The State of the Art in Physiological Biometric Security Methods

The ‘have’ is nowadays increasingly biometric and we investigate some of the current techniques more closely in this article. But a third element is now becoming more frequently used for identity verification: ‘something you are’.

Let us look first of all at some of the possible biological ‘haves’. There are many aspects of each to be considered when constructing a security system tailored to the particular circumstances of an organisation or company.

High on the list is user acceptance of their introduction, helped by an education campaign to dispel any false information, rumours or downright lies about the effect of taking scans of body parts. We know with certainty meanwhile that your hand will not be burned, you will not go blind, and you will almost certainly not develop an allergy by using biometric security devices!

Quick and Reliable Fingerprints

When they are dirty, wet, swollen or damaged through injury, fingerprints cannot be used as identity verification. The rest of the time, which is most of the time, they provide a quick and reliable method of proving someone’s identity.

Contactless fingerprint scanners are rapidly becoming widespread, reducing hygiene concerns and making the process more convenient. Modern scanners look at the finger in question at different optical wavelengths or using ultrasound to build up an accurate digital model and also to check if there is blood flowing – a good sign that someone is alive and not just a severed finger has been offered up.

TBS in Switzerland have a wide range of scanners for the job in hand ... sorry for the pun. Aratek also have a palette of products and solutions that are available in most regions of the world.

Facial Scans Have Their Limits

While the stuff of science fiction movies in the 1960s, facial scanning has become an everday technique to identify people. It has its limits though, and can be confused by beard growth, changes in makeup, some temporary skin ailments, or even just people getting older. Early primitive systems could even be overcome by holding up a photograph of someone’s face.

Nowadays, a 3D grid map provides a far more accurate 3D model made up of 30,000 data points or more. With that, it is also possible to tell whether someone is awake and responsive, or drugged, or even still alive.

However, even these facial recognition algorithms working in the background often struggle with people from some ethnic minorities and produce inconsistent results, a situation already experienced by police, border forces and some universities. Someone’s face is often freely available on their social media accounts, the website of their football club and the local school PTA, so it’s easy to obtain ‘fake faces’.

You might like to contact Oosto to find out about their facial scanning solutions that avoid such scams. Alternatively, the Luna range of terminals is manufactured by Vision Labs in Amsterdam. Summary: face scanning is ideal for a great many situations but not perfect.

Retina and Iris Scans and Vein Pattern Recognition

The invention and introduction of facial recognition has caused a heap of political discussion, as well as regulation, for fear of racial discrimination or the intrusion of privacy. Neatly overcoming that problem are scans of other body parts.

Everybody’s eyes have a unique pattern of shapes and blood vessels that can be scanned using infrared light to generate a totally individual record. The scans look at the colourful part of the eye, and the distinctive patterns of the iris or the retina, and refer to a database for highly secure identity verification.

Also unique are the patterns of blood vessels in your hand. Under infrared light they can be compared against a biometric template in a database. Either fingers or palms can be analysed, both of which provide a highly secure method of identification.

A spinoff benefit of highly accurate retina scanning is exposing so-called ‘deep fakes’ that are otherwise totally convincing. NEC have patented the method of iris recognition and capture used in their terminals, while terminals from Secunet are in a trial phase at Frankfurt airport.

Link Voice Recognition with Biometry

Computer software can be trained to recognise patterns in spoken words or in continuous free speech. The duration of speech necessary to achieve a satisfactory identification has continuously come down, and is currently under a minute.

Again, a number of factors can lower the useablity of voice recognition as a unique identifier, among them variations in one’s voice caused by illness or background noise. Most criitcally, and as we are now hearing almost every day, the development of voice recognition has been matched by voice generation, which has now become so advanced that fake audio (and video) clips of outstanding quality are relatively easy to produce, and already overcome anti-spoofing methods.

Voice authentication can only be used in combination with other, preferably biometric, methods of identity verification for secure environments.

DNA Matching on the Way

Yes, a physical sample of your body can of course be a unique identifier. The processing of DNA samples still takes too long to be generally used as an access control method, but it is highly secure, and the technology that will make a DNA test a quick process is developing rapidly.

Antier are working hard to advance the technology into everyday life and application in a number of security-related scenarios.

Behavioural Biometrics as You Type

Not physiological but behavioural analysis to identify people is much less known generally, but has already been subtly in use for many years. This cannot (yet) be used alone for rapid access control, but if this has already been breached somehow, then the behaviour of an imposter will certainly give them away.

