Face recognition to replace PINs (part 1)

We can now add face recognition to the list of biometrics that won’t work as promised.

To understand the problem with biometrics one must understand identification, authentication, authorization, and risk.

Identification is the process of asserting an identity. An identity is usually a system-specific handle or account. For efficiency an identity should be easy to claim.

Authentication is the process of verifying a claim of identity. Verification is achieved by the production and examination of evidence that is robust to forgery.

Authorization is the process of determining the privileges that are conferred by an identity.

Use of biometrics

The biometric industry often blurs the line between identification and authentication. They claim that you will present your finger, palm, face or eye to a terminal to authorize a transaction. Hmm.

When you present a body part to a terminal it must first identify you. That involves scanning the body part in some way, converting the scan into a compact “template” (the industry sometimes calls this a hash, but it is not one: two scans of the same person never produce identical data, so templates are compared for closeness, not equality), then searching a database of every enrolled template for the one nearest to yours and reading off your account or handle. Note the need for the template to be unique and especially consistent. In biometrics the two pull in opposite directions: the more discriminating the template, the more it varies between scans of the same person, and the looser the match threshold has to be to find you at all. Loosen it and the chance that a stranger also falls within the threshold of some stored template rises with every template in the database.

Next the terminal must authenticate you. That involves scanning the body part in some way, processing that data and comparing it against the credentials previously stored for the identity just found. Umm, haven’t we just done that in order to establish identity? If the same scan is reused, the second comparison adds no evidence the first did not already have; if the body part is scanned again, it is the same evidence presented twice. Identification requires consistency (a loose threshold, so that the genuine user is found with a low rate of false negatives) but for authentication we must err on the side of uniqueness (a strict threshold, so that impostors are rejected with a low rate of false positives), and still keep the rate of false negatives acceptably low. Both demands land on the same piece of evidence, and a single threshold has to serve them.
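
The following Python model is an added example and not code from the original post. It makes the tension in the two preceding paragraphs concrete: it assumes an iris-code style matcher (256-bit templates compared by Hamming distance, a genuine re-scan flipping each bit with probability 0.25 to stand in for a noisy modality such as a face, and strangers' templates agreeing on each bit only by chance), computes the exact false accept and false reject rates at every threshold, then finds the loosest threshold that still holds a target false accept rate for a 1:1 authentication and for a 1:N identification search over a database of 100,000 templates. All of those parameters are assumptions chosen for illustration; the functions accept any database size and target rate.

```python
"""Why one matching threshold cannot serve both 1:N identification and
1:1 authentication (added example, not code from the original post).

Assumed matcher model (an assumption for illustration, not a real product):
  - templates are BITS-bit codes compared by Hamming distance;
  - two scans of the same person disagree on each bit with probability
    P_GENUINE (a noisy modality such as a face scan is modelled with 0.25);
  - templates of two different people disagree on each bit with
    probability 0.5 (pure chance).
Distances are then Binomial, so FAR and FRR can be computed exactly.
"""
from math import comb

BITS = 256
P_GENUINE = 0.25   # assumed per-bit noise between two scans of one person
P_IMPOSTOR = 0.5   # unrelated templates agree on a bit only by chance


def binom_cdf(n: int, p: float, k: int) -> float:
    """P(X <= k) for X ~ Binomial(n, p), summed exactly term by term."""
    if k < 0:
        return 0.0
    if k >= n:
        return 1.0
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def far(threshold: int) -> float:
    """False accept rate of one 1:1 comparison: an impostor's distance to a
    stored template lands at or below the threshold."""
    return binom_cdf(BITS, P_IMPOSTOR, threshold)


def frr(threshold: int) -> float:
    """False reject rate: a genuine re-scan lands above the threshold."""
    return 1.0 - binom_cdf(BITS, P_GENUINE, threshold)


def far_identification(threshold: int, db_size: int) -> float:
    """False accept rate of a 1:N lookup: an unenrolled person is within the
    threshold of at least one of db_size stored templates."""
    return 1.0 - (1.0 - far(threshold)) ** db_size


def strictest_threshold(target_far: float, db_size: int = 1) -> int:
    """Largest (most noise-tolerant) threshold whose 1:N false accept rate
    stays at or below target_far. Returns -1 if no threshold qualifies."""
    best = -1
    for t in range(BITS + 1):
        if far_identification(t, db_size) <= target_far:
            best = t   # far_identification is non-decreasing in t
    return best


def compare(target_far: float = 1e-6, db_size: int = 100_000) -> dict:
    """Threshold and resulting false reject rate when the same target FAR is
    demanded of a 1:1 authentication and of a 1:N identification search."""
    t_auth = strictest_threshold(target_far, 1)
    t_ident = strictest_threshold(target_far, db_size)
    return {
        "auth_threshold": t_auth,
        "auth_frr": frr(t_auth),
        "ident_threshold": t_ident,
        "ident_frr": frr(t_ident),
    }


if __name__ == "__main__":
    r = compare()
    print(f"1:1 authentication: threshold {r['auth_threshold']}, "
          f"FRR {r['auth_frr']:.2e}")
    print(f"1:N identification (N=100000): threshold {r['ident_threshold']}, "
          f"FRR {r['ident_frr']:.2e}")
```

Run it and the identification search is forced to a markedly lower (stricter) threshold than the 1:1 check for the same false accept target, because every extra stored template is another chance for a stranger to match; the price is a correspondingly higher false reject rate for the genuine user. Loosen the threshold to bring the genuine user back and the identification step starts matching strangers, which is the consistency-versus-uniqueness trade the post describes.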

Finally the terminal must determine your privileges (authorization) from your identity. This is an easy database lookup … unless you have multiple identities on the system. If you have personal and business accounts at the same bank you will want to claim the appropriate identity when performing a transaction. A broker would want to manage personal investments separately from those of clients. System administrators are advised to have an account for “normal work and web browsing” and a separate one with administrative privileges.

Clearly biometric identification is a bad idea – it is inefficient, error-prone and cannot cope adequately with multiple identities.

In part 2 I will look at biometric authentication and risk.
