On why I think it is too early for biometric identification

‘Passwords have become obsolete’ was what IBM Speech CTO, David Nahamoo, said–at least effectively–in IBM’s Research News blog. His main point was that our current means of identification and security, our trusty passwords, are a) really insufficient as security and b) hard to remember. (Incidentally, I suspect Mr Nahamoo has over 50 log-ins to remember.)

“Everything we do online, or via a computer, requires authenticating who we are – user IDs and passwords are our safeguard. But the security isn’t foolproof. Our IDs and passwords can be stolen and our mobile devices can be lost or stolen.”

–David Nahamoo

IBM 5 in 5 Security

Given that all my computers, especially my laptops up to this point, have been IBMs, I am particularly fond of–and familiar with–their multiple attempts at user security/protection. Perhaps the farthest back I can recall is the face recognition on my first IBM laptop. It was fascinating at first but I was forced to remove it when I ended up making faces in public just to turn on my PC.

It is really worse than it sounds. Anyway, then came their fingerprinting technology and that too was a nuisance to me until I changed my laptop all the way to the one I now own–free from any of that biometric hassle. At this point I may have come off as a biometric identification hater of some sort, but really, I am a fan of the entire concept so long as it does not leave those glazed pages of comic books.

Personally, I believe that biometric security is a little adolescent right now; the time when one can use it as efficiently as it is meant to is quite far away.

Devices and security

Another key point Mr Nahamoo raises is the high likelihood of devices like our PDAs, laptops and such–all of which store our sensitive data–getting ‘easily lost, stolen or misplaced.’

I concede to this point. But, while these devices themselves may be lost, we already have the option (which, sadly, I do not see too many people using) to handle our data on the cloud. So if this data is accessible from anywhere, through any device, including those we will own at some point in the future, the only setback (and that brings us to square one) is the fact that we need to remember passwords and such to access this data repeatedly. And the stolen devices may be permanently blocked, mind you.

The solution

The solution Mr Nahamoo proposes is the replacement of passwords and other related concepts that require us to–as he puts it–memorise, store and secure account IDs and passwords, with biometric security systems. (For the benefit of a minority of my readers, biometric systems are seemingly straight out of sci-fi works; they are systems that grant access using traits peculiar to an individual, including, but not limited to, their eyes, voice and style of walking. Inasmuch as this usage seems feasible, I see some major problems which are no less a trouble than remembering passwords.)

At the very start is ruled out the possibility of that cliched sequence where a villain terrorises you and forces you to either scan your eye or state a pass code or place your fingerprint or all of those in order to gain access. This is simply because the biometric systems we are talking about are far more advanced than what we think them to be. They can, in short, identify stress, pupil dilation, changed heart rate and breathing patterns to find out if you are accessing the account of your own will.

While all this seems great on the one hand, on the other–ironically–this is exactly where I see a problem. The entire system forces one to behave rather mechanically; to put it shrewdly, you have to make sure you have the same heart beat, constricted pupils and the same breathing rate as you did when you first input these data.

The problems I see

Firstly, this obviously rules out people in a hurry (who constitute about half the metropolitan population nowadays). In a hurry, your breathing rate becomes abnormally fast and increases your chances of getting locked out of your own account. This, of course, is perhaps only until you calm down again, which I do not see happening, given that you were in a hurry in the first place.

Secondly, let us assume you just saw something that melted your heart (I would hate to go into the details of that; it is quite unlike me to do so); then you would naturally find your eyes dilated. (Once again, for a minority of my readers, let me define this process of eye-dilation. The pupil (right at the centre) of the eye tends to shrink–this shrinking is called dilation–due to a number of reasons: too much light can cause this dilation as a response on the part of your eyes to reduce the amount of light entering; drug intake can cause quick and lasting dilation (and for those who think only illegal drugs cause it, you have another thing coming: do check your eyes after taking most prescription medicine and you ought to find noticeable dilation!); an allergy to some plants causes pupil dilation, although many may argue that the chances are slim; soon after an eye exam, for as long as an hour, (most) eye drops that are administered into your eyes immediately cause a dilation, but once again one may claim the chances are slim; lastly, what I believe to be the most significant contributing cause of pupil dilation: looking at somebody/something you like. In short, you are highly likely to be kicked out of your own account soon after a dinner date.)

Thirdly, if you had a cold and your voice changed, your account would never let you in–unless they make allowances to an extent, sacrificing security in turn. Clearly, each time you fall ill, the chances are your voice changes in a slightly different manner. Making such an allowance as I just mentioned would make it easy for an imposter to gain access simply by speaking in a voice just close enough to your actual one.

Now some would argue that although each of these would by themselves fall, together they will create a stronger biometric system.

However, consider this: you have an identical twin (remember, fingerprints can be lifted off any object and reused); their breathing and voice would be close enough for them to gain access to your account. Or perhaps a case where you have just missed your bus and have to withdraw some money from an ATM, so you run up to it only to find it will not let you in because you are breathing differently. Or even the case where you just spent some time with a loved one (or your ophthalmologist/optician who is not also a loved one) and realised your account disowned you because your pupils are a tad too dilated.
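The trade-off in the last three paragraphs (a tolerant threshold admits a close imposter, a strict one locks out the owner, and requiring every trait to match compounds the lockouts) can be put in numbers. This is an added illustration, not part of the original post or of any IBM system: the scores, the two thresholds and the function names are all constructed for the example.

```python
# Added illustration. All scores are constructed similarity values (0..1),
# one per login attempt; they are not measurements from any real system.
GENUINE = {  # real user: calm, calm, with a cold, after running, after eye drops, calm
    "voice":     [0.95, 0.93, 0.70, 0.85, 0.92, 0.94],
    "breathing": [0.94, 0.92, 0.88, 0.55, 0.91, 0.93],
    "pupil":     [0.93, 0.95, 0.91, 0.80, 0.50, 0.92],
}
IMPOSTOR = {  # a close impostor, such as a twin, on six attempts
    "voice":     [0.82, 0.78, 0.86, 0.75, 0.80, 0.84],
    "breathing": [0.80, 0.85, 0.77, 0.83, 0.79, 0.81],
    "pupil":     [0.60, 0.72, 0.66, 0.83, 0.70, 0.68],
}
STRICT, LENIENT = 0.90, 0.65  # hypothetical acceptance thresholds


def rates(genuine, impostor, threshold):
    """(false reject rate, false accept rate) for one trait at one threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def and_fusion_rates(genuine, impostor, threshold):
    """Same rates when every trait must pass on the same attempt."""
    def passes(scores, i):
        return all(trait[i] >= threshold for trait in scores.values())

    n_gen = len(genuine["voice"])
    n_imp = len(impostor["voice"])
    frr = sum(not passes(genuine, i) for i in range(n_gen)) / n_gen
    far = sum(passes(impostor, i) for i in range(n_imp)) / n_imp
    return frr, far


if __name__ == "__main__":
    for name, t in (("strict", STRICT), ("lenient", LENIENT)):
        frr, far = rates(GENUINE["voice"], IMPOSTOR["voice"], t)
        print(f"voice only, {name}: FRR={frr:.2f} FAR={far:.2f}")
        frr, far = and_fusion_rates(GENUINE, IMPOSTOR, t)
        print(f"all traits, {name}: FRR={frr:.2f} FAR={far:.2f}")
```

On this constructed data, voice alone rejects the owner on a third of attempts at the strict threshold and accepts every imposter attempt at the lenient one. Requiring all three traits lowers imposter acceptance at the lenient threshold but raises the owner's lockouts at both.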

In short, while the technology does have the potential to enter mainstream society–and I am confident it will–sometime in the future, now is just too soon. To satisfy our curiosity, we will, for the moment, have to make do with select IBM products; and personally, I would rather remember several passwords (and telephone numbers, while we are on the matter of remembering) than be shunned by a (literally) heartless device because I ran out from an overly bright room.

Biometric systems are just not ready for today. As the game now stands, the good old combination of log books and strong passwords holds a one-up over biometric technology.

If, after all this, you still like the idea of biometric security, do not forget to vote for it (read IBM’s report before you do that) on the company’s blog.

I follow IBM’s A Smarter Planet blog. They have some interesting things going on there, so if you want to see tomorrow today, I suggest you head there and find a way to keep up with their fairly rapid updates.