Feeds

Fingerprints as ID - good, bad, ugly?

Well, there's an effectiveness:usability trade-off, for starters

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Why are we just talking about fingerprints, aren't there other kinds of biometrics? I'm glad you asked me that. Iris recognition is potentially a simpler recognition job, and the NPR humorously (?) observes that fraudsters tend to be more reluctant to mess with their eyes than their fingerprints (slightly useless factoid: "over 1 in 1,000 fingers are missing or have no fingerprint", but only 1 in 10,000 lack a usable iris for recognition purposes).

There have been no widespread deployments of iris scanning systems, and there are difficulties associated with broad deployment of enrollment and reading systems. Current systems require careful alignment and good lighting conditions, and enrollment systems will be more costly to operate and will have a poorer throughput than for fingerprints. And we can perhaps entertain unworthy thoughts about how the police might best achieve optimum conditions with mobile iris recognition systems after dark - slam suspect up against wall, shine bright light in their eyes...

Facial recognition meanwhile is rejected entirely by the NPL study. It quotes one study as finding a false match rate of 1 in 1,000 with a false non-match rate of 1 in 10, but points out that a longer time lapse between enrollment and check, and less optimum lighting conditions would produce a false non match rate of 6 in 10 at a false match rate of 1 in 1,000. The best you can say is it's not ready for prime time, but it might have an application as a supporting biometric to reduce false matches from the primary one.

NPL's observations about the lower possibility of people trying to falsify their eyeballs does however raise the possibilitiy of fingerprint falsification. David Westcott reminds us about the use of gummy false prints. The feasibility of these means some degree of observation of the hand will be necessary when it's placed on the reader, and that the use of fingerprint recognition in unattended security scenarios is of dubious value.

What about DNA? Pete Austin rightly corrects me for another unwarranted assumption:

Actually, if my DNA is found at the scene of a crime, it only means that my DNA is there. But DNA is easy to aquire. For example, like most people, I don't guard my wheely bin to stop criminals nicking vacuum cleaner dust, much of it hair and skin cells brimming with my DNA, to scatter at any crime scene of their choice.

Quite right, Pete. But as you, the container of the vast majority of your DNA, are likely to be present at an ID check, we don't necessarily need to be talking forensic worries here. They can just watch you, er, leak into a handy receptacle, or something. Kristoffer Winther Sørensen suggests that it actually is currently possible to do on-site DNA fingerprinting:

In the biomedical industri and academia we use a device called a PCR lightcycler to basically copy/clone DNA. As far as I know this technique was developed by the US military to facilitate the identification of possible biological agents used in biological warfare. The device is small enough to be carried on the back of a soldier and costs around $15.000. So I don't think there is a technical problem to "on-site" DNA fingerprinting.

Is there no end to the US Army's specialist hardware collection? Kristoffer however points out that DNA fingerprinting can give rise to false positives, "even if the material is of superb quality."

From memory, the methods used in Denmark will give a positive in 1 out of 100.000 persons. So if all danes were in a DNA register, on average 52 persons (population of 5.2 million) would match a crime-scene DNA-profile. That's a lot of suspects.

And we've had many more emails on the subject. We've skipped the ones saying what David Blunkett is (true, people, but this is established), and we've skipped the one claiming authorship of a system "paying 2.5 million people a month using fingerprint technology." We couldn't help noticing that in the country in question there seems to have been some debate about the effectiveness of this system, so we'll just have to call it 'jury still out.'

Intelligent flash storage arrays

More from The Register

next story
Criticism of Uber's journo-Data Analytics plan is an Attack on DIGITAL FREEDOM
First they came for Emil – and I'm damn well SPEAKING OUT
'It is comforting to know where your data centres are.' UK.GOV does NOT
Plus: Anons are 'wannabes', KKK says, before being pwned
Google's whois results say it's a lousy smut searcher
Run whois google.com or whois microsoft.com. We dare you, you PIG◙◙◙◙ER
Holy vintage vehicles! Earliest known official Batmobile goes on sale
Riddle me this: are you prepared to pay US$180k?
'Open source just means big companies can steal your code.' O RLY?
Plus: Flame of the Week returns, for one night only!
NEWSFLASH: It's time to ditch dullard Facebook chums
Everything hot in tech, courtesy of avian anchor Regina Eggbert
Hey, you, PHONE-FACE! Kickstarter in-car mobe mount will EMBED your phone into your MUG
Stick it on the steering wheel and wait for the airbag to fire
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.