To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://www.silicon.com/publicsector/0,3800010403,39156697,00.htm

Are biometrics ready for the UK?
Usability and security issues linger...

By Dan Ilett

Published: Thursday 23 February 2006

The UK Foreign Office is issuing facial recognition biometric passports in the US, and iris scanning pilot schemes are underway at Heathrow Airport.

With the ID cards scheme moving ahead, and Chancellor of the Exchequer Gordon Brown backing the use of biometrics, it seems that finger, face and iris scanners will be soon become an everyday part of our society.

But are biometrics the answer to identity theft and terrorism, as the government claims, or do they bring problems of their own?

Bori Toth, head of biometric research for Deloitte and Touche LLP, says: "Obviously they are not perfect. They can be forged - you can lift someone's fingerprint and potentially access a system. The question is whether you are being presented with the real thing or a copy but there are ways to defend against that."

There has been little research done on the effectiveness of biometrics on a national level, though the UK Passport Agency's one trial of biometrics last year found that facial recognition technology was the most unreliable.

Although the majority (almost 100 per cent) of participants managed to register their faces, the rate at which faces could be verified was less good.

Most problems that occurred with facial registering were with lighting or location. Some disabled people also found it difficult to maintain the correct facial position to register.

When it came to verification, the face had the lowest success rate (69 per cent) of the three biometrics tested. Changes in appearance such as facial hair caused verification to fail and those more than 60-years-old were harder to recognise then younger people.

Toth says: "It's quite easy to disguise a face. But there are now some technologies in facial [recognition] which look at the dimensions of the face. It's produced very promising results. Faces are not very unique, though. Everyone has two eyes, a nose and a mouth. There is not as much differentiation as in irises."

Most people (90 per cent) in the UK passport trial successfully registered for iris scanning but operators said the camera was difficult to use and, as with facial recognition, success varied according to the participant's ethnic group and age. People under 60 years had higher success rates than those aged 60 or above, and people who wore glasses had a higher failure rate than those who did not.

Angela Sasse, professor of human-centred technology at University College London, says: "There are problems with people who have eyes which have different focal lengths. The other problem is that dark-skinned people don't have much contrast in the eye so it can't be processed. If you have astigmatism, if the eyes move, the camera has problems with them. If you can't see very well there can be also be problems."

But Deloitte and Touche's Toth believes iris recognition is the most accurate of the three techniques.

She says: "Iris patterns are highly unique. The difference between each eye is as much as you and me. If you pull out an eye, the pupil expands very quickly so you can't see the iris. If a person dies, it's the same.

"There are options of using high-resolution photos or hand painting an iris pattern onto a contact lens that you can wear. You can use glass eyes but because it's an internal organ it can be hard to spoof. And there are sophisticated methods of detecting that."/p>

Spoofing has certainly worked with fingerprint scanning. Last year in Malaysia, a man was robbed of his $75,000 car when thieves cut off his thumb so they could circumnavigate the security controls on the ignition.

There was also the well-reported case of the Japanese researcher who used a gummy bear to copy a print and fool fingerprint scanners.

Toth says: "To cut someone's finger off - it's possible to do that. Most of today's systems are not protected against spoofing. For fingerprints it's quite easy to do."

Most participants in the passport test successfully enrolled their fingerprint biometric. One of the factors influencing failure was that the single fingerprint device used for verification occasionally did not record sufficient detail from the fingers. And again younger participants had a higher fingerprint verification success rate than older participants.

Sasse says: "When the skin is dry you can't see the ridges. If you put a full layer of hand cream on it can be unusable. Characteristics deteriorate with age; people who play guitar have trouble and those with calluses."

So it appears there are some barriers to usability and security of biometrics, and Toth and Sasse both agree more testing is required before they can be rolled out effectively.

Sasse says: "You can only work on a system that's been implemented. We can only comment on these systems. But in all trials there have been problems.

"There needs to be more controlled studies with large samples of old, young and people of different ethnic backgrounds. The UK passport system only did one verification test."