
We all use faces to recognise people, but can facial recognition technology really help in the security sector? The future of biometric screening is not all fingers and thumbs…
We are all familiar with biometrics. The word combines bio (biological/life) and metrics (measure), and you would be hard pushed to find a movie of the last ten years that did not have some form of retinal scan or breath analyser as part of an in-depth security system. But how realistic is this? After all, the biometric industry has been saying that this is the year of biometrics for at least five years running.
However, if you spend some time with a biometrics expert who knows what he/she is talking about, you realise that the biometrics message has been rather distorted by exaggerated claims from early developers.
You can indeed use a retinal scan as proof of identity and sophisticated methods such as otoacoustics (where a sonar ‘ping’ gives an image of the inner ear) do exist, but in reality these systems are used to add an extra layer of security to existing systems rather than acting as the sole form of control as often depicted on the big screen.
What’s more, developments such as “liveness” testing, where the scanning technology needs to see a vein or thermal pattern in the area under scrutiny before identification can be confirmed, prevent a body part removed from its rightful owner from passing the scan. Another biometrics movie myth is shattered.
In order to find out exactly what biometrics can and cannot do in the modern security sector, Risk UK spoke to David McIntosh, Chief Executive Officer of facial recognition developers OmniPerception, who revealed that the main reason for using biometrics is the growing concern for our protection and concerns over personal security theft and fraud.
“Identity theft is the biggest growing crime in the West at the moment,” says David. “So there are very real reasons why individual citizens need to have their identity protected better. Furthermore, coupled with this need for security is a demand for speed, convenience and privacy.”
Practice has taught us that a successful security solution has to be not only socially and politically acceptable but also very convenient, very easy to use, very fast and very cheap, while remaining highly secure. Following the events of 9/11 and 7/7 we are all willing to undergo extra security checks at airports because we are fully aware of the consequences of inefficient screening; however, there is a point where our tolerance begins to wane with the time it takes to pass a check, so security needs to be fast and easy.
Today there is a real need for better ID security. Many of us have experienced some form of identity fraud/theft, and businesses need to ensure that their security checks can lessen the chances of any criminal behaviour. According to David McIntosh, there are three levels of security that can achieve this.
“The first level of security is what have you got in your hand? In other words do you hold a passport, ID card, etc. This means that the possession of the card is a basic level of security, despite the fact that this ID could have been lost, stolen or reproduced. In order to make this a more secure confirmation of identity you add a second layer of security, usually what do you know? This is often a PIN number, password, mother’s maiden name etc. Again this information could be stolen (passwords are very vulnerable and quite often forgettable and tend to get written down, weakening security even more). The third level of ID confirmation is the most secure, who are you? This is your DNA, fingerprint - essentially biometrics.”
When you consider that the DVLA apparently has 20 million faces (photos) in its database but has no idea how many duplicates it has (indications are that there is probably a very large number) you can see how the first level of security is not very secure at all - possession of a card really doesn’t mean much these days. This is especially prevalent in the US where professional truckers are thought to have on average 15 licences each!
Logical access control with biometrics is also becoming increasingly important as there are more mobile applications and more “cardholder not present” transactions taking place every day. So even when a person has ID and knows the correct PIN number, biometric confirmation in these areas is necessary to prevent widespread fraud.
There are more types of biometric screening than you would think. Common methods include facial recognition, fingerprinting, voice recognition (for remote telephony), DNA sampling (which is very complicated and time consuming), blood sampling (with a detailed blood sample analysis, you get a very good identity profile), iris/retinal scanning and hand geometry (not very good for applications where personnel are required to wear gloves).
Whilst fingerprinting is the most established of biometric technologies (primarily due to the vast databases already established), it does have some negative points when compared to facial recognition systems, as David McIntosh explains.
“Facial recognition is the most socially acceptable biometric test because it is highly intuitive and non-invasive so a reading can be taken in almost any situation and the person under scrutiny does not have to remove any clothing, put anything down or touch anything. You can also combine facial recognition systems with skin characteristics (a fingerprint of your face) for very good results.”
