You Are Your Password
By Mark Frauenfelder, May 13, 2002

Are biometrics the key to mobile security, or would the technology go too far?

Almost all my friends use PDAs, but not a single one of them uses the password protection built into the devices. They should, because their PDAs are loaded with sensitive personal information, including credit card numbers, PINs, and passwords to Web sites. But they don't.

Pecking out a password on a Palm computer is inconvenient; it ruins the purpose of a PDA, which is supposed to provide instant information wherever you are. So my friends (and I) blithely carry these tiny vaults of information around, pretending we'll always be careful and never misplace them. Of course, we're fooling ourselves. According to the Gartner Group, over 250,000 cell phones and PDAs are lost or stolen at airports every year, and only 25 to 30 percent of them ever make it back to their rightful owners.

If only there were some way to keep your private information private, without having to go through the rigmarole of entering a password every time you use your handheld. Well, thanks to biometrics, there is a way. Biometrics is a way of using parts of the human body as a kind of permanent password. In the same way that your fingerprints are unlike those of any other person, your eyes, ears, hands, voice, and face are unique, too.

In recent years, technology has advanced to the point where computer systems can record and recognize the differences between people's retinal blood vessel patterns, hand shapes, ear lobe contours, and a host of other physical characteristics. What that means is biometrics can endow your phone, PDA, laptop, and other portable devices with the ability to instantly verify your identity, and deny access to everybody else.

In other words, in the future, your boss may not know who you are when she sees you, but your cell phone will.

What are Biometrics?

Traditionally, there are two ways you can make yourself known to a stranger or a system: by what you know (such as a password or PIN) or by what you have (such as a house key or an ID card). The problem with passwords is that people forget them, or they write them down and they get stolen. And ID cards and keys can get lost, stolen, or forged. Biometrics aims to solve these problems by making you the password. You can't lose yourself (at least not without the use of some heavy drugs, but that's beyond the scope of this article), and even better, you can't be forged (even clones wouldn't be able to fool a biometric scanner, because there are plenty of recognizable differences in iris and retina patterns, fingerprints, and other physical attributes between "identical" clones).

The hue and cry over identity theft and terrorism are music to the ears of the biometrics industry. In 1999 sales of biometric equipment were around $100 million. That figure is expected to swell to $600 in 2002, says the International Biometric Association trade group.

Different biometrics systems scan different body parts, but once the information is captured, they all work pretty much the same. The computer digitizes whatever it scans into a binary code, which is checked against a previously sampled code that's associated with a name in the database. If the codes match, then the computer assumes that the person in front of the scanning device is the same person whose name is linked to the code.

Note that only a code is stored in the database, not an actual picture of the fingerprint, hand, eye, or face. This helps alleviate some, but not all, of the concerns that some people have about a database that has their biometric data stored on it, because any hacker that breaks into a computer containing biometric data would only be able to steal the codes derived from the biometric scans.
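The enroll-then-compare flow described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor it names: the feature extractor, the sensor readings, and the 0.25 threshold are all assumptions made up for illustration. It goes one step beyond the text by treating "match" as "close enough", since two scans of the same person rarely produce bit-identical codes.

```python
# Added illustration: toy biometric template matching, not a real product's algorithm.
THRESHOLD = 0.25  # assumed: largest fraction of differing bits still accepted

def make_code(scan):
    """Toy feature extractor: bit i is 1 when reading i exceeds its neighbour."""
    n = len(scan)
    return tuple(int(scan[i] > scan[(i + 1) % n]) for i in range(n))

def distance(code_a, code_b):
    """Fraction of bit positions in which two equal-length codes differ."""
    if len(code_a) != len(code_b):
        raise ValueError("codes must have the same length")
    return sum(a != b for a, b in zip(code_a, code_b)) / len(code_a)

class TemplateStore:
    """Keeps only the derived code for each name, never the raw scan."""
    def __init__(self):
        self._codes = {}

    def enroll(self, name, scan):
        self._codes[name] = make_code(scan)

    def verify(self, name, scan):
        enrolled = self._codes.get(name)
        if enrolled is None:
            return False  # unknown identity: deny
        return distance(enrolled, make_code(scan)) <= THRESHOLD

# Constructed sensor readings (not real biometric data).
ALICE_ENROL = [12, 40, 7, 33, 25, 60, 18, 51, 9, 44, 30, 5, 56, 21, 38, 14]
ALICE_RESCAN = [13, 39, 8, 31, 26, 58, 19, 52, 10, 43, 29, 6, 55, 22, 37, 11]
OTHER_SCAN = [50, 20, 45, 10, 30, 35, 55, 15, 48, 52, 8, 22, 27, 60, 5, 41]

def demo():
    store = TemplateStore()
    store.enroll("alice", ALICE_ENROL)
    return {
        "rescan_identical": make_code(ALICE_RESCAN) == make_code(ALICE_ENROL),
        "rescan_accepted": store.verify("alice", ALICE_RESCAN),
        "other_accepted": store.verify("alice", OTHER_SCAN),
        "unknown_accepted": store.verify("bob", ALICE_ENROL),
    }

if __name__ == "__main__":
    print(demo())
```

The threshold is the tuning knob: raising it turns away fewer legitimate users but lets more impostors through, and lowering it does the reverse.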

Biometrics Go Mobile

Biometrics are already in wide use around the world. For example, the Immigration and Naturalization Service Passenger Accelerated Service System (INSPASS) allows international airport travelers to use hand geometry scanners to verify their identity and bypass the immigration lines at several US airports. Airports around the country are testing various face recognition scanners to help weed out terrorists. Stockbroker Charles Schwab uses voice recognition technology to verify the identity of its customers who call the company's customer service department.

While biometrics have an obvious place in banks, airports, and high security facilities, one of the most hotly pursued areas for biometrics is in handheld devices. Dozens of companies are working on ways to integrate eye scanners, fingerprint readers, and voice recognition systems into mobile phones, PDAs, and laptops. Scanners are getting smaller, cheaper, and more accurate, making it possible to use them in mobile devices without running up the size, cost, and power consumption. Not only can biometrics render handhelds and laptops worthless to would-be thieves, they could almost eliminate fraudulent transactions.

Voiceprints and fingerprints are the two main biometric scanning technologies being considered by mobile manufacturers and wireless operators. Both of these technologies are more secure than PIN numbers and can be used to give users easy access to banking information, voice mail, email, and other private records, without requiring them to enter a password.

Voice is an obvious choice for mobile phones, because it doesn't require extra hardware on the device, and it's naturally integrated into the way people use phones. All the processing is done on the system that stores the reference voiceprints, which are as unique as a fingerprint. The biometrics system that analyzes a person's voiceprint looks for particular patterns of behavior, tone, and inflection in a voice. To prevent a hacker from simply playing a recording of someone's voice into the phone, many voiceprint systems will ask the user to repeat a couple of randomly selected words. This ensures that a real person, not a tape recording, is on the line. Nuance, Trintech, and Dialogic all have voice verification applications for mobile devices.

While voice verification is an ideal way to identify a mobile user, in some situations, it's awkward to use. If you're shopping on the Web using a smartphone with a color screen, you don't want to have to put your phone up to your ear and speak into it. In that case, fingerprint scanning is ideal. Imagine a little pad about the size of a postage stamp on your mobile phone. The pad would be placed in the spot where your thumb naturally rests on the phone. As soon as you touch it, the pad would send a signal to the microprocessor in your phone, which would compare the print with the one stored in memory. If they matched, the phone would give the all-clear signal and you could start using it. If they didn't match, the phone would lock up, and send an alert to the phone operator.

AuthenTec, a biometrics company in Melbourne, Florida, recently announced its EntrePad, a 6.5mm square sensor array, which it claims is the smallest fingerprint reader in the world, made especially for mobile devices. The EntrePad scans the fingerprint that lies under the first layer of skin, a layer that is often too scarred, dirty, or greasy to give an accurate reading.

In fact, several employees at AuthenTec sanded off their fingerprints to test the reader, and it was still able to authenticate them. The company is partnering with Texas Instruments to add its technology to chips that will be used in a number of different wireless devices. In addition, Precise Biometrics, Applied Biometrics Products, Fujitsu, and Mytec offer inexpensive, small-form-factor finger scanners made specifically for handheld devices.

I See You, I Know You

Now that some mobile phones are starting to come with built-in digital cameras (see my previous article, "Point, Shoot Share!"), the opportunities for face recognition biometrics are starting to appear. Recently, AcSys Biometrics Inc. announced that it had devised a face recognition system for wireless handhelds, and rival biometrics company Visionics has created a mobile version of its FaceIt face recognition software for wearable wireless computers. The Visionics system underwent tests by the U.S. Army Military Police, who used the system in conjunction with GPS mapping to scan the faces of base visitors and pick out suspected criminals-at-large.

Which leads to an obvious question: will biometrics usher in an era of Big Brother-style surveillance? Who wants to live in a society where the electronic devices we use can keep a record of exactly who used them, and when, and even where? The people who stand to profit from biometrics tell us not to worry. Every time we enter a PIN number at an ATM or into a mobile phone, they say, we're letting the computer know who we are and what we are doing. Biometrics does the same thing, and it has the added advantage of preventing fraud. That's a compelling argument.

Still, I can't help but wonder where biometrics might take us. There's a term civil libertarians use to describe the unintended consequences of systems that were originally designed for benign purposes. It's called function creep.

A good example is the Social Security number, which started as a number to guarantee retirement benefits, with assurances from the government that the number would never be used as a form of identification. Today, just try to open a bank account, or get insurance, or see a doctor without divulging your SSN. Now, imagine how much the government would like to have access to a nearly irrefutable record of everyone's whereabouts. Corrupt officials could use this information as a blackmail tool. And the public, knowing that their every move could be watched, will rightly begin acting like paranoids.

Sure, biometrics offers convenience, but is it worth the risk of losing our privacy? I honestly don't know. I'd like to hear what you think.
