Computing Applications

New Approaches to Biometric Security

biometric eye scan and fingerprint
The use of fingerprints for identification may date back to Babylonian times, while facial recognition dates to the 1960s, and vein recognition has been around for decades.

Businesses and organizations of all sorts need to restrict access—to systems, devices, accounts, places, and more—to only those people who should have it. The most common method for accomplishing this is to require each user have a password, sometimes backed up with a code they get on their phone or by answers to questions about something personal, like their first car.

An increasingly common alternative is biometric security: identifying someone by some physiological feature of their body. Every body is unique, and one's body is always available, while passwords and security questions can be forgotten. Fingerprints and facial recognition have become mainstream forms of biometric security (although both of these methods have downsides, which create demand for other physiological approaches).

New biometric security methods place a priority on contactless identification (such as facial recognition), propelled by the pandemic and the public's increased reluctance to touch shared surfaces. According to a study by Canadian-Indian market research firm Precedence Research, the contactless biometrics technology market was valued at $6.95 billion worldwide in 2021, and is expected to reach over $37.10 billion by 2030. Another market research organization, UAE-based Fact.MR, sees an even larger market for biometric security solutions growing from $17.1 billion this year to $78.6 billion in 2032.

Current downsides

The use of fingerprints for identification may date back to Babylonian times, when it was used as a form of signature on clay tablets. Modern Americans use their fingerprints for everything from getting a driver's license to unlocking their smartphones. However, fingerprint sensors are far from foolproof, as it is vulnerable to measures as simple as using adhesive tape to lift a fingerprint from a surface and using it to fool security into unlocking.

Facial recognition dates to the 1960s, when a researcher at the Rand Corporation used a digital tablet to mark coordinates of facial features on a grid. By 2017, smartphone manufacturers were offering facial recognition as a way for users to unlock their phones.

However, "The pandemic taught us that face recognition does not work with masks on, and certain ethnic groups have more difficulty being accurately identified than others," says Chris Jahnke, senior vice president for Global Business Development at EyeLock, a company that provides iris-based authentication. "To get around masks these days, some companies are using only what is available to be seen—the area around the eyes—and this greatly reduces their accuracy because they are taking fewer data points into consideration."

Facial recognition also raises privacy issues. For one thing, it can be used to track people in public, as well as just unlocking their phones. Users feel proprietary about their appearance, too, and worry about data breaches: the U.S. Internal Revenue Service (IRS) in 2021 started using facial recognition-based security to allow taxpayers access to their accounts, but taxpayers reportedly found the process frustrating and intrusive, so the IRS discontinued its use of facial recognition software.

A show of hands.

Bernard Garcia, founder and CEO of nVIAsoft Corporation, which provides what the company calls the "world's first contactless multimodal hand biometric," describes fingerprint recognition as being part of the "golden age" of biometrics. "You can't abandon it, because it's being used by the government for many purposes, but we are witnessing changes in technology because of the prevalence of identity theft data breaches. We need a more secure and hygienic method."

nVIAsoft's Verihand biometric security system is based on scanning the vein patterns in a user's palm and fingers. Vein pattern recognition (also called vascular technology) is based on the fact that hemoglobin in the blood changes color when exposed to near-infrared light, enabling vein patterns to be traced.

Vein recognition, which has been around for decades, has been seeing new interest from technology manufacturers in recent years. For example, in 2014, Fujitsu demonstrated its PalmSecure system for authentication using palm recognition; and in 2020, Hitachi launched its VeinID Five finger recognition product. In 2021, Eqypt reportedly was planning to use the Hitachi system to provide digital ID authentication for its national ID program by integrating the capability for finger-vein recognition.

Verihand combines both finger and palm vein recognition. "Unlike current biometric methods," says Garcia, "Verihand captures the complex vein structure of the entire hand," so it has more data points to work with than a finger- or palm-only approach. The system generates a unique, encrypted code representing the pattern, which is matched for identification and authentication later. "The device that reads the veins is like a TV remote control," says Garcia. "We use partial infrared—it's harmless and non-invasive."

Vein recognition offers one big advantage over fingerprints, says Garcia: the approach we've seen in movies, where the bad guy cuts off someone's fingertip to unlock a phone or open a door, just won't work. He explains, "If you cut off the hand, there will be no blood to track."

The eyes have it.

Another contactless approach is based on scanning the eye. "Iris scanning can identify one out of 1.5 million people with one of their eyes or 1 out of 2.25 trillion people with both," says Eyelock's Jahnke. Market research firm StrategyR predicts the global market for iris-based biometrics will rise from $2.8 billion this year to $4.3 billion by 2026.

Iris recognition avoids many of the pitfalls of facial recognition, explains Jahnke. "It doesn't care what the color of your skin is or what your hair, beard, or other facial features look like," he says. "If you can see a person's eyes, they can be authenticated."

Iris recognition works by illuminating the iris with infrared light, which reveals the complex patterns within. Software then generates a digital code that describes the information captured. Eyelock's code doesn't contain an actual image of the iris, but represents 240 points of data about each eye. The pattern is stored in a database from which it can be recalled for identification and verification. "Should your iris become damaged or diseased, you simply re-enroll that affected eye," Jahnke says, adding that most iris recognition systems also can be programmed to work with one eye.

Eyelock's technology also incorporates "liveness detection methods" to ensure it's looking at a real person and not, for example, a photograph or video clip. One method commonly used in the industry is determining that the pupil changes size when the scanner's light shines into it; another is the familiar redeye phenomenon from photos. "These are just two of many things we do in that fraction of a second a scan takes to verify that it's a live person," Jahnke explains.

Future directions

Neither of these methods, and no single method, is the final answer, says Jahnke, as in the end, biometric security will rely on "multimodal" approaches. "Devices that provide multiple biometric modalities are the future of biometrics. Eyelock will soon be releasing its first dual contactless multimodal product, combining both iris and face."

However, some challenges persist, including one that arises from the same persistent, unique aspects of physiological biometrics that make them so useful: the data isn't easily changed. You can't just replace someone's iris pattern or the veins in your hand the way you can create a new password. According to FactMR, replacement of biometrics data is one of the major challenges expected to hinder the growth of the contactless biometrics technology market.

Jake Widman is a San Francisco, CA-based freelance writer focusing on connected devices, Smart Homes and Cities, Extended Reality, and other emerging technologies.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More