Most commonly, the way in which we interact with the input devices of our PCs will allow us to be uniquely identified. We all have our own favourite way of using the shift key, our own individual time gaps between characters, even our own most common spelling mistakes. The benefit of this type of analysis is that it can be continuously done while you work.

The algorithms running in the background build up a profile of your particular behavioural traits over time and gradually narrow down the leeway of doing things differently so that any sudden deviation from ‘normal’ behaviour is flagged up. So the accuracy of behavioural biometrics naturally increases as time goes on.

“This Won’t Hurt a Bit, James ...”

Fans of old science fiction or James Bond movies such as Casino Royale might have already thought of combining the ‘what you are’ and ‘what you have’ by inserting a (micro)chip subcutaneously into your body somewhere.

James is not alone: Today there is a growing five-figure number of people among us with microchips under their skin. They are currently used predominantly for cashless payment, access control and storing emergency medical information.

They also offer a very convenient method of granting access to those people who are mobility challenged. Apart from that, they are, of course, a highly secure method of identity verification. Go and visit Bioteq’s website if you want to join the secret service, or have other ambitions.

Can You Fool the System?

Of course, every security system is only safe until it is cracked ... and biometric systems, although far more challenging, are no exception.

What might sound like a poor April Fools’ Day prank is actually already true: An application called PrintListener can capture the ‘sound’ of fingerprints when they pass over a surface and scarily reproduce them on demand.

While the technique is not perfect, its current 9 % accuracy is climbing quickly and already poses a real threat today. The surface in question is the screen of your smart phone, while its built-in microphone is easily sensitive enough to pick up the unique ‘scratching’ noise that your fingers make. So wiping across the screen should only be done with the microphone disabled. Check now which apps installed on your phone have access to the microphone and camera and disable those that do not need access for their basic operation.

So-called ‘presentation attacks’ involve downloading, printing or generating a person’s photo, using a fake silicone fingerprint, or using a 3D mask. Needless to say, this primitive form of trying to fool a biometric terminal will nowadays rarely, if ever, be successful because of ‘liveness’ tests.

SOC2 Baseline for Data Security Compliance

While all this capturing of highly individual and person-related data is going on, that highly personal data has to be available and referenced when required. It is almost needless to say that it is essential to capture and store biometric data in strict compliance with national applicable regulations, preferably to a standard some way beyond that legally required and also just local to the verifying terminal; SOC2 could be a very good starting point.

When implementing security upgrades with a biometric element, collecting all the biometric scan data for a large number of users will be time consuming and labour intensive. Staff may even be required to visit off-site locations to have the necessary scans done. The time and effort invested, however, will be rewarded with the satisfying peace of mind that yet another barrier has been put in place against fraud, theft, and blackmail.

The gathered data must then enjoy the highest of security levels and only ever be transmitted in encrypted form between biometric terminals and a remote reference database. Administrative access to the management of any centrally-stored data is also best covered by a ‘four-eyes’ principle, with those eyes themselves being a part of biometric personnel validation too.

In a strategic partnership with Veridos, Innovatrics is developing DNA-based security database solutions, while iProov pay rigorous attention to achieving, and indeed exceeding, the highest security certification for their range of products.

Unifying Authentication Standards

With all these scanning devices from different manufacturers popping up that are looking at hundreds of body parts every second, there is great potential for manufacturers’ proprietary island solutions to develop that lock a user into just one supplier.

The well-established FIDO Alliance is working to combat this risk and advocates an open communication specification and exchange of data between edge devices and centralised management and databases. Their Biometric Component Certification Program allows manufacturers of IoT and other terminal devices to submit their products once for performance and compliance certification to be acceptable right across a massive potential customer base without further testing.

Ensuring Access Is Universal

EU Guideline 2019/882, more easily referred to as the European Accessibility Act (EAA) (Barrierefreiheitsst.rkungsgesetz or BFSG in Germany), will apply to digital customer onboarding using identification methods as of the middle of 2025.

It applies to service providers with at least ten employees and an annual turnover or a balance sheet total of more than two million euros, as well as to all manufacturers of identification devices, biometric or otherwise. It aims to ensure that people with restricted mobility or physical impediments are not excluded from using general verification methods.

A simple example of this would be a face scanner at an entrance that must also be able to be used by someone in a wheelchair; there are of course many other situations.

Suffice to say, biometric terminal manufacturers must think broad and long before introducing new techniques to ensure that, firstly, they will work reliably for all valid users, and equally reliably keep out the invalid ones.