Written by [Dave Birch] I was tangentially involved in discussion about biometrics while working on a technology roadmap for one of our clients in the financial services sector. I was arguing my usual point, which is that mass market biometrics are about convenience, they are not a security play. In passing the issue of biometric accuracy was raised, and a useful discussion ensued. I. I'd like to amplify a point that was made in passing and introduce some data points.
The Unique Identification Authority of India (UIDAI) has successfuly conducted a proof of concept iris authentication study in the Mysore district of Karnataka, achieving accuracy levels of above 99.2 per cent, an official press release said here today.
[From UIDAI’s iris authentication proof of concept study successful | NetIndian]
At population scale, 99.2% is not very good. If you had a 99.2% effective contraceptive, the average woman using it would get pregnant every year. In closed environments, matching an iris against a token-based template as a PIN or password replacement is plausible but population-scale iris matching against a database for identification requires more thought. In the UK, the government shut down the IRIS system for border control back in 2012 in favour of e-passport scanning. Of course, iris isn't the only biometric that might be used in the future.
A new lab is working to perfect special shoe insoles that can help monitor access to high-security areas, like nuclear power plants or special military bases. The concept is based on research that shows each person has unique feet, and ways of walking.
[From Shoe ID Lab Developing Biometric Shoe To Identify Individuals Based On How They Walk]
Yep. Feet. If I want to log in to your Facebook using this technology, I'll have to walk a mile in your shoes, so to speak. But gait is not the only lower-limb biometric on the horizon.
A new study involving magnetic resonance imaging suggests that MRI knee scans could be used as an almost foolproof form of identification. For the study, Dr. Lior Shamir, an associate professor at Lawrence Technological University in Southfield, Mich., analyzed knee scans of 2,686 people. He found that the scans accurately identified about 93 percent of the test subjects.
[From Knee Scan Identification: MRIs May Be Better Way To ID Travelers, Study Suggests]
In my books, 93% identification accuracy isn't "almost foolproof", it's "almost useless". Imagine the diligent anti-terrorist super-team at Heathrow Terminal 5 are on the lookout for the noted terrorist Dave the Jackal, who is known to be travelling incognito in a Facebook-blue burkha. Armed with an MRI scan of his knees, obtained by waterboarding a Cairo chiropractor, they set the scanners loose on a Monday morning. Now, Heathrow Terminal 5 carries about 65,000 passengers per day. The scanner will, broadly speaking, correctly identify 60,000 of them as not being the Jackal and send 5,000 of them for detailed investigation as potential Jackals. Say a few hundred an hour. What's the point of this?
Is this just another example of typical media innumeracy? I think not. I think it represents an underlying belief that we will be moving to biometric identification. There's a faith in biometrics, a belief that at some point in the future the biometric technologies will be so advanced that their identification will, indeed, be foolproof. The curve of technology might be taking us in that direction, but we're a long way off it just yet. This is why biometric authentication against a secure token makes for better strategy in our space. Biometrics as a PIN replacement, not biometrics as a card replacement. Or, indeed, biometrics as a phone replacement.
I’m glad you are being consulted about biometric data, Dave, but I don’t like your answers? When am I to be consulted about who holds my biometric data, and what they do with it?
Biometrics are also useful to avoid identification; in most countries a grey beard is enough to indicate being old enough to buy beer.