Nasir Memon, Computer Science and Engineering NYU Tandon School of Engineering
The use of biometric data – an individual’s measurable physical and behavioral characteristics – isn’t new. Government and law enforcement agencies have long used it. The FBI has been building a biometric recognition database; the Department of Homeland Security is sharing its iris and facial recognition of foreigners with the FBI. But the use of biometric data by consumer goods manufacturers for authentication purposes has skyrocketed in recent years. For example, Apple’s iPhone allows users to scan their fingerprints to unlock the device, secure mobile bill records and authenticate payments. Lenovo and Dell leverage fingerprints to enable users to sign onto their computers with a swipe.
Using biometric data to access our personal devices is increasing as a way to get around the limitations of the commonly used password based mechanism: it’s easier, more convenient and (theoretically) more secure. But biometric data can also be stolen and used in malicious ways. Capturing fingerprints at scale isn’t as easy as lifting a credit card or Social Security number, but experience and history tells us that once something is used extensively, criminals will figure out how to misuse and monetize it.
In addition, with the uptick in data breaches (Yahoo being the most recent example) we’ve demonstrated we can’t keep secrets or properly protect identities. As more companies use biometric authentication, we must be concerned about how our biometric data is secured: currently there is no restriction on what biometric information companies can share, and with whom. This is why we need better solutions – we must develop techniques and protocols based on cryptography and signal processing that would protect biometric data and yet allow authentication. We need mechanisms that provide a user some control on when and how their biometric data are being used.
To ensure we’re staying on top and ahead of threats to our personal information, we must better understand the dangers associated with the use of biometric authentication (and the role signal processing can play in alleviating them), and the concerns that come to light with technological advances.
The Dangers of Frequent Biometric Authentication
Why is biometric authentication an important issue now more than ever? Companies are increasingly using different means to identify people, and assess their buying decisions and how they live their lives. By simply uploading your picture to Facebook, or using your thumb to unlock your smartphone, it is you may be giving away critical data without realizing where the information is going and what it’s being used for. It’s feasible to envision a society in which we’re all identified, all the time and wherever we go. This is dangerous because it can lead to illegal spying from government and law enforcement agencies. To address these concerns, mechanisms must be put in place to permit people to keep some level of anonymity. We need new approaches and tangible solutions to tackle this issue as it will cause significant problems in our future, but the question of how we will accomplish this still remains.
When it comes to secure storage of biometric data, there have been some clever techniques proposed in the past enabled by signal processing, including fuzzy hash (e.g., the ability to compare two distinctly different items and determine a level of similarity between the two), fuzzy vault (e.g., an encryption scheme which encodes information in a way that is difficult to obtain without a key), and secure sketch techniques. However, these techniques suffer from one of two problems. First, many of the security techniques proposed, from a quantification, storage and communication point of view, are designed for discrete data, and use simple similarity measures. However, true biometric data requires complex similarity functions. Second, the techniques designed for real-world biometric data are either ad-hoc and without formal proof of security, or don’t provide a sufficiently rigorous security formulation.
Is Technology Giving Companies Unprecedented Access to Our Data?
For most of us, the use of fingerprints today might be limited to our phone or computer, but what does the future hold for biometric authentication? As technology advances we will encounter privacy and security issues even more frequently. It’s within reach for companies to use new technology to replace all passwords, security pins, access codes, etc. MasterCard and HSBC are great examples of companies using facial recognition technology to verify a user’s identity. Even Ford is partnering with a machine vision company to add facial recognition technology to its vehicles.
But these advances might allow companies to “go too far” with a person’s biometric data, giving unprecedented access. While your face isn’t a secret, the data about you and your loved ones that it’s linked to should be protected unless we truly do want to live in a “Big Brother” society.
All in all, these security concerns will only increase and evolve with time, but signal processing plays a significant role in providing potential solutions to these issues. Although there is a fascination with the science behind our biometric data, we can’t head into a future in which we’ll be identified at every step of our lives. We must be diligent in ensuring the right policies and laws prevent biometric data from being used indiscriminately. We must ask ourselves how biometric authentication, which is a convenience in our lives, be prevented from becoming an avenue for companies to invade our privacy.
Nasir Memon is a member of the IEEE Signal Processing Society, and professor of computer science and engineering at NYU Tandon. He also is an affiliate faculty at the computer science department in the Courant Institute of Mathematical Sciences at NYU. Dr. Memon received his bachelor of engineering and his masters of science from Birla Institute of Technology and Science, Pilani, and his Ph.D. from the University of Nebraska.