RSA Report: Are Fingerprint Readers Ready for Widespread Commercial Use?
Posted by K.M. Das
K.M. is blogging from the RSAConference2006 in San Jose this week.
One of the decisions I had made on my way to the RSAConference2006 was that I was not going to post any vendor-specific remarks or reviews based on what I saw at the conference or on the Exposition floor. I had a number of reasons for this decision, not the least of which were that: (1) I simply do not know enough about the technologies to write a knowledgeable review, and (2) I would only be getting the vendors' view of the technology and not the other side of the story. But as they say about the best laid plans of men and mice . . . .
As with previous years, once again this year was predicted to be the year that biometrics would finally take off. Every vendor involved in the biometric industry, in biometric R&D, or in setting biometric standards assured me that biometrics is here and will soon replace the password as the first authentication standard. On the other hand, those involved in reviewing these technologies to determine whether to deploy them at their companies or their clients' companies pointed out to me that biometrics simply was not ready for widespread commercial use. One integrator told me that by the end of the year he could see fingerprint readers moving from the third factor to the second factor in multifactor authentication, but he did not see fingerprint readers (or any other form of biometrics) becoming the first factor unless the industry addresses the rate of false rejections (i.e., when the reader fails to allow in a person whom it should allow in). Data discussed at one of the presentations, which showed that with one biometric system the rate of false rejections six weeks after the person was first scanned into the system was as high as 30%, confirmed his analysis. A system that would not let in approximately one out of three people whom it should let in is simply not ready for widespread deployment.
When I discussed this with a person involved in setting standards for the biometric industry, he pointed out that: (1) it was not clear that the system was a fingerprint reader; and (2) the solution was to set the selectivity of the system much lower. His rationale was that unless you are dealing with a nuclear power plant (his words, not mine) you really have to decide what the chances are that someone will try to hack into a system and what the cost of such a hack would be, and balance that against how selective you make the system. For a law firm, because I had mentioned I was a lawyer, he suggested that it would probably make sense to set