Thursday, November 09, 2006

The purpose of Biometrics

Many people wonder exactly why the biometric element of current ID cards is so important, as I see it the purpose of the biometric element of id card is as follows. If anyone wants to challenge anything I've written, stick in a comment and I'll edit as appropriate.

PIN style Validation
When you use you bank card, the card holds the details of who you are, you confirm who you are by using a PIN. Someone could potentially make a copy of your bank card, but without the PIN they can't get at your money. With a biometric ID card, your fingerprint is the pin, so you make the confirmation with a fingerprint swipe.

The benefit of this is that a fingerprint swipe (or iris scan) is very hard to fake, far harder than a PIN.

Detection of Multiple Identities
Currently, proving your identity is a case of digging out household bills, tennancy agreements, passports etc. The problem with this is that some documents can be quite easily faked, with the right combination of documents it is not particularly difficult to obtain more than one driving licence, or passport. More thorough checks can be performed, but often, there is simply not the capacity available to perform such checks.

Biometric data is recorded to a common standard. This means that unlike a photo, where you can change your hairstyle, grow a beard or use a little subtle makeup a biometric image is very hard to change. This means that that checks can be put in place to prevent people from registering twice.


Jeremy Wickins said...

I'm researching the risk of biometrics leading to more social exclusion at the University of Sheffield, so I have some knowledge of the points you raise.

Firstly, an iris or fingerprint is actually not that hard to fake. as security guru Bruce Schneier has famously said "Biometrics are not secrets". Fingerprints can be lifted very easily from any surface, including a credit/debit card. A piece of sellotape can lift a fingerprint sufficiently to fool a fingerprint scanner. Iris scans can equally be spoofed, but it requires a reasonably high-res picture to do so.

On the second point, one of the problems with facial biometrics is exactly that they are so sensitive to changes that the human eye would not be fooled by. In the only large scale test of biometrics in the UK, a woman brushed back her hair from her face between enrolling the facial biometric and verifying it - the system did not recognise her. Hats, beards and spectacles also baffled the system, and we should all become familiar soon with the fact that any facial expression other than the bland one required will result in a refusal of recognition. At the very least these things are denying us the humanity of self-expression.

Citizen Andreas said...

Hi Jeremy, thanks for your contribution. This post is intended as an "In an ideal world" post, as an explantion of how I would understand it to work. I do not want to address your concerns in the post itself for fear of causing bloat.

I'm intending to answer your concerns where I can in a future post when I have a little more time on my hands.

Anonymous said...

jeremy wickens: Fingerprints can be lifted, but to fool a fingerprint scanner outside a laboratory the criminal would have to make a false fingerprint to stick on his finger. I don't know for sure, but I guess it is easy to check someone's fingers for a false one.

Tesco are trialling payment by fingerprint.

Bruce Schneier, like other so called security experts, is ignoring the administrative procedures that exist in any system. The technology is only one component of any security system.

The main component is to assume that the technology can be breached in some way and devise measures to combat the result. PINs are one example. Mothers' maiden names are another.

Anonymous said...

jeremy wickens: Have you tried lifting a fingerprint from any surface? The police don't find it that easy.

And when you do, how do you know who's fingerprints you have lifted? The police don't, unless they put it through the fingerprint matcher.

My advice is, don't be dazzled by technology.