Evolution of biometrics: How much can you protect?

Tuesday December 01 2020

A customer completes a transaction. Transactions conducted on biometric-enabled devices such as smartphones and laptops ensure payment access via fingerprint or face recognition technologies. PHOTO/Edgar R. Batte

By Charlotte Ninsiima

You are probably familiar with swiping an identity card or using your fingerprints to get through an entrance or to withdraw money. All this helps business operations run more effectively.

Most organisations have invested in biometric security systems to cut out corruption and inefficiencies and to build sound structural mechanisms. TechTarget, an online security platform, defines biometrics as the measurement and statistical analysis of people’s unique physical and behavioural characteristics. The technology is mainly used for identification and access control or for identifying individuals who are under surveillance.

Biometrics were introduced in 1800 in France, where Alphonse Bertillon, a former French police officer, developed a method of taking specific measurements of an individual and using them to profile criminals. It started in the criminal justice system, so that if a particular person was seen elsewhere, their traits could be compared with the records to identify them.

Nicholas Kyomuhendo, an ethical hacker and innovator, simplifies biometrics as the physical or behavioural human characteristics that can be used to digitally identify a person. The commonest form is the fingerprint scanner. These are used to grant access to computer systems and to devices such as smartphones. Using the biometric properties or features of individuals gives access to data in certain environments.

Biometrics are a faster form of authentication. There is also an element of convenience and it is secure to some extent. Security is always a relative statement, he argues.

The quality of a biometric system or scan depends on the number of sensors used to pick up the data. Kyomuhendo says that in devices like smartphones, which are still evolving, a scan may not be as accurate or as good as it is in another system, because the sensors packed into a small mobile phone may not be enough, whereas high-end systems have multiple sensors to scan with. The latter capture a good print or signature of the entity and are much more secure. Therefore, accuracy is based on the sensors used.


Examples of existing biometrics include fingerprint scanners, facial pattern recognition systems, palm vein signature scanners (infrared vein pattern scanners), and iris and retina scanners, which look inside the eye at the unique signature inside the retina.


The futuristic ones, Kyomuhendo explains, are still undergoing research and are yet to become mainstream, such as brain wave pattern scans, which identify you by the way your brain waves move. Still in the pipeline are heartbeat and DNA scans. DNA systems require a sample of your DNA to grant you access after you have been identified.

There is another form based on behaviour. These are behavioural identifiers; the way you move can also be used to create a profile of a person. The advantage is that it is contactless. In our current situation, contactless biometric systems have an advantage in that they are less likely to spread the disease. They are also faster than those which require contact.

They are categorised as physical, such as the way someone walks, and online: some systems require you to type something so they can assess the speed at which you type and the pressure applied to the keyboard. This is used to build a pattern unique to an individual that can be used to identify them in other systems. In other cases, that pattern can be used to differentiate a human being from a robot.

But with changing times, you never know: machines can learn from us and get better.
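The typing-pattern idea described above can be sketched in a few lines. This is an added example, not part of the original article: it uses timing only (no key pressure), and the function names, the 5 ms spread floor, the 2.0 threshold and all timings are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def features(sample):
    """sample: list of (key, press_ms, release_ms) for one typed phrase.
    Returns dwell times (how long each key is held) followed by flight
    times (gap between releasing one key and pressing the next)."""
    dwell = [rel - prs for _, prs, rel in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight

def enroll(samples):
    """Build a profile: per-feature mean and spread over enrollment samples."""
    cols = list(zip(*(features(s) for s in samples)))
    # Floor the spread so a perfectly consistent feature cannot divide by zero.
    return [(mean(c), max(pstdev(c), 5.0)) for c in cols]

def score(profile, sample):
    """Mean absolute deviation from the profile, in units of spread."""
    feats = features(sample)
    if len(feats) != len(profile):
        raise ValueError("sample length does not match enrolled phrase")
    return mean(abs(f - m) / s for f, (m, s) in zip(feats, profile))

def matches(profile, sample, threshold=2.0):
    # Assumed threshold; a real system tunes it on labelled data.
    return score(profile, sample) <= threshold

def typed(timings):
    # Constructed timings (milliseconds) for the four-key phrase "pass".
    return [(k, p, r) for k, (p, r) in zip("pass", timings)]

ENROLLMENT = [
    typed([(0, 95), (160, 250), (330, 410), (480, 565)]),
    typed([(0, 100), (170, 255), (340, 425), (500, 580)]),
    typed([(0, 90), (155, 245), (320, 405), (470, 560)]),
]
SAME_USER = typed([(0, 97), (165, 252), (335, 418), (490, 572)])
OTHER_USER = typed([(0, 150), (300, 420), (600, 700), (950, 1090)])
# Evenly spaced, identical hold times: the kind of input a script produces.
SCRIPTED = typed([(0, 10), (20, 30), (40, 50), (60, 70)])
PROFILE = enroll(ENROLLMENT)

if __name__ == "__main__":
    for name, s in [("same", SAME_USER), ("other", OTHER_USER), ("scripted", SCRIPTED)]:
        print(name, round(score(PROFILE, s), 2), matches(PROFILE, s))
```

The same person typing the phrase again scores well under the threshold, while a different typist and mechanically regular input both score far above it.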

Biometrics versus passwords

Biometrics are convenient. However, they are a bit more complicated to implement than password systems.

Biometric systems capture information that is immutable. In situations where that information is exposed, lost or falls into the hands of the wrong people, it can be abused, with far-reaching consequences. He expounds, “Imagine your data is stolen. You can easily be impersonated, unlike passwords where the party that has been breached will issue an advisory warning and advise them to update their passwords. One might not update their eyeballs or change the face.”


When dealing with biometrics, take the security of the data into consideration. It is advisable to implement encryption in the running system. There are three forms of encryption. First, the data should be encrypted before it is saved so that if someone steals it, they cannot make use of it. There are security risks involved because it is possible to beat biometrics, and this has been proven.

Data also ought to be encrypted in motion, that is, during transfer from the scanner to the database, or from where you are trying to authenticate to the application that authenticates.

In addition, there is encryption during run time, when data from storage is processed on the device for verification. Intruders or hackers could intercept it at that point. The IT consultant encourages the use of technologies that encrypt data even during runtime.

“We can’t have any losses during that stage at the time.”

Technology has advanced so much that there are now 3D printers, and it is possible to print out your palm print. Research has shown that even palm vein scanners can be fooled by 3D-printed rubber palms imitating the physical palm, but this has been seen in the laboratory.

A proof of concept has also shown that the iris scan can be beaten with a photo that has been taken and printed. The contact lens and the photo, researchers reported, were able to open a phone. However, some of these proofs of concept have been proved in laboratories. It is not yet clear that they are easy to implement in the wild.

For now we might be safe, but at the rate technology is moving, it will be possible that once these entities (biometric data) are linked, hostile individuals or parties can fabricate another identity, and you find that you have multiple people claiming the same identity.


Going forward

Implement good data privacy policies. Also install multifactor authentication that consists of the use of one token to authenticate an individual. This means testing an individual for something they know, one of the tokens like a password or PIN.

Additionally, use a second factor like an Identity Card (ID).

A fingerprint, a password and a work ID together could be very hard to fake at once. Some giants like Gmail have implemented multifactor authentication.