Every body loves biometrics
How many digital identities do you have — or need?
If you’re like the average person these days, the answer is: too many.
Our wallets bulge with credit, debit and discount cards; we rummage through our bags for the access passes used to enter homes and workplaces; and we generate so many internet passwords that we have trouble keeping track of them all.
But while such identities are necessary for interactions and transactions in our increasingly digitised world, they don’t serve us very well, being vulnerable to hacking and theft.
“These identities are pseudo-identities, and they are not sustainable,” said Mr Walter Lee, evangelist and government relations leader at NEC’s Global Safety Division.
He was speaking on 18 August 2017 at the one-north Festival, on the topic of ‘Digital Identity in a Digitised Media World’.
On the other hand, imagine if you could pay for your purchases or enter a room with a quick scan of your fingerprint, retina or face — aspects that make an individual uniquely identifiable.
“With advances in biometrics, you could do away with tokens, cards and passwords, and provide personalised services everywhere, from retail spaces to airports,” said Mr Lee.
With the Internet of Things (IoT) set to become more widespread, the boundaries between physical space and cyberspace will continue to blur, said Mr Lee.
Cybersecurity threats will thus not only impact data and computer systems, but also human safety and critical infrastructure.
“While the IoT is wonderful because it lets us get connected, it also means we are fully exposed to the threat landscape,” he said.
“The IoT is also the internet of threats.”
In the future, biometrics could play an important role in safeguarding our identities against hacking and theft, and thus in improving the safety and security of smart cities.
But to do that, several concerns with the technology have to be addressed.
Signs of life
For example, we’ve all heard the urban legends — or seen the Hollywood movies — of determined robbers cutting off fingers and gouging out eyes to fool biometric authentication systems.
If these stories are true, the systems in question were simply not good enough, said Mr Lee.
Advances in ‘liveness detection’ would ideally help biometric systems function like the timepiece in the nursery rhyme My Grandfather’s Clock, which “stopped short — never to go again — when the old man died,” said Mr Lee.
Fingerprint recognition systems, for example, would only accept fingers with a pulse, while facial recognition systems would use temperature and certain three-dimensional aspects of live faces to distinguish them from masks or pictures.
“Even if someone were to take your biometric data, they will not be able to use it if we adopt certain standards,” said Mr Lee.
For added security, different biometric technologies could also be used in combination for multifactor authentication.
Standards of trust
Since biometrics involves data about the human body, data privacy is a key concern.
“You have to respect data privacy and protect the individual,” said Mr Lee.
Again, this can be addressed by complying with certain safety standards, such as those from the Fast IDentity Online (FIDO) Alliance.
Such standards would ensure that user credentials do not leave the device they are used to log into, meaning that there is no centralised database for hackers to attack.
What if the devices themselves are compromised?
As it turns out, biometrics is not just limited to flesh and blood, said Mr Lee. Electronic devices, too, have their own unique digital signatures that can be used to ensure that they have not been hacked.
These ‘silicon biometrics’ are much more secure than MAC or IP addresses, which can be easily impersonated, he added.
Once biometric data is entered into the device, another concern is how to authenticate it. In airports and other border control locations, for example, biometric authentication is done through servers hosted by a trusted authority — the government.
“In Singapore, we’re in a very secure space and we assume that the government can be trusted. But what about countries where there is less trust?”
Get it right from the start
In such cases, blockchain technology — the distributed digital ledger system that underpins Bitcoin and other cryptocurrencies — could be used to address the lack of trust.
“The server-client system we’re used to is becoming outdated,” said Mr Lee. “With blockchain, no single server is storing the data, so even if one server gets hacked, your data is still safe.”
NEC, for example, has already started testing biometric authentication systems in various settings, said Mr Lee.
In one case study, the company is working with Sumitomo Bank to pilot facial recognition for payments in a retail mall in Japan.
Customers can walk out of the mall with their purchases without worrying about cash or cards — the system identifies their facial biometrics and bills the items to them.
“What’s exciting is that the technology is advancing very rapidly,” said Mr Lee.
“But what is scary is that if we don’t secure it right from the very beginning, then we will be going back to the good old days of bad passwords.”