the same.

Dead and artificial fingers fool fingerprint readers – Modern fingerprint readers check for ‘liveness’ by examining the resistance of the finger.

Related Topics