New Technology Observations from a UK perspective (ntouk)
1 September 2006
In the run-up to Biometrics 2006 I thought it would be useful to provide a brief summary of some of the main areas where biometric technology is making inroads - and to attempt to provide some clarity on the issues being raised by this area of technology.
I'm taking part in a panel discussion at the Biometrics show - "Tomorrow’s biometric agenda: technologies, applications and standards" - as well as providing the closing keynote, on the topic of "Microsoft and biometrics: the past, the present and the future". I'm intending to discuss the conjunction of technology and policy - since biometrics, perhaps more than any other area, are both highly topical and highly sensitive as an issue.
Our next operating system, Windows Vista, will incorporate a new way of supporting third-party credential providers (such as biometric devices). This will give biometric vendors a neater way of integrating into the platform than has been the case with the existing model (the GINA, for those of you who have ever stuck your head under the bonnet). Vendors have long successfully integrated with our highly extensible platform in any case - from discussions with Dept of Homeland Security officials at American airports, I gather the US-Visit programme (with its fingerprint and facial scanning) is running on existing versions of Windows. That is just one example of the many projects that have integrated other credential factors into our platform - from smartcards to biometric readers.
I've highlighted some of the potential issues that need to be aired and more widely discussed in my recent illustrative fiction ("enabling guilty men to go free?"), which has had a healthy airing on the blogosphere and discussion forums. My good friend Martin Adams also pointed me to a vintage Philip K Dick story, "The Unreconstructed M", which is worth a read - and raises some of the same issues. Incredible foresight for someone writing back in the 1950s.
Anyway, at core the technology of biometrics is all about formalising the ability to determine identity based on biological traits - and it can include the likes of behavioural biometrics (aspects of our identity that can be influenced by other factors, including for example our signature or the way we walk). The acquisition of biometrics can be intrusive or non-intrusive depending on the specific biometric technology used.
One of the major problems remains the potential for identity spoofing - so there's an increasing focus on issues such as "liveness testing" (i.e. that it's really a live, human finger on the reader and not the infamous Gummi Bear) and how to resolve issues around attended versus unattended use.
Some of the most commonly mentioned and used biometrics include fingerprints, eye (particularly the iris), face and voice. Beyond that is a wide range of others, from slightly less common to simply, hmm, "exotic". So the range runs from methods such as signature verification, hand (geometry and full handprint) and face (thermography) to gait, brain waves (aka NWAI to its friends - Neural Wave Analysis Interface), smell and, of course, DNA. Whilst basic fingerprint readers are now largely a low-cost, commodity item (and built into many devices, including keyboards and PDAs), the more "exotic" methods above remain expensive and specialised in their application at present - although it is likely any technology will ultimately follow the same commoditisation curve over time.
Fingerprints are currently one of the most widespread biometrics in use even though they have reliability issues (particularly on a large scale), such as unacceptable false negatives due to issues such as dirty readers, high humidity and ethnicity, and false positives - again from the likes of dirty readers and threshold settings. Typical attack vectors include duplicated or captured fingerprints - one of the reasons why there is growing concern about the number of organisations already capturing and storing, or intending to capture and store, our biometrics. Other attacks can arise from issues such as the latent image left on a reader and duplicate replay.
In fact, for any biometric technology, there are similar issues of false positives and negatives, complications around where to set the threshold, questions about scale (just how will such technologies cope when scaled up to hundreds of millions of users?) and issues of attacks and compromises that need to be studied, defined and understood as with any systematic risk management modelling.
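The threshold and scale trade-off described above, as an added example that is not part of the original post. The match scores are constructed, the matcher is hypothetical, and the 1:N figure assumes every comparison is independent.

```python
# Constructed similarity scores (0..1) from a hypothetical matcher; not real data.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.62, 0.85, 0.73, 0.90, 0.58, 0.87]
IMPOSTOR = [0.12, 0.30, 0.45, 0.22, 0.61, 0.18, 0.52, 0.35, 0.09, 0.66]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a score >= threshold is accepted.

    FAR = share of impostor attempts accepted (false positives).
    FRR = share of genuine attempts rejected (false negatives).
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds):
    """Tabulate (threshold, FAR, FRR): raising one error rate lowers the other."""
    return [(t, *rates(t)) for t in thresholds]


def p_any_false_match(far, enrolled):
    """Chance that searching one sample against `enrolled` templates (1:N)
    produces at least one false match, assuming independent comparisons."""
    return 1.0 - (1.0 - far) ** enrolled


if __name__ == "__main__":
    for t, far, frr in sweep([0.5, 0.6, 0.7, 0.8]):
        print(f"threshold {t:.1f}: FAR {far:.0%}  FRR {frr:.0%}")
    # A per-comparison FAR that looks negligible stops being so at scale.
    for n in (1_000, 1_000_000, 100_000_000):
        print(f"N={n:>11,}: P(false match) = {p_any_false_match(1e-6, n):.4f}")
```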
I use fingerprint readers at home both for access to my office and on one of my PCs - where they are a great convenience and work reasonably well (if occasionally taking a few times to succeed). However, I don't like the way in which they merge authentication and identification into a single process, unlocking the PC for example just with a fingerprint without any other form of credential. This would certainly not be a sustainable model in an environment where proper security was required.
There's an interesting debate and illustration of complications in the successful use of biometrics and other devices on Kim Cameron's identityblog - recently including a debate on the new security "puffer" being used at some airports and how it could be compromised (using a very easy denial of service attack for example). As an aid to a human at a border crossing, I can see that biometrics can provide useful additional information to help verify that the individual standing in front of them is at least the same one that the relevant travel documents were issued to. But I think we need to be careful about any idea of unattended use, least of all where identification and authentication could be merged.
One of the core principles of computer-based security is the separation of identification from authentication. After all, if you merge the two, what happens when your biometrics are compromised? By keeping these aspects separate, it remains possible to issue different credentials to be used alongside our biometrics. Stronger systems ideally adhere to the established three-factor principle: something you know (such as a PIN), something you have (such as a smart card) and something you are (which is, of course, where biometrics typically come in).
Multi-factor systems provide stronger solutions. Each additional factor increases the difficulty for an attacker, particularly if they don't know which of the factors failed (a system should ask for all factors and, when it fails because one of them is not correct, fail without saying why). But if a lot of people start storing one of these proof items (such as our biometrics) it will undermine the foundation of strong security: after all, you wouldn't expect lots of people to start demanding and storing our PINs, would you? Why then store something which is even more critical, such as our biometrics - since at least PINs and smartcards can be re-issued and replaced when they fall into the wrong hands. And important security elements typically remain under our control (rather than that of third parties) to ensure their integrity and security - any proposals to change this security model need to be properly understood and analysed.
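One way to implement the "ask for all factors, fail without saying why" rule with identification kept separate from authentication, as an added example that is not code from the original post. The user record, card serials, PIN values, the 0.80 threshold and the `match_score` supplied by a matcher are all assumptions made for illustration.

```python
import hashlib
import hmac
from typing import NamedTuple

THRESHOLD = 0.80            # assumed operating point of a hypothetical matcher
DENIED = "Access denied"    # the only failure text a caller ever sees


def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def make_record(pin: str, salt: bytes, card: str) -> dict:
    return {"salt": salt, "pin": pin_hash(pin, salt), "card": card}


# Constructed enrolment data, keyed by the claimed identity.
USERS = {"alice": make_record("4821", b"constructed-salt", "CARD-0001")}
# Unknown identities are checked against a dummy record so they do the same work.
DUMMY = make_record("0000", b"dummy-salt", "CARD-NONE")


class Result(NamedTuple):
    ok: bool
    message: str    # shown to the person at the reader
    audit: tuple    # names of failed checks, for the server-side log only


def authenticate(claimed_id: str, pin: str, card: str, match_score: float) -> Result:
    """claimed_id identifies; PIN, card and biometric score authenticate."""
    record = USERS.get(claimed_id, DUMMY)
    checks = {
        "identity": claimed_id in USERS,
        "know": hmac.compare_digest(pin_hash(pin, record["salt"]), record["pin"]),
        "have": hmac.compare_digest(card.encode(), record["card"].encode()),
        "are": match_score >= THRESHOLD,
    }   # every check is evaluated before any decision is made
    failed = tuple(name for name, passed in checks.items() if not passed)
    return Result(not failed, "Access granted" if not failed else DENIED, failed)


def reissue(claimed_id: str, new_pin: str, new_salt: bytes, new_card: str) -> None:
    """Replace the revocable factors after a compromise; the biometric stays as it is."""
    USERS[claimed_id] = make_record(new_pin, new_salt, new_card)
```

The `audit` field is what lets operators investigate failures without the reader ever revealing which factor was wrong.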
The policies and standards that need to be adopted around the use, acquisition, storage and access of biometrics are one of the most pressing areas for scientific, informed research at present. Alongside the debate about the maturity and value of the different biometric technologies, we must consider the standards or protocols that should apply. So, for example, should fingerprint systems always be restricted to capturing no more than our two index finger prints? At least then, any compromise would be contained. How do the "laws of identity" apply? And how might we, as a company, take on board such protocols in the way we think about best technological design and engineering practice - baking them in for example into our Trustworthy Computing principles?
But this is not just a debate for the technology industry to have alone - it's one that must involve a broad spectrum of society. And identity is not a topic that exists in isolation - much of the time the value of proof of identity comes from then being able to associate related information with that individual. That in turn raises issues about how such related personal information can also be appropriately partitioned to protect it from a complete compromise too.
There remains much work yet to be done. I'm hoping that Biometrics 2006 will be a good opportunity for discussion and elaboration of many of these topics at both the technology and policy level. But we will need to continue the dialogue long beyond the end of the conference.