United Airlines this week announced that it would begin rolling out
Clear’s biometric prescreening at its hub airports, including Newark
Liberty International and Houston George Bush Intercontinental. The
system works by verifying a flier’s fingerprints or eye scan.
Clear already is available at about 60 locations throughout the United
States. It offers a system that utilizes biometrics to speed
preapproved travelers to the front of the security lane, and even
ahead of TSA Pre-Check fliers.
United Airlines joins Delta Airlines in offering the service to fliers — and Clear’s technology also is in use at participating stadiums
and arenas that require an ID check for entry. However, Clear is just
one of several companies to begin developing this the biometric
screening technology, and airports already have been struggling with how do
deal with competing but not compatible systems.
There now are at least
53 biometric systems used just by the aviation industry, and dozens
more by other industries, according to the World Travel & Tourism Council. Most don’t see eye-to-eye, in that their
respective databases aren’t shared.
Getting all the competing systems
to work together is just one of the challenges that biometric
screening companies will have to deal with in the near future to make
this technology universally embraced as an alternative for traditional identification.
History of Biometrics
It is easy to think of technology that can recognize a
unique fingerprint instantly as being a modern marvel of the 21st century, but
its roots actually go back to the end of the 19th century.
Argentine anthropologist Juan Vucetich first cataloged fingerprints in 1891, and just two years later that helped Inspector Eduardo Alvarez identify Francisca Rojas as the actual killer of her two sons.
Then there is the story of Will and William West — two men who were
unrelated yet nearly identical in appearance. Each was serving a
prison sentence at Leavenworth Penitentiary, but Will West was
convicted of a minor crime, while William West already was serving a
life sentence for first-degree murder. The prison had almost no way of
telling the men apart, but then turned to a new technology — fingerprint identification.
French handwriting expert and early biometrics researcher Alphonse Bertillon already had created an identification system that included a “mug shot,” along with detailed description of an inmate’s
facial features. Normally that system was enough to differentiate
individuals from one another. However, given that the West men
looked so similar, something else was needed.
As it happened, Bertillon also made a breakthrough in the advancement of
dactyloscopy, which can analyze the patterns of fingerprints. As each
individual’s fingerprints are unique, it was enough to determine which
West was which!
“Biometrics have been around as identifiers and authentication means
for over 100 years, with the most well-known case being that of
police/law enforcement use of fingerprints,” noted Ralph Russo,
director of the
School of Professional Advancement
Information Technology Program at Tulane University.
Advances in Biometrics
This system of fingerprint identification is just one of the unique
identifiers that can tell individuals apart. In the century since
Bertillon developed dactyloscopic technology there have been many
advances that also can scan an individual’s retina — something that is
as unique as fingerprints. In addition, there also have been great strides
in facial recognition as well.
Both fingerprints and facial recognition scanning have been adopted
in recent years as a way to unlock smartphones. Supporters of the technology have suggested they offer a greater
level of security over passwords, which easily can be forgotten.
“The main advantage of the biometric authentication is its ease of use
for the end user,” said Leigh-Anne Galloway cybersecurity resilience lead at
Positive Technologies.
“Simplicity in information security is not always good,” she told TechNewsWorld. “The face and fingerprints are always with you. You will not
forget them as a password, but you cannot change them either,” Galloway added.
Biometric Advantages
The advantages of using digital biometrics — including fingerprints,
iris scans or facial recognition — to manage access to applications and
devices include fast and reliable access to information tied to a
specific person, as well as relatively high accuracy, suggested Tulane’s Russo.
In addition, biometrics as a password can’t be lost or forgotten, and
therefore businesses do not have to manage the flood of forgotten
password changes, while passwords can be relegated to a secondary
option. Biometrics also can used as part of a multifactor
authentication process, and they can replace cards and other physical
devices that can be lost or stolen.
The latter “results in thousands of incidents of lost identification
each year as people try to manage the ID along with their luggage, and
following TSA procedures,” Russo told TechNewsWorld.
There is also the convenience factor, and the fact that no type of
password is truly perfect.
“All methods of identifying people have risks and drawbacks; to avoid
forgetting passwords for a multitude of sites, people write them down,
store them in plaintext — not encrypted — or trust them to third-party
password managers which present a risk that the password manager could
be hacked,” said Russo.
“Expect the use of biometrics to increase at an increasing rate going
forward, and this is for many reasons, including convenience to the
user, lower cost for the business to scale and manage, and a
relatively frictionless user experience,” he added.
“Once users have chosen their type of biometric authentication, there
is no typing on tiny keyboards, no phone calls, and no one leaves home
without their hands or face — just comparatively fast and easy
access,” Russo noted.
