Feeds

Fingerprints as ID - good, bad, ugly?

Well, there's an effectiveness:usability trade-off, for starters

  • alert
  • submit to reddit

Seven Steps to Software Security

Why are we just talking about fingerprints, aren't there other kinds of biometrics? I'm glad you asked me that. Iris recognition is potentially a simpler recognition job, and the NPR humorously (?) observes that fraudsters tend to be more reluctant to mess with their eyes than their fingerprints (slightly useless factoid: "over 1 in 1,000 fingers are missing or have no fingerprint", but only 1 in 10,000 lack a usable iris for recognition purposes).

There have been no widespread deployments of iris scanning systems, and there are difficulties associated with broad deployment of enrollment and reading systems. Current systems require careful alignment and good lighting conditions, and enrollment systems will be more costly to operate and will have a poorer throughput than for fingerprints. And we can perhaps entertain unworthy thoughts about how the police might best achieve optimum conditions with mobile iris recognition systems after dark - slam suspect up against wall, shine bright light in their eyes...

Facial recognition meanwhile is rejected entirely by the NPL study. It quotes one study as finding a false match rate of 1 in 1,000 with a false non-match rate of 1 in 10, but points out that a longer time lapse between enrollment and check, and less optimum lighting conditions would produce a false non match rate of 6 in 10 at a false match rate of 1 in 1,000. The best you can say is it's not ready for prime time, but it might have an application as a supporting biometric to reduce false matches from the primary one.

NPL's observations about the lower possibility of people trying to falsify their eyeballs does however raise the possibilitiy of fingerprint falsification. David Westcott reminds us about the use of gummy false prints. The feasibility of these means some degree of observation of the hand will be necessary when it's placed on the reader, and that the use of fingerprint recognition in unattended security scenarios is of dubious value.

What about DNA? Pete Austin rightly corrects me for another unwarranted assumption:

Actually, if my DNA is found at the scene of a crime, it only means that my DNA is there. But DNA is easy to aquire. For example, like most people, I don't guard my wheely bin to stop criminals nicking vacuum cleaner dust, much of it hair and skin cells brimming with my DNA, to scatter at any crime scene of their choice.

Quite right, Pete. But as you, the container of the vast majority of your DNA, are likely to be present at an ID check, we don't necessarily need to be talking forensic worries here. They can just watch you, er, leak into a handy receptacle, or something. Kristoffer Winther Sørensen suggests that it actually is currently possible to do on-site DNA fingerprinting:

In the biomedical industri and academia we use a device called a PCR lightcycler to basically copy/clone DNA. As far as I know this technique was developed by the US military to facilitate the identification of possible biological agents used in biological warfare. The device is small enough to be carried on the back of a soldier and costs around $15.000. So I don't think there is a technical problem to "on-site" DNA fingerprinting.

Is there no end to the US Army's specialist hardware collection? Kristoffer however points out that DNA fingerprinting can give rise to false positives, "even if the material is of superb quality."

From memory, the methods used in Denmark will give a positive in 1 out of 100.000 persons. So if all danes were in a DNA register, on average 52 persons (population of 5.2 million) would match a crime-scene DNA-profile. That's a lot of suspects.

And we've had many more emails on the subject. We've skipped the ones saying what David Blunkett is (true, people, but this is established), and we've skipped the one claiming authorship of a system "paying 2.5 million people a month using fingerprint technology." We couldn't help noticing that in the country in question there seems to have been some debate about the effectiveness of this system, so we'll just have to call it 'jury still out.'

Seven Steps to Software Security

More from The Register

next story
Canuck reader threatens suicide over exact dimensions of SPAAAACE!
How many As? Reg hack's writing cops a shoeing
Delaware pair nabbed for getting saucy atop Mexican eatery
Burrito meets soft taco in alleged rooftop romp outrage
Japanese artist cuffed for disseminating 3D ladyparts files
Printable genitalia fall foul of 'obscene material' laws
Brit Rockall adventurer poised to quit islet
Occupation records broken, champagne corks popped
Apple: No, China. iPhone is NOT public enemy number 1
Beijing fears it could beam secrets back to America
Accused! Yahoo! exec! SUES! her! accuser!, says! sex! harassment! never! happened!
Allegations were for 'financial gain', countersuit claims
Carlos: Slim your working week to just three days of toil
'Midas World' vision suggests you retire later, watch more tellie and buy more stuff
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.