Fingerprint scanners now come standard on most new smartphones, and some devices even feature iris scanners and 2-D facial recognition technology. But with every new step forward in biometrics, it seems a way to “spoof” the technology follows soon behind — from fingerprint replicas to high-resolution photographs of faces and eyes. So, what’s on the horizon in biometric security, and how can we make the technology more secure?
First, there’s a lot going on in biometrics: Apple is reportedly testing 3-D facial recognition in its upcoming iPhone, and Slate technology staff writer April Glaser says other companies are experimenting with everything from monitoring your unique heartbeat to implanting chips under your skin to scanning your eye veins or the shape of your earlobes. “So, it goes well beyond the finger,” she says.
Stephanie Schuckers, director of the Center for Identification Technology Research, says the veins in your wrists, palm and fingers can also be used as unique identifiers. “I've even seen the electroencephalogram,” she says. “So, this would be electrodes placed on your head [that] could be used as an identifier, which might be good for wearables, headphones, et cetera.”
In addition to these kinds of physiological biometrics, Schuckers explains that there are also behavioral biometrics, which can change depending on your behavior. “Like how you walk, how you talk, how you hold something, for example, how you type, how you swipe on your phone,” she says, adding that these behaviors can also be used to create a “signature” for biometric recognition.
According to Schuckers, one way to strengthen biometric security is through “liveness detection” — not only confirming that your features match what’s expected, but also that you’re standing right there. “When you measure the biometric, you also want to measure additional features that really tell you that you're measuring it from a real person, not just a photograph or someone holding up a phone or a photograph of an individual,” she explains. Technology like Apple’s rumored 3-D facial recognition could be capable of doing just that.
“What's neat about the 3-D face, for example, is now any two-dimensional representation of a face, like a photograph, wouldn't work anymore, because you would need that three-dimensional information,” Schuckers says. “Other examples might be looking in the near-infrared range because obviously, you have different information present in your face in the near-infrared range than you would in a typical visible spectrum photograph.”
But even as biometric technology improves, another security question lingers: From law enforcement to advertisers and social media companies, who gets to use our biometric data to identify us? Here, Schuckers and Glaser agree that we’re still midconversation.
“I think ... we're still in a national conversation about what are the limits? What is OK, and what is not OK?” Schuckers says. “And I think the public certainly is expressing their opinions on this, and it's really up to technology and government to listen, in terms of what's the right balance between security of your own devices, security of the country, and of course, your own privacy.”
Illinois and Texas have consent laws regarding facial recognition, Glaser adds. (Washington state passed its own biometric privacy law earlier this year, but facial photos aren’t protected.) “So, in those states, or in Illinois, in particular, you're supposed to consent to your face being matched to your name using facial recognition technology. But in other places, they don't need your consent at all.”
And with companies increasingly using everything from your gait to your fingerprint to your password to identify you, “[t]he question then becomes, how is this going to be applied?” Glaser says.
“Now that they know you’re the one in the room, are they going to tailor ads to you? Are they going to dig up your criminal history? These are the questions that remain unanswered.”