next Contents previous
Next: Is the card redundant? Up: Contents Previous: The cost of security

Is Biometrics a silver bullet?

The British and other Governments have put a lot of faith in Biometric systems as being the sure-fire method of verifying identity, a silver bullet to slay the monster that is fake identities and the people that use them.

Biometric systems work by taking a picture of a characteristic such as iris or fingerprint and then converting the image into a digital form known as a template. When a person needs to have their identity verified, another image is taken and processed into a form that allows comparison with the template. It is thought that each individual has unique characteristics that can be used to distinguish him or her from other individuals.

But in practice are biometric technologies up to the task required of them. In February 2003 the National Physical Laboratory performed a biometrics feasibility study on behalf of the Home Office, DVLA and the UK Passport Service.

They studied the feasibility of the use of recognition systems for face, iris and fingerprint on the scale needed to cover the population of the UK. No biometric system is perfect and a balance needs to be found between false matches and false non-matches.

A false match is where the biometric template of an individual is matched to that of a different individual i.e. Vera Duckworth of Manchester is falsely recognized as Pauline Fowler of London.

A false non-match is where an individual is scanned and are not matched to their own biometric template i.e. the system has failed to recognize them.

The results of the study were:

• Iris recognition can achieve a false match rate of better than 1 in a million with a false non-match rate of below 1 in 100.

• Against a single finger, some fingerprint systems are able to achieve a false match rate of 1 in 100, 000 with a false non-match rate of approximately 1 in 100.

• Face recognition has worse figures than either of these and is judged as unfeasible to be used.

One of the purposes of the National Identity Register is to prevent multiple applications by a single individual, but the rates of false matches and non-matches makes this problematic. A person who is falsely matched to another's template already in the Register will be refused the ID card they are entitled to and someone that is falsely non-matched will be able to obtain a second ID card that they are not entitled to.

The solution to this is to improve the error rates by requiring multiple biometric templates per individual i.e. iris scans of both eyes or fingerprints of more than one finger.

Another physical problem associated with biometrics is that some people simply lack the necessary body part for the scan. Many people lack fingers due to either birth defect or accident and others lack fingerprints due to manual labour that has worn the prints away. Some of the population have irises that are unsuitable for a biometric scan due to accident or illness and in the case of the inherited condition aniridia 1 in 70 000 people are born without an iris.

As well as the problems outlined above there may be individuals who will intentionally attempt to make the system fail and create a false identity. The term for this is spoofing; an individual may either attempt to spoof the registration system or the identity verification system.

Commercial fingerprint scanners have been proved to authenticate a fake fingerprint made from gelatine. Tsutomu Matsumoto, a Japanese lecturer at Yokohama National University along with his students were able to create a mould of a live finger and then fill the mould with gelatine to create a fake finger that was able to fool fingerprint detectors about 80% of the time. He was able to take a fingerprint left on a piece of glass and then enhance and photograph it with a digital camera and computer. He then etched the fingerprint onto a copper printed-circuit board to create a three-dimensional mould into which gelatine was poured to produce the fake finger. There has not been a similar experiment to try to fool a system based upon iris scans but that does not mean that it won't be possible.

Another probable attack on the system would be on the data created by a registration in storage in the computer database. Someone with access to the database whether they are authorised or not will have the capability to make alterations to the template stored in the database or search for another individual with a similar biometric template in order to steal their identity.

The worse thing about biometrics is the faith in its infallibility, your biometric template is merely a fancy password and it's one that can never be revoked. The proposed system treats the biometric template as the core of your identity with all the other information about you such as your name and address of secondary importance. If the details of your biometrics can be stolen and accurately faked then your whole identity can be stolen.


next Contents previous
Next: Is the card redundant? Up: Contents Previous: The cost of security

Creative Commons License This work is licensed under a Creative Commons License.