Privacy and Security Concerns
The other side of the issue is one of privacy, and the fact that
biometric technology could be used for nefarious reasons. That is why
the city government of San Francisco has instituted a blanket ban on face
recognition technology. Just this week California became the first state to consider a state-wide ban of face recognition technology.
Assembly Bill 1215, known as the Body Camera Accountability Act, has
proposed a ban on facial recognition software in police body cameras
due to privacy concerns. Similar concerns are being echoed regarding
the use of fingerprints as a method of identification.
Even travelers who see the benefits with the Clear or similar
biometric screening systems may want to consider if the cons may
outweigh the pros.
“Although it can shave a few minutes off of travel times, we’d
recommend that travelers spend the extra few minutes in line to
maintain sovereignty over their personal data,” said Sean McGrath,
privacy advocate at
ProPrivacy.
“Both private companies (United and Clear) and the government have
proven time and time again, that they can’t be trusted to keep this
data secure,” he told TechNewsWorld.
Another concern is that once a fingerprint or eye scan is in the
system it isn’t easy to get it back out again.
“As travel authorities shift from using traditional technologies to
biometrics, travelers are having less of a say of how their biometric
data is used,” McGrath added.
Is It a Perfect System?
There is another issue to consider and that is the reliability of
biometrics. Faces change with weight loss or gain, and people do look
different as they age. Fingerprints, while unique to individuals, do
have similarities as well. And what about cuts or burns to a finger —
is it really such a perfect system for identification?
“Reading sensors and fingerprint processing algorithms have a certain
threshold for sample compliance,” explained Positive Technologies’
Galloway.
“Considering possible damage or impurity of a finger, this threshold
makes it possible to compromise the print,” she added.
Thus the higher the threshold, the more false-negatives possible; the lower, the more false-positives are possible.
“While injury can interfere with the reading of a fingerprint — for
comparison against a differing image file stored in the database —
most biometric systems encourage a second or tertiary print to be
stored as well to allow access in these type situations,” added Tulane
University’s Russo.
“In serious organizations, biometrics must be combined with other user
verification tools, for example, finger plus eye plus password,” said
Galloway.
“Biometrics is not a ‘perfect’ means of identifying users of
applications and systems; like anything involved with security there
is a balance between too much security and too little security,” said
Russo. “Dial up the percentage to declare a match and get more
failures — false negatives — and user frustration. Dial down the
percentage and get more false positives and weaker security. This is
as opposed to passwords, which are 100 percent matches or not.”
Protecting the Biometrics
The biggest consideration in biometrics is whether this information
ever can be secure enough. In 2015 the Office of Personnel
Management (OPM) was hacked and personal information of more than 5
million people — including fingerprints — was compromised.
“The biggest danger is the impossibility to change your biometric
data,” warned Galloway.
“Hacks and leaks have happened and will exist. There are no ideal
systems; the biometric data used in our time isn’t a secret,” she
added.
“Fingerprints can be restored by photo; voice, by calling and
recording a sample; and the shape of the face, by collecting photos
of a target from social networks,” Galloway explained.
“If your password is hacked, you can always create a new one, but if
biometric data is stolen you couldn’t realistically change your
fingerprints, face or irises, so that data could be used to attempt to
fool devices and allow unauthorized access,” said Russo.
“However, this is not as easy to do as one might think, and while
people have successfully replicated fingerprints and voice prints to
fool systems, face ID secured systems are much harder to fool,” Russo
added.
“In all, the incidents of using hacked biometrics to successfully gain
access to systems have been minimal,” he noted.
Another consideration is that “protecting biometric databases is not
much different from protecting other forms of data stored within a
given network, except perhaps in how governments’ accumulation of such
data is rapidly outpacing their ability to secure it,” said Christopher Whyte, assistant professor of homeland security and emergency preparedness at Virginia
Commonwealth University’s
L. Douglas Wilder School of Government and Public Affairs.
“As recent breaches here in Tennessee and abroad have shown, massive
leaks involving this kind of data are far from fantasy,” he told
TechNewsWorld.
Even when it is protected, the question comes back to how well
some of works.
“Biometric data actually does bring with it an added obstacle to
security in that you need to actively work with the data to account
for variations in the nature of relevant information,” said Whyte.
“I, for instance, grew a beard last year and I have a friend that lost
80 lbs. two years ago — both would have to be controlled for by a facial
recognition algorithm,” Whyte added. “This prevents at least some
amount of standard practice when it comes to minimizing the
information stored by a company or organization that could actually be
stolen or leaked.”
Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.
Email Peter.