Referencing your Q&A from May 4: how has the biometrics market been affected by the events of Sept. 11? Will we see a market leader soon?
No. Biometrics is a broad term that covers a broad range of technologies. While they are all related in that they try to match a human being with one they've seen before, there is no synergy between them. Asking which will be the market leader is like asking if the next generation of cell phones will displace HDTV.
There are a number of broad forms of biometrics, including fingerprint scanners, voiceprint matching, hand-geometry scanners, facial-geometry scanners, iris scanners and retinal scanners.
Since Sept. 11, there has been a lot of discussion of applications for biometrics, everything from ID cards with biometric data in them to biometric scanning of crowds to look for known bad guys.
There are a lot of places where biometrics are good to use and places where they are not good. They're marvelous things to use when used properly, but when used improperly, they're worse than useless. Unfortunately, the most obvious uses that we think of are the ones that are the least useful. This was true before Sept. 11 and is just as true now. Here are some reasons why:
Biometrics are always inexact. Most authentication systems are exact. If it's something you have, like a key, you either have it or you don't. If it's something you know, like a password, you either know it or you don't. But with a biometric, it's always a guess, a probability. That probability is actually a pair of probabilities: the probability of a false positive (someone else who appears to be you) and that of a false negative (failing to identify you as you). All systems have to balance these, and because of this, biometrics tend to have a strength of around .9999, that is, they give the right answer 99.99% of the time. Thus, they're about as good as a 4-digit PIN.
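The false-positive/false-negative balance above is easiest to see by sweeping a decision threshold over matcher scores. The following is an added example, not code from the column: it uses constructed, deterministic score lists (no real sensor data) and a simple "accept if score is at or above the threshold" rule to compute the false accept rate (FAR, the false positive) and false reject rate (FRR, the false negative), find the threshold where the two are balanced, and express a given FAR as the number of PIN digits with the same per-attempt guess chance. The score values and the threshold-sweep helper are assumptions made for illustration.

```python
import math

# Constructed matcher scores (not real sensor data): a score near 1.0 means the
# presented sample looks like the enrolled one. "Genuine" scores come from the
# right person, "impostor" scores from someone else. Real systems always have
# some overlap between the two populations; that overlap is the inexactness.
GENUINE_SCORES = [0.95, 0.91, 0.88, 0.84, 0.80, 0.76, 0.72, 0.65, 0.60, 0.55]
IMPOSTOR_SCORES = [0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50, 0.58, 0.62, 0.70]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) for an accept-if-score>=threshold decision rule.

    FAR (false accept rate, the false positive): fraction of impostor attempts
    scoring at or above the threshold that are wrongly accepted.
    FRR (false reject rate, the false negative): fraction of genuine attempts
    scoring below the threshold that are wrongly rejected.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def equal_error_point(genuine, impostor):
    """Try every observed score as a candidate threshold and return the one
    where FAR and FRR are closest, as (threshold, far, frr).

    This is the balance point the text refers to. A deployment may still move
    off it on purpose: a very low FAR for a vault door, a low FRR for a
    convenience login where a rejected legitimate user is the bigger cost.
    """
    candidates = sorted(set(genuine) | set(impostor))
    best = None
    for t in candidates:
        far, frr = far_frr(genuine, impostor, t)
        key = (abs(far - frr), t)  # tie-break on the lower threshold
        if best is None or key < best[0]:
            best = (key, t, far, frr)
    _, t, far, frr = best
    return t, far, frr


def equivalent_pin_digits(far):
    """Number of random PIN digits with the same per-attempt success chance as
    a given FAR: a FAR of 0.0001 is one success in 10,000 tries, the same as
    guessing a 4-digit PIN."""
    return math.log10(1.0 / far)


if __name__ == "__main__":
    for t in (0.50, 0.62, 0.75):
        far, frr = far_frr(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("equal error point:", equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR 0.0001 is as strong as a PIN of",
          equivalent_pin_digits(0.0001), "digits")
```

Raising the threshold trades impostor accepts for genuine rejects and vice versa; no threshold makes both zero while the score populations overlap, which is why a biometric decision is always a probability rather than a yes/no like a key or password.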
Some people don't have the biometric. No matter which one you pick, about 1% to 2% of the population will fall outside of your model. Often, it's for obvious reasons -- you'll find a lot of blind people who will fall outside of a model that uses retinal scans. But all biometrics also have people who are just anomalous. There are people who for whatever reason just don't give good hits on fingerprint scanners, for example. Your system must account for this if it is going to be mass deployed in polite society. It's reasonable to assume that airline pilots have irises. It's not reasonable to assume that people with ATM cards do.
Biometrics are very susceptible to replay attacks. If an attacker can devise a replay, you're sunk. This is a consequence of the fact that they are inexact, but it's important to state. An example of this was in a relatively recent James Bond movie where 007 takes his magic cell phone and scans a fingerprint off of a water glass, then projects it onto a fingerprint-protected safe. Glib, but it makes the point. If I'm a hacker who stole fingerprint data along with credit card numbers, I can send the fingerprint data along with the credit card number. Biometric designers spend a lot of effort trying to avoid replays, but if biometric devices become widespread, researchers will come up with ways to do replay attacks.
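One of the standard defences the text alludes to ("designers spend a lot of effort trying to avoid replays") is to refuse any biometric message that is not tied to a fresh, single-use challenge from the verifier. The example below is added here and is not code from the column or from any product: it models a trusted sensor that MACs each capture together with a verifier-issued nonce, and a verifier that accepts a message only if its nonce is outstanding and unused. The templates are constructed 64-bit strings (not real fingerprint data), the match rule is a Hamming-distance threshold, and the shared device key, class names and message layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed templates (not real fingerprint data): 64-bit feature strings.
# The live capture differs from the enrolled one in two bits, as a re-scan of
# the same finger would; the impostor template differs in every bit.
ENROLLED_TEMPLATE = bytes([0x0F] * 8)
LIVE_TEMPLATE = bytes([0x0E, 0x0F, 0x0F, 0x8F, 0x0F, 0x0F, 0x0F, 0x0F])
IMPOSTOR_TEMPLATE = bytes([0xF0] * 8)
MATCH_THRESHOLD_BITS = 4  # inexact match: up to this many differing bits

# Hypothetical per-sensor key provisioned at manufacture; the verifier holds a
# copy. A real deployment would keep it in the sensor's protected storage.
DEVICE_KEY = b"example-sensor-key-not-for-real-use"


def hamming_distance(a: bytes, b: bytes) -> int:
    """Bit-level distance between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must be the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def template_matches(enrolled: bytes, presented: bytes) -> bool:
    """Accept if few enough bits differ; biometrics never match exactly."""
    return hamming_distance(enrolled, presented) <= MATCH_THRESHOLD_BITS


def mac_capture(key: bytes, nonce: bytes, template: bytes) -> bytes:
    """MAC binding this template to this nonce; the verifier recomputes it."""
    return hmac.new(key, nonce + template, hashlib.sha256).digest()


class Sensor:
    """Trusted capture device: only signs what it has just read."""

    def __init__(self, key: bytes):
        self._key = key

    def capture(self, live_template: bytes, nonce: bytes) -> dict:
        return {
            "template": live_template,
            "nonce": nonce,
            "mac": mac_capture(self._key, nonce, live_template),
        }


class Verifier:
    """Server side: issues single-use nonces and checks captures against them."""

    def __init__(self, key: bytes, enrolled: bytes):
        self._key = key
        self._enrolled = enrolled
        self._outstanding = set()

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, msg: dict) -> bool:
        nonce = msg["nonce"]
        # Unknown or already-consumed nonce: a replayed or forged message.
        if nonce not in self._outstanding:
            return False
        # Single use: consumed even if the rest of the check fails.
        self._outstanding.discard(nonce)
        expected = mac_capture(self._key, nonce, msg["template"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False
        return template_matches(self._enrolled, msg["template"])


def run_scenario() -> dict:
    """A fresh capture, the same message sent again, and an impostor capture."""
    verifier = Verifier(DEVICE_KEY, ENROLLED_TEMPLATE)
    sensor = Sensor(DEVICE_KEY)

    msg = sensor.capture(LIVE_TEMPLATE, verifier.issue_challenge())
    fresh = verifier.verify(msg)
    replayed = verifier.verify(msg)  # identical bytes a second time

    impostor = verifier.verify(
        sensor.capture(IMPOSTOR_TEMPLATE, verifier.issue_challenge()))
    return {"fresh": fresh, "replay": replayed, "impostor": impostor}


if __name__ == "__main__":
    print(run_scenario())  # {'fresh': True, 'replay': False, 'impostor': False}
```

The nonce only establishes that a message is fresh; it says nothing about whether a real finger was on the sensor, and it does nothing for the next point in the text, a stolen template database, because the template itself still travels and is still stored. Freshness at the protocol layer and liveness at the sensor are separate problems and need separate controls.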
If a problem occurs, it's very hard to revoke a biometric. If someone steals your thumbprint, how do you get a new thumb? "Use the other one" may not be an acceptable answer because your woodworking hobby leaves you with unreadable prints on one hand. Consequently, you must work very, very hard in a biometric system not to let the biometric data escape, because an escape may be fatal to your system. If a hacker steals 300,000 credit cards and 300,000 fingerprints, this would be the end of a fingerprint-backed fraud prevention system.
This was first published in December 2001.