Hocus Pocus
This is the second in a series of columns dealing with misunderstandings and misrepresentations of speaker authentication. In the first column (March/April 2002) I discussed the confusion regarding the difference between speech recognition and speaker verification, and I decried the practice of marketing slightly-modified speech recognition as speaker authentication. This column addresses the belief that biometric-based technologies, including speaker authentication, are the answer to all our security-related prayers.
Better security
Awareness of biometrics had been growing prior to the 9-11 terrorist attacks. The new millennium brought with it an increase in the number of articles and reports on biometrics in the popular media. High-profile implementations, including the deployment of speaker authentication by the Home Shopping Network, were establishing a foundation for widespread acceptance of biometric technologies. The attacks of September 11, 2001, thrust biometrics into the limelight as the only kind of security capable of providing direct positive evidence that a person is who she or he claims to be. All other kinds of automated security employ indirect authentication. Some forms of non-biometric security, such as a token, ID badge or smartcard, can be lost, stolen or duplicated. Other types of security, such as a PIN or password, are easy to break because people often share or lend them, write them down or are unsuspecting victims of shoulder surfing. This is a common practice of criminals who peer over the shoulders of people who are using ATMs, telephones and other access devices located in public places. There are also free and inexpensive tools that can quickly generate and try possible PINs and passwords. Given these vulnerabilities of traditional approaches to security, the newfound respect accorded to biometrics is justified. However, problems surface when biometrics are treated as if they were a form of magic rather than as technology.
Misconception: Biometrics can automatically determine whether anyone is a terrorist (or other kind of criminal).
Reality: A biometric system includes a database of stored bioprints and an algorithm that compares new input with the stored samples. Each bioprint is linked to a specific person. When a face, fingerprint, voice or other biometric sample is submitted to a biometric database, the system looks for a matching bioprint in its database. Failure to find a match in a biometric database of terrorists does not mean the person who provided the sample is not a terrorist, but simply that no biometric sample of that person is available, or that the person has not committed terrorist acts in the past. Even if the US and Canada had used biometric screening at border crossings and airports, only a few of the 9-11 Al Qaeda terrorists would have been stopped, because for most of the terrorists the attacks on the World Trade Center and Pentagon were their first (and last) acts of terrorism.
Misconception: Biometrics will perform with (virtually) 100% accuracy in your application.
Reality: This dangerous myth reduces vigilance and promotes unwarranted overconfidence. Biometrics are far more reliable and secure than PIN and password systems, but neither they nor any other form of security is 100% accurate. Once that is accepted, it is possible to focus on what to do when there is a failure, breakdown or error. This is true whether you are using security technology or human security. Biometric systems make two major kinds of errors: false acceptance and false rejection. False acceptance occurs when a biometric system erroneously determines that an impostor is an authorized individual. False rejection occurs when the system decides that an authorized individual is an impostor. Errors can arise from a variety of sources, including the behavior of the person interacting with the system, and this is true for all biometrics. Unfortunately, recognition of the impact of human behavior on all biometrics is just beginning to penetrate the biometrics industry. Most performance assessments - even reliable third-party testing - employ laboratory testing. As with any technology, the likelihood of error increases as it moves out of the lab and into the field. The reason is that there are more uncontrolled and uncontrollable variables in the field. For example, face recognition can be highly accurate when people are consciously presenting themselves to the system. It has also been tested at 50% accuracy or worse when sampling faces of unaware individuals in crowds.
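The two error types above can be made concrete with a small score-threshold model. This is an added illustration, not code from the column or from any product it mentions; the match scores are constructed, and the "field" degradation is simply a uniform drop in genuine-user scores standing in for noisier conditions.

```python
# Added example: false acceptance vs. false rejection in a score-based matcher.
# A matcher compares a new sample with the stored bioprint and produces a
# similarity score in [0, 1]; the sample is accepted when score >= threshold.

# Constructed scores (assumption, not measured data). Note the overlap:
# the weakest genuine score (0.49) is below the strongest impostor score (0.61).
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.77, 0.74, 0.69, 0.65, 0.58, 0.55, 0.49]
IMPOSTOR_SCORES = [0.61, 0.57, 0.52, 0.46, 0.41, 0.38, 0.33, 0.29, 0.22, 0.15]


def error_rates(genuine, impostor, threshold):
    """Return (false_acceptance_rate, false_rejection_rate) at one threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)  # impostor let in
    false_rejects = sum(1 for s in genuine if s < threshold)    # authorized user refused
    return false_accepts / len(impostor), false_rejects / len(genuine)


def perfect_threshold_exists(genuine, impostor):
    """True only if some threshold separates every genuine score from every impostor score."""
    return min(genuine) > max(impostor)


def equal_error_point(genuine, impostor):
    """Scan thresholds 0.00..1.00 and return (threshold, FAR, FRR) where the two
    rates are closest; this is the usual single-number summary of a matcher."""
    best = None
    for i in range(101):
        t = i / 100
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def degrade(scores, drop):
    """Model field conditions (noise, distracted users) as a uniform score drop."""
    return [round(s - drop, 2) for s in scores]


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.65):
        print(t, error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t))
    print("perfect threshold:", perfect_threshold_exists(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("equal error point:", equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
    # Same threshold, noisier genuine samples: FRR climbs while FAR is unchanged.
    print("field FRR:", error_rates(degrade(GENUINE_SCORES, 0.1), IMPOSTOR_SCORES, 0.6))
```

Raising the threshold drives false acceptances to zero only by refusing more authorized users, and once the genuine and impostor score ranges overlap, no threshold makes both rates zero.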
Final words
Biometrics are powerful identification and security mechanisms, but they are not magic.