There are two reasons why facial recognition is preferred by the public: its operational and psychological benefits. The psychological side is very important because it is inoffensive and familiar; nobody can say “what are you looking at my face for?” Operationally, face recognition works at a distance; you cannot wave your finger at a camera and take the image for fingerprinting. Facial systems use standard infrastructure, i.e. existing CCTV cameras and web cameras, so costs are often much lower. For example, a web camera would cost around $100 while an iris scanner would be at least $5,000.
Other identifying characteristics that can be used for security screening include gait (useful for remote CCTV applications), facial thermography (the temperature patterning of faces), finger vein recognition and even the aforementioned otoacoustic emission.
According to David McIntosh, “Biometrics closes the security loop. In other words, if somebody claims to be a particular person, and they know the things that that person knows, biometrics can confirm if they really are that person. Furthermore, in application, facial recognition has proven to speed up security checks. We have worked with the Chinese authorities in a system where they plan to use facial recognition to get the vast bulk of people through security checks and only when a rejection occurs will fingerprint assessment take place. This means that the majority of people can pass through a checkpoint without being held up as the system is only looking for a handful of people and also there is less physical contact which is particularly important in an area of the world that experienced SARS and bird flu.”
In spite of all the success of facial recognition technology, David McIntosh is keen to point out that biometrics is not a cure-all. It provides greatly enhanced security if it is part of an overall solution that is well thought through.
“The biometrics industry is plagued with people who have promised the earth but failed to deliver,” he says. “And there are a number of reasons why people are still not using biometrics, especially as the most well known forms used are fingerprinting and DNA matching. These are both associated with criminality, so if you are asked to present a fingerprint ID in order to make a retail purchase, it doesn’t feel right for the average consumer.”
Giving a fingerprint can be thought of as being rather invasive and certainly has an accusatory element to it; however, if somebody says to you, “Can I take your photograph?” most people strike a pose.
“When I came to this industry as a relative newcomer, I was struck by the level of cynicism that surrounded the technology,” reveals David. “But now that convenient, effective facial recognition systems are coming on to the market, and people are beginning to understand how to integrate them into their overall set up, it is starting to mature and I think that you will see in the next 2-3 years a lot more of these systems are being used.”
This fits with the door-to-desktop ideal, where one level of security is needed to get through the door (to let you into the building), a further check is needed to access your computer, and another, more complex layer is needed to enter a vault/safe.
“It is important to stress that what we are trying to do is improve security,” says David. “We are not trying to make a 100% perfect stand-alone system, we are trying to develop a system that works in tandem with other security checks and eliminates the vast majority of people from further checking. Where security conflicts with convenience, convenience always wins. This is why you find fire doors propped open with fire extinguishers and fire exits blocked with boxes. With face recognition you can make security and convenience fit together, but it is not designed to be used on its own.”
This reconfirms the “levels” of security ideal mentioned earlier. If you present a card that holds your personal data on it, then biometrics can confirm that you are that person. This is known as a one-to-one match rather than a one-to-many (1 to n) check, and is particularly useful in applications such as on a building site. If you are a bricklayer, your fingerprints are probably going to be unusable, so a facial recognition booth can recognise the workers and can be used for clocking in and time and attendance. This prevents people claiming bogus overtime and clocking other people in. Few people realise that thousands of construction workers clock in for work every day in Britain with facial recognition systems of this kind.
Despite the problems surrounding the early technologies and the failure to live up to expectations, it seems that biometrics really has turned a corner. By providing the third “level” of security as explained, biometrics has shown its value, and experts such as David McIntosh expect to see a rise in the deployment of the technology in line with the growth of identity-related crime and international terrorism.
“One of the reasons why biometrics will be used more in the future is that the Department for Transport is heading up a large programme that will lead to it becoming compulsory for staff-side access to airports to include biometrics,” he says. “The biggest problem airports have is impersonation of staff and people going airside when they shouldn’t and while the security gates for travellers are intense, for the staff the levels of security have not been so high. By combining a card and facial ID, airports can be sure of allowing access to the right people in the right place.”
With such widespread use of biometrics in the pipeline and the ever-widening of our borders and sophistication of identity theft, biometrics in tandem with established security systems is going to become more commonplace than Hollywood could ever have dreamed.