Biometric Truths And Fictions
Biometrics are seductive: you are your key. Your voiceprint unlocks the door of your house. Your retinal scan lets you in the corporate offices. Your thumbprint logs you on to your computer. Unfortunately, the reality of biometrics isn’t that simple.
Biometrics are the oldest form of identification. On the telephone, your voice identifies you as the person on the line. On a paper contract, your signature identifies you as the person who signed it. Your photograph identifies you as the person who owns a particular passport.
What makes biometrics useful for many of these applications is that they can be stored in a database. Alice’s voice only works as biometric identification on the telephone if you already know who she is; if she is a stranger, it doesn’t help. It’s the same with Alice’s handwriting; you can recognise it only if you already know it.
There are many different types of biometrics, including handwriting, voiceprints, and face recognition. There are also hand geometry, fingerprints, retinal scans, DNA, typing patterns, signature geometry, and others. The technologies behind some of them are more reliable than others, and they’ll all improve.
"Improve" means two different things:
First, it means that the system will not incorrectly identify an impostor as Alice. The whole point of biometrics is to prove that Alice is Alice, so if an impostor can successfully fool the system it isn’t working very well. This is called a false positive.
Second, "improve" means that the system will not incorrectly identify Alice as an impostor. Again, the point of the biometric is to prove that Alice is Alice, and if Alice can’t convince the system that she is herself then it’s not working very well, either. This is called a false negative.
In general, you can tune a biometric system to err on the side of a false positive or a false negative.
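The tuning trade-off described above, as an added example that is not part of the original essay. It assumes a hypothetical matcher that returns a similarity score and accepts at or above a threshold; the scores are constructed sample data.

```python
# Added illustration. Scores are constructed sample data from a hypothetical
# matcher: a higher score means the sample looks more like Alice's template.
GENUINE = [0.91, 0.84, 0.77, 0.69, 0.88, 0.95, 0.62, 0.81, 0.73, 0.58]   # Alice herself
IMPOSTOR = [0.12, 0.35, 0.48, 0.27, 0.66, 0.41, 0.19, 0.71, 0.30, 0.53]  # others claiming to be Alice


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Accept when score >= threshold; return (false_positive, false_negative) rates."""
    false_pos = sum(s >= threshold for s in impostor) / len(impostor)
    false_neg = sum(s < threshold for s in genuine) / len(genuine)
    return false_pos, false_neg


def tune_for_max_false_positive(max_fp, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold that keeps false positives <= max_fp.

    Raising the threshold never increases false positives and never decreases
    false negatives, so the lowest qualifying threshold rejects Alice least often.
    The infinite threshold (reject everyone) is the fallback.
    """
    for t in sorted(set(genuine + impostor)) + [float("inf")]:
        fp, fn = error_rates(t, genuine, impostor)
        if fp <= max_fp:
            return t, fp, fn


def tune_for_max_false_negative(max_fn, genuine=GENUINE, impostor=IMPOSTOR):
    """Highest threshold that keeps false negatives <= max_fn.

    The lowest observed score always qualifies, because no sample falls below it.
    """
    for t in sorted(set(genuine + impostor), reverse=True):
        fp, fn = error_rates(t, genuine, impostor)
        if fn <= max_fn:
            return t, fp, fn


if __name__ == "__main__":
    for t in (0.50, 0.60, 0.70, 0.75):
        fp, fn = error_rates(t)
        print(f"threshold {t:.2f}: false positives {fp:.0%}, false negatives {fn:.0%}")
    print("no impostor accepted:", tune_for_max_false_positive(0.0))
    print("Alice never rejected:", tune_for_max_false_negative(0.0))
```

On this sample no threshold drives both error rates to zero: refusing every impostor locks Alice out 30% of the time, and never rejecting Alice lets 20% of impostors in.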
Biometrics are powerful and useful, but they are not keys. They are useful in situations where there is a trusted path from the reader to the verifier; in those cases all you need is a unique identifier. They are not useful when you need the characteristics of a key: secrecy, randomness, the ability to update or destroy.
Biometrics are unique identifiers, but they are not secrets.