Biometrics are Best
Why am I so keen on biometrics for SSCA? Well, let me take you back to what I wrote about the launch of the iPhone 5 with TouchID (which was, of course, always a misleading label: it should be called TouchAuthenticate, but more on this later). Here’s an amalgam of the conversations I had with different people following that 2013 announcement:
Person: Do you know that fingerprints can be faked? I heard about a Japanese guy who did it with jelly babies or something?
Me: Yes, I know.
Person: Your fingerprints are all over your phone, people could easily steal them.
Me: Yes, I know.
Person: Criminals might be able to find a way to make a fake finger and use it to buy songs on iTunes using your iPhone.
Me: Yes, I know.
Person: Do you know that researchers were able to reconstruct useable 3D models of fingers by accessing stored fingerprint templates?
Me: Yes, I know.
Person: So would you use the new Apple TouchID on your next iPhone?
Me: Of course.
If I sounded complacent about the possibility of agents of foreign powers delving into my iPhone, it’s because I was. The key point I was making is that Apple TouchID/FaceID and the Android equivalents are not really about security, they are about convenience, a point I made on BBC Radio 4’s Today programme at the time. Convenience is something at which Apple excel. That may not seem like much, but when you are at the front of the queue on the bus, or checking it at British Airways, or showing a ticket for an event or trying to show a loyalty card in a shop using and paying in Starbucks using their app, then touching or looking at your phone rather than entering PIN is nice. And there will be a bunch of people who currently don’t lock their mobile phones but will because of the fingerprint or faceprint.
So are these biometrics more secure than a 4-digit passcode that can easily be read over someone’s shoulder? Yes. Will such biometrics replace 4-digit passcodes? No. You will still have a passcode for the odd occasion when your fingerprint can’t be read or for when your wife wants to look up something on IMDB on your iPhone and can’t be bothered to go into the other room and get her smartphone. As I wrote even before the iPhone 5 launched, Apple understands the location of biometrics in the consumer space: convenience, and Apple is all about convenience. Remember, consumer mobile devices aren’t going to be used to launch nuclear missiles or identify people in databases (I hope), so the combination of possession of the phone and possession of a face are sufficient for most purposes.
To see why, it’s important to reinforce the distinction between authentication and identification. When I open my Barclays app on my iPhone, it uses FaceID to authenticate me. It matches a template of my face against a stored template of the face of the owner. That’s authentication. It’s a very different problem from, for example, taking a template of my face and then attempting to match it against the faces of everyone in the Home Office passport database before popping up “hello David G.W. Birch”.
Doing away with a phone (or a card or a chip in your head) and just going with biometrics is a different issue. Biometric identification is a much harder problem and is fraught with difficulties. It can work very well with limited populations, which is why it is being installed in airports all over the place. I rather like the system going in to Chinese airports where when you walk up to one of the screens displaying flight information it switches to displaying your flight only. Very helpful. And earlier this year at KnowID in Las Vegas I saw a super presentation from US Customs and Border Control talking about the specific use of biometrics in airports as an interesting example of how to use biometric technologies for security but at the same time deliver convenience into the mass market. The investments made in biometrics to allow paperless travel have obvious benefits in terms of security but, as we have found in our other work about the cross-sector exploitation of digital identity, intelligent use of these new capabilities can also transform the customer experience. The same biometric system that scans your passport picture on entry to the airport and then checks you in for your flight can also be used to direct you through the airport and implement smart departure boards that as you approach them switch from displaying a list of all flights to displaying your flight only.
You can imagine this kind of system being extended to retailers and banks. Having been to the AmazonGo
When I go to the airport, however, I want to be identified. I’m already a member of a subgroup of the general population (ie, people who are flying from that airport on that day) and I want to co-operate in being identified to make my journey more convenient. It’s a different matter when you are dealing with the population as a whole, not a self-selected subgroup, including people who don’t want to be identified. The Metropolitan Police have revealed that their facial recognition technology incorrectly identified members of the public in 96% of matches made between 2016 and 2018. So, round off, that’s in practical terms all matches that were incorrect.
Hhhmmmm…..
One particularly interesting aspect of biometric identification is its amusing susceptibility to what is known as “adversarial” biometrics. If you know how a face recognition algorithm works, for example, then you can deliberately choose to wear make-up or some disguise that exploits the characteristics of that algorithm. In fact, as it turns out, it is all too easy to do this and to do it in such a way as to give the recognition algorithms high confidence that they have correctly identified something. When it comes to picture recognition, the results can be hilarious (and disturbing). MIT researchers found that Google’s AI-powered open source “Inception” picture classifier can be easily fooled. Take a picture of a cat, add some “noise” that is imperceptible to people and the computer thinks it is looking a guacamole (this is a real example). There are techniques, such as Adversarial Generative Networks (AGNs), that can automatically create images to fool the recognition algorithms!
Master criminals may not need to resort to such sophisticated algorithmic skullduggery to get away with
Snippings 