“Banks have much to gain from biometrics”

A specialist in biometrics, and currently traveling between Japan and China to present his projects, Julián Fiérrez has spent 15 years studying biometric systems technologies for speech, face, fingerprint and written signatures. In 2002 he began working with the identification laboratory of the criminalistics service at the Head Office of the Guardia Civil, and has also brought biometrics to the National Cryptological Center and Telefónica, and more recently to Cecabank. A “close contact with these companies and institutions” has given him an insight into the real problems and opportunities of biometric systems.

Is recognizing and identifying people through biometric systems the latest fashion?

Quite the reverse –the general perception of biometric systems is not very positive. People don't see it as being very useful, and being unnecessarily sophisticated. But this type of systems has been used very successfully for decades in limited fields such as forensic research. It was only about 20 years ago, at the end of the 1990s, when the systems were first used in large-scale applications for the general public, such as in access controls to buildings and restricted areas.

Weren't they useful?

Biometric systems at the time were poorly perceived for two reasons. First, back then the systems were very limited and not very technologically advanced in comparison with the ones we have today. They were not very ergonomic, and incapable of dealing with diversity and difficulty in relatively uncontrolled operational environments.

They were not very useful for the applications for which they were designed. Rather than saving time or increasing the level of security, they were an inconvenience. In second place, high hopes –excessively so– were invested in these systems, mostly thanks to popular culture and because of ambitious and unrealistic claims. Both factors led to major commercial failures in this type of system. After that, in the last 15 years users who are unfamiliar with the technology, and technicians with no expertise in this area, have only naturally been fairly reluctant to use and deploy this type of systems.

Has the situation changed?

Currently, the recent and significant advances in multiple fields of technology mean that biometric applications are being deployed ever more widely, and overcoming the understandable barriers of reticence that were so widespread. Several areas have seen a substantial development in recent years: ergonomics and sensor quality (such as those included in smartphones and other tactile devices), robust recognition algorithms in realistic and relatively uncontrolled operational conditions, and automatic learning that exploits large datasets.

Biometric applications are being deployed ever more widely, and overcoming the understandable barriers of reticence that were so widespread".

Why are banks, companies and governments so interested in this type of recognition today?

Because they have multiple applications and are of crucial importance. These technologies will reduce or eliminate paperwork in many spheres of e-government, in medical records and legal processes; they will streamline many processes requiring the authentication of individuals; they will help prevent internal and external fraud in companies and institutions; they will make it possible to monitor and certify the skills obtained by students in distance learning, and much more. The present and future of these technologies is very promising.

Is this the end of passwords?

The aim of biometric systems is not to substitute the current processes of authentication, either cards, keys or passwords. The target most researchers working in these technologies are aiming for at the moment is to improve some aspects of the current authentication processes by supplementing them in some cases, replacing certain processes in others, and incorporating new processes which were previously impossible.

Will biometric technology live alongside passwords?

Rather than thinking of doing away with passwords, it's more a case of developing a complete authentication system that uses a password, and then improve one or several aspects of this system (security, speed, convenience, ease of management, maintenance costs and so on) by introducing biometric systems.

With this focus in mind, I think we'll see the coexistence of new password-free developments, like unlocking cellphones based on fingerprints or facial images, with a multitude of systems that continue using passwords or keys to a certain degree, perhaps supplemented with some biometric information.

The question is not whether biometrics can eliminate passwords, but whether the use of biometrics can be of help in the current world of passwords. The response to this question is definitely yes, and to a great extent.

What is the most secure biometric recognition method (voice, veins, iris….)?

All the biometric recognition methods existing today have advantages and drawbacks –from voice and handwriting through to irises and the pattern of veins on the hand. Specifically, if we're talking about security, this necessarily implies an attacker who wants to gain illicit access. Before comparing biometric features with others in the area of security, we would need to specify the model of attacker, through questions such as: how does the attack occur? how hard is it for the attacker to achieve his or her aim? The suitability of one biometric feature or another will depend on the application in question, the scenario of use, the model of attacker who wishes to violate the system, and the resources at his or her disposal.

There are several current developments that aim to homogenize these models and come up with a standard for considering a biometric system secure, and for its level of security. One such is the Common Criteria initiative, to which our group is contributing thanks to the European project BEAT (Biometrics Evaluation and Testing).

One feature can be compared with another based on factors such as usability, economic cost, durability and so on. All these factors, once the application and scenario have been determined, will point to one biometric feature or another, or a combination of several, used in a specific way and with specific sensors, as being the optimum solution. So an iris recognition system that has no protection against falsification using printed iris images may be less secure than a verification system using a handwritten signature.

What does it contribute to banks?

The banking environment is one of the areas that can benefit most from recent advances in biometric systems, as many of their operations depend on the reliable authentication and management of their customers' identities. Biometrics can vastly reduce costs such as the use and recording of information on paper or the prevention and control of a whole range of fraud. Specifically, biometric systems allow the identity of a customer to be modeled both on one-off inputs (a handwritten signature), and in an ongoing way in the medium and long term (for example with a keyboard or mouse and pointer dynamic).

The detection of anomalous behavior through these models is a good way of filtering possible fraud. Today's technology already allows a full remote relationship with the customer by making use of biometric features such as face and voice recognition for the ongoing monitoring of the user, or a handwritten signature on a touch terminal for authentication with legal validity. The great difference in this remote scenario compared to the scenario with a physical presence lies in the type of impostor that seeks to violate the system, the cost of the attacks, impact, possible protection...).

A greater understanding of these factors is key to the success of this type of initiatives in remote operating environments. Much research is currently being done in this area, and the problem is not totally resolved. Look at the results of one of the European projects in which we have also been working recently, TABULA RASA (Trusted Biometrics Under Spoofing Attacks), for example.

¿Which country is most advanced in its uptake of biometrics? 

All types of countries, from the United States and Japan to India and China are investing heavily in the research and development of these types of systems, as they are aware of the present and future benefits these technologies can provide. Not only the governments of these countries, who have launched programs to fund research, but also companies like Google, Facebook, Microsoft, NEC and Fujitsu are all making a strong commitment to this type of technology.

What sector do you think it can help most? 

As I said before, the banking sector has yet to tap into the substantial advantages offered by these technologies in recent years, and it has much to gain from them. They can reduce the costs related with the management of identities, fraud prevention, customer convenience and the opening of new customized services both in person and remotely.

Other sectors that will benefit vastly from developments in biometrics include distance learning (students' uptake of the course material can be monitored and their learning outcomes can be certified as a result), e-government, insurance companies, notary services, courts, medical registers and health records, and more. In fact any area in which it is necessary to authenticate individuals and subsequently manage these identities.

Are privacy and biometrics compatible?

Yes. Most of the current large-scale developments in biometric systems are very aware of the importance of protecting privacy, particularly in Europe, where the legislation on data protection is clear and strict.

Many of these biometric systems do not in fact store (on the biometric template) the user's registration information in an open way, but via encrypted versions, or with very limited information which –in the most recent developments– are not even unencrypted for comparison with other biometric templates. These techniques for the protection of biometric templates are in fact a red-hot issue in research, and an area in which my group at the UAM is also working.