Seriously: biometrics replacing passwords?!

I know it’s the season to be jolly but, oh lord, I am so sick of the endless re-publishing of IBM’s breathless prediction that biometrics will replace passwords in five years time. As reported by the Daily Mail, what they said is: “The complex, hard-to-remember strings of numbers and letters will be replaced by biometric readers that ‘work out’ who you are by reading unique things such as the shape of your face”. Nonsense!

Firstly, no biometric ever ‘works out’ who you are; they have to be first told who you are. I won’t apologise for being pedantic about this, for the loose language that besets most biometric reporting leaves readers quite clueless about the real issues.

The cost of registering for biometrics far exceeds the cost of registering passwords. And the unit cost of decent readers (ones with liveness detection that aren’t so easily spoofed) is hundreds of dollars. Where’s the ROI to replace all passwords?

Speaking of loose language, again we have the casual claim that biometric detectors read “unique things” about their subjects. It’s just not the case. If any biometric security system really did use a unique trait, we would expect a False Accept Rate of precisely zero, and not the pretty shoddy one or two percent that is common in practice. The only biometric traits I know of with good theoretical bases for being near-unique are the iris and DNA. Iris is one of the best biometrics, but it’s expensive (to get the impressive specificity performance, you need special-purpose cameras and controlled lighting conditions, unachievable with webcams or smartphone cameras). As for DNA, well, despite the odd hype, there just isn’t any sign of a commercial DNA access control system. Sure, there’s forensic DNA analysis, but it requires tissue samples and takes hours of time on masses of equipment, and even then it actually does not deliver “unique” results! DNA testing only examines a few dozen selected genetic markers and has a False Match Rate of around 1 in a billion. OK, that sounds great, but before getting too excited, note that the inventor of DNA testing, Dr Alec Jeffreys, has pointed out that [due to the Birthday Paradox] the chance of random false matches amongst pairs in population-wide DNA databases could climb to be very high.
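To put numbers on that Birthday Paradox point, here is an added worked example (mine, not the post’s or Dr Jeffreys’) that takes the post’s 1-in-a-billion False Match Rate and the 1–2% False Accept Rate quoted for common biometrics, and asks how many chance matches a database of N records produces. It assumes independent pairwise comparisons and uses the Poisson approximation to the birthday problem.

```python
import math

def expected_false_match_pairs(n_records: int, fmr: float) -> float:
    """Expected number of record pairs that match by chance when every pair
    of enrolled records is compared with false match rate `fmr`."""
    pairs = n_records * (n_records - 1) / 2      # C(N, 2) distinct pairs
    return pairs * fmr

def prob_at_least_one_false_match(n_records: int, fmr: float) -> float:
    """Probability that at least one chance match exists in the database
    (Poisson approximation: 1 - exp(-expected matches))."""
    return 1.0 - math.exp(-expected_false_match_pairs(n_records, fmr))

def records_for_50pct_collision(fmr: float) -> int:
    """Smallest database size at which a chance match becomes more likely
    than not: N ~ sqrt(2 ln 2 / fmr), the classic birthday-bound."""
    return math.ceil(math.sqrt(2.0 * math.log(2.0) / fmr))

def false_accepts_per_lookup(n_records: int, far: float) -> float:
    """Expected number of *wrong* enrolled identities accepted when one
    probe is searched against all N records (1:N identification)."""
    return n_records * far

if __name__ == "__main__":
    DNA_FMR = 1e-9          # figure quoted in the post: about 1 in a billion
    TYPICAL_FAR = 0.01      # post's "one or two percent" for common biometrics

    print("DNA-style FMR of 1e-9, population-wide database:")
    for n in (10_000, 100_000, 1_000_000, 10_000_000):
        print(f"  N={n:>10,}: expected chance matches = "
              f"{expected_false_match_pairs(n, DNA_FMR):>10,.1f}, "
              f"P(at least one) = {prob_at_least_one_false_match(n, DNA_FMR):.3f}")
    print(f"  50% chance of a collision already at N ≈ "
          f"{records_for_50pct_collision(DNA_FMR):,} records")

    print("1% FAR reader used for 1:N lookup against the same database:")
    for n in (1_000, 100_000):
        print(f"  N={n:>10,}: ~{false_accepts_per_lookup(n, TYPICAL_FAR):,.0f} "
              f"wrong identities accepted per lookup")
```

A verification reader used 1:1 (is this the person who enrolled?) sees only the FAR per attempt; the same reader used to pick one person out of a database sees N times that, which is why a per-comparison rate that sounds fine does not survive scale.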

No responsible analysis of widespread use of biometrics (at a scale that would allow us to ‘replace passwords’) should skip over the serious inherent flaws in all biometrics. These include the impossibility of cancelling and re-issuing compromised biometrics, the absence of any standardised testing methods and performance specifications, and the fact that (as stressed by no less an authority than the FBI) biometric testing in the lab is a poor predictor of how they perform in the field.

And finally, let’s be careful what we ask for, in case we get it. The high cost of biometric registration is such that as soon as anyone embarks on widespread deployment, it’s inevitable that service providers will seek to “federate”, so that a biometric identity established in one setting can be re-used in others. But until we properly solve the problems outlined above, biometric federation, with shared template databases up in the “cloud” somewhere, would quite simply be a nightmare in waiting.