After we recently discussed password security in our short series “Authenticate, authenticate and authorize,” today everything revolves around biometric data. The use of biometric features to identify and verify people has increased significantly in recent years – every modern smartphone, notebook, and other device has at least one process based on biometric data. Today’s post will look at what is meant by the term “biometrics,” which biometric methods exist, and which risks users can face.
Biometric Data – What’s Behind It?
When we talk about biometric data, we are talking about biological or physical characteristics used to identify people. The most well-known forms include fingerprints, face recognition, and retina scans. What sets biometric procedures apart is the uniqueness of these characteristics: even twins have relatively individual and unchangeable characteristics. So it makes sense to use these features in addition to password systems or even to replace them. The aim of using biometric data is, therefore, either to determine a person's identity (identification) or to confirm a specified identity (verification).
Biometric data is so unique that it can even be used as a security feature in identification documents. While the USA uses electronic passports with a chip on which fingerprints, irises, or a photo of the face are stored, fingerprints in passports and ID cards have been mandatory in Germany since August 2021.
A Brief History Of Biometrics
Biometrics is by no means a modern invention. In fact, in 14th century China, fingerprints are said to have been used to confirm the identity of merchants. Law enforcement has been using biometric data since the late 19th century. It is said that the Argentine police used fingerprints to solve a murder for the first time in 1892. Scotland Yard began using fingerprints for law enforcement in 1901. In 1905, biometric data were said to have been admissible as evidence in criminal proceedings for the first time.
Today a distinction is made between biometric processes and biometric systems: Biometric systems are combined hardware and software structures with which biometric identification or verification is possible. These systems work using biometric methods, which rely on unique features that can only be assigned to one person. Biometric systems aim to use automated measurements of specific features to distinguish one person from another.
Advantages And Disadvantages Of Biometrics
Authentication based on biometric features is practical – however, data protection advocates fear that privacy will be undermined: It would be too easy to collect personal data without the consent of users. Face recognition, for example, is in use in many large cities all over the world, at train stations, on trains, at airports, and so on.
All the data that comes together here must also be stored somewhere. This increases concerns about constant monitoring but also about data misuse. Databases with very personal information – biometric data – could become targets of hackers. Fingerprints, iris scans, and other biometric data could be misused for identity theft.
The risk with biometric databases is similar to that with password databases: If hackers break into the system, they can steal data that has not been adequately secured. However, while passwords can be changed to prevent cybercriminals from entering, biometric data cannot – they always stay the same.
Despite these dangers, biometrics offers effective solutions because the systems are difficult to copy. Biometric data are an excellent addition to password-based login. The danger lies less with biometrics itself than with the central storage of biometric data. Decentralized and encrypted storage under the sole control of the user is therefore preferable to central storage.
Biometric methods are divided into physiological and behavioral characteristics. Specifically:
Biometric Processes On A Physiological Basis
- Fingerprint: The fingerprint scanner is familiar to all users of modern smartphones and notebooks. The type of fingerprint recording differs: optical, capacitive, thermal, or direct optical sensors are just as possible as ultrasonic sensors, which are currently being tested. Regardless of the sensors used, a grayscale image of the finger is created, namely the fingerprint. The image is further processed by reducing the image noise, detecting features, and applying other image-optimizing methods. Various methods can then extract characteristic features.
- Voice recognition: Speech or voice recognition is about non-visual properties. The vocal cords, mouth, lips, and nose are responsible for creating a specific voice. The sound vibrations in the voice are measured in this biometric process and compared with existing patterns. People to be identified usually use certain recognition words or phrases. The method has weak points; in particular, interference and background noise are problematic.
- Iris and retina: The iris or retina of the eye are further possible biometric data. They are considered to be the most precise biometric solution, and they can also be captured without contact. This option is also regarded as accurate because copying retinal patterns is much more time-consuming than copying fingerprints. The iris is the most complex biometric characteristic in humans. Sitting as a ring-shaped muscle in the anterior chamber behind the transparent cornea, the iris is ideally protected from external influences. The iris does not change in the course of a person’s life, it has hundreds of measurable variables, and the iris scan is one of the fastest processes, with neither glasses nor contact lenses being an obstacle. Because of these properties, the iris scan is the method of choice in prison surveillance. But the iris scan is also increasingly replacing or supplementing the password for online applications.
- Face recognition: Face recognition systems are particularly popular as access control for employees in sensitive company areas. A high-resolution camera scans a person’s face. Image processing and image analysis methods are used to compare characteristic facial features with corresponding reference features. Elastic-Graph-Matching is often used as a method: a grid is placed over the face, and its nodes are adapted to the contours of the face. For facial recognition, features are used that do not constantly change due to facial expressions; for example, the focus is on the top of the eye sockets, the sides of the mouth, or the areas around the cheekbones.
- Palm vein pattern: With palm vein detection, the vein pattern of the hand is recorded and, again, compared with a reference pattern. The veins on the palm can be used for this, as can the veins on the back of the hand or the finger veins. The practical thing about the hand vein scan is that the vein pattern is complex, and unnoticed spying is almost impossible. The positions of the veins do not change throughout a person’s life, so palm vein recognition offers a very high level of security – similar to iris recognition.
Behavior-based methods are at least as diverse as physiological characteristics. They are based on the users becoming active. Behavioral biometric solutions usually work together with artificial intelligence (AI) and evaluate how users interact with their devices: With what pressure do users touch their device’s screen? How do they hold their device during interactions? What is the frequency with which users type or swipe on the screen? How do users connect with their environment? Since specific behavior can be expected, the question is: is the behavior of users consistent with their previous behavior?
With AI on board, interactions, times, and patterns can be recognized and evaluated. Further data such as the IP address, the geographical location, or the transaction history of the device used are used to estimate the probability. Hundreds of data points around interactions are analyzed to determine deviations from the expected behavior. If deviations are then detected – for example, that the typing frequency is too fast or the pressure is too high – the systems sound the alarm.
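The deviation check described above can be sketched as follows. This is an added example, not code from the original article or from any product: it builds a per-user baseline from enrollment sessions and flags features that stray too far from it. The feature names, the sample values, and the threshold of three standard deviations are assumptions chosen for illustration.

```python
from statistics import mean, stdev

# Constructed enrollment sessions for one user (hypothetical values):
# average time between keystrokes in ms and normalized touch pressure (0..1).
ENROLLMENT = [
    {"key_interval_ms": 182, "touch_pressure": 0.41},
    {"key_interval_ms": 175, "touch_pressure": 0.44},
    {"key_interval_ms": 190, "touch_pressure": 0.39},
    {"key_interval_ms": 186, "touch_pressure": 0.42},
    {"key_interval_ms": 178, "touch_pressure": 0.40},
    {"key_interval_ms": 181, "touch_pressure": 0.43},
]
THRESHOLD = 3.0  # assumed: flag anything beyond 3 standard deviations


def build_baseline(sessions):
    """Return {feature: (mean, standard deviation)} over the enrollment data."""
    baseline = {}
    for feature in sessions[0]:
        values = [s[feature] for s in sessions]
        baseline[feature] = (mean(values), stdev(values))
    return baseline


def deviations(baseline, session, threshold=THRESHOLD):
    """Return {feature: z-score} for every feature outside the expected range."""
    flagged = {}
    for feature, (mu, sigma) in baseline.items():
        if feature not in session:
            flagged[feature] = None  # a missing measurement is itself a deviation
            continue
        diff = session[feature] - mu
        if sigma > 0:
            z = diff / sigma
        else:  # no variation seen during enrollment: any change is a deviation
            z = 0.0 if diff == 0 else float("inf") * (1 if diff > 0 else -1)
        if abs(z) > threshold:
            flagged[feature] = round(z, 1)
    return flagged


def assess(baseline, session):
    """Sound the alarm if at least one feature deviates from the baseline."""
    return "alarm" if deviations(baseline, session) else "ok"


BASELINE = build_baseline(ENROLLMENT)
```

A negative z-score for `key_interval_ms` means shorter gaps between keystrokes, i.e. typing that is faster than the user's baseline.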
Biometrics: Risks And Data Protection
Unfortunately, the advantages of using biometric data also come with certain risks. For biometric data to be used sensibly and securely, their use must be planned accordingly. One of the risks – as mentioned above – is storing biometric data centrally. Incorrectly secured central databases with biometric data are an attractive target for hackers. But caution is also required with decentralized storage: If biometric data is stored on an insecure device, this device, including the biometric data, can also become a target of attack.
If biometric data is to be used, it makes sense to use only compressed mathematical files, i.e., templates. These templates, for which Lower Saxony’s data protection officer also campaigns, are intended to avoid the excessive information contained in raw biometric data and thus data misuse.
The knowledge of those affected is also essential: if they do not know that biometric evaluation programs are in use, the risk of movement and behavior profiles being created increases.
Biometrics As A Supplement To Password Procedures
Biometric processes have long since crept into our everyday lives: The smartphone is unlocked with a fingerprint. Access to certain areas at work is only available to authorized persons who can identify themselves with an iris or face scan. Due to their uniqueness, biometric data are the ideal complement to password-supported login procedures; in some cases, these classic login procedures are even being entirely replaced by biometric data.
But there are also dangers: Databases in which biometric data is inadequately secured become the target of hackers. While passwords can be reset, neither the iris nor the fingerprint can be, so users face a real challenge once their data is compromised. However, with decentralized approaches, secured end devices, and other protective measures, biometric data are an excellent addition to conventional methods.