BSIA Briefing

Posted On 15 Dec 2017
Comment: Off

Alongside incredible advancements in medicine and science, innovative methods of accessing systems using the human body have led to an explosion in biometric security solutions. Here, James Kelly discusses the current biometrics market and some future trends worth keeping an eye on for today’s practising security management professionals.

Biometrics is the technical term for body measurements and calculations and refers to metrics related to human characteristics. Biometric authentication, which is sometimes referred to as ‘realistic authentication’, is used in computer science as a form of identification and access control. It’s also employed to identify individuals in groups that are under surveillance.

Biometric identifiers are distinctive and measurable characteristics used to describe individuals. They’re often categorised as physiological versus behavioural characteristics. The former are related to the shape of the body, with examples including (but not limited to) fingerprints, palm veins, facial recognition, DNA, palm prints, hand geometry and iris recognition.

Behavioural characteristics are related to the pattern of behaviour of a person, including (but not limited to) their walking gait and voice. Indeed, some researchers have coined the term ‘behaviour metrics’ to describe this particular class of biometrics.

More traditional means of access control include token-based identification systems, such as a driver’s license or passport, and knowledge-based identification systems (such as a password or PIN). Since biometric identifiers are unique to individuals, they’re viewed as being far more reliable when it comes to verifying identity than token and knowledge-based methods. However, there has been much debate over the years about the fact that the collection of biometric identifiers raises privacy concerns around the ultimate use of gathered information.

What is biometric security?

Essentially, all biometric systems work by unobtrusively matching patterns of live individuals’ data in real-time against enrolled records. Data is initially read with an ‘enrolment’ reader and then ‘encoded’ into a template which is usually stored in an access control database or on a smart card for use at some later juncture.

The encoding process ensures that the data cannot be reproduced from the template, but only compared against a recent read sample for a pass or fail result.

Biometrics have been recorded and used within society since the late 19th Century, with fingerprint identification being used by police agencies around the world to identify both suspected criminals as well as the victims of crime. Since then, and as mentioned, approaches have extended to the iris, face, hand geometry and, more recently, the heart.

In an era where personal information leaks from major organisations now appear to be increasingly common, security has had to evolve far beyond traditional physical locks and keys. Scientists and engineers have developed innovative ways of using unique identifiers within the human body to create access control systems that are ‘un-hackable’ to even the most tech-savvy of criminals.

Just this year, researchers at the University of Buffalo in New York announced that they’ve developed a security method that uses the measurements of an individual’s heart to identify and authenticate a user. This futuristic-sounding method makes use of low-level Doppler radar to determine the heart’s dimensions. With the initial scan taking roughly eight seconds, the system can then continuously monitor the heart of the user to make sure another user hasn’t stepped in to work on the machine.

Beyond making it much easier to log in and log out, this method makes it incredibly difficult – if not actually impossible – for criminals or imposters to infiltrate a system as every user’s heart dimensions are different and certainly unique to them.

Fingerprint technology

Fingerprint technology has also developed in recent years in order to thwart criminals from counteracting security regimes by taking impressions of fingerprints. With fake finger tips capable of mimicking human skin available to criminals, advances in optical sensor implementation have now made it possible for fingerprint readers to look beyond the surface of the print to the subcutaneous layers of the skin (such as the capillaries underneath) which would not be as easily replicated.

Iris recognition is another area of biometrics that has raised the bar when it comes to accuracy. In comparison with fingerprint-based systems, when they were first introduced, iris systems were producing hundreds or potentially thousands of fewer false acceptances. These systems take an image of a person’s iris and apply pattern recognition algorithms. The next time the iris is presented to the recognition reader, a comparison can then be made with the stored pattern.

Iris systems tend to be seen most regularly in airports, but with the introduction of biometric passports they’re now becoming less common. However, due to their abilities they do have a place in specialist high security applications.

Like iris systems, facial recognition technology has been widely available in recent years. Apple has made use of the technology in the creation of its new Face ID feature available on the iPhone X which is due to be released this month. According to Apple, the new system is 20 times more secure than Touch ID, the fingerprint-based system previously included on the company’s products.

With Face ID, Apple has implemented a secondary system that exclusively looks out for attempts to fool the technology. Both the authentication and spoofing defence are based on machine learning, but while the former is trained to identify individuals from their faces, the latter is used to look for signs of cheating.

According to Apple: “An additional neural network that’s trained to spot and resist spoofing defends against attempts to unlock your phone with photos or masks.” If a completely perfect mask is made which fools the identification neural network, the defensive system will still notice – as, indeed, would a human. All that said, Apple’s Face ID is not without its restrictions. The Cupertino, California-based company has reported that it’s not suitable for users under the age of 13 or those with identical twins.

Advantages of biometrics

Biometric technology can be extremely advantageous in terms of playing a fundamental role in an extensive security strategy. In regards to access control, the technology is attractive to users for a number of reasons, primarily because information cannot be passed along to another person in the same way that an access card or PIN might be. This can also be useful in terms of Human Resources management, reducing identification fraud among employees during ‘clocking-in’.

The technology can help to eliminate security threats that may arise when cards or PINs are either lost or borrowed, not to mention the cost savings made by removing the management of lost, stolen or forgotten access cards.

This is not to say that biometric technology doesn’t have its disadvantages, with readers sometimes taking slightly longer to identify users than card-based systems, particularly as users usually have to stop and properly identify themselves to biometric readers.

Not everyone can use biometric systems, either. Such solutions rarely suit an external or exposed location and, in extreme cases, fingerprint readers can fail to identify those users with damaged, dirty or worn fingerprints.

Additionally, it’s important to note that the correct management of biometric systems is critical in ensuring that any data protection concerns are always alleviated.

As mentioned, biometrics based on brain (electroencephalogram) and heart (electrocardiogram) signals have emerged. A research group at the University of Kent led by Ramaswamy Palaniappan has shown that people have certain distinct brain and heart patterns specific to each individual.

The advantage of such ‘futuristic’ technology is that it’s more fraud resistant than conventional biometrics. However, this technology is generally more cumbersome and still has noted issues (such as lower accuracy and poor reproducibility over time).

This new generation of biometric systems has been dubbed ‘the biometrics of intent’. The technology will analyse physiological features such as eye movement, body temperature or breathing and predict dangerous behaviour or hostile intent before it translates into action.

James Kelly is CEO of the British Security Industry Association

*For more information on biometric technology, take a look at the BSIA’s ‘Access Control: Biometrics User Guide’ which provides an invaluable overview of the main types of biometrics, system architectures and the advantages and disadvantages of today’s systems as well as the factors to be considered when choosing the right solution. Download the BSIA’s Guide at: www.bsia.co.uk/ web_images//publications/ 181_Access control_ biometrics_user_ guide.pdf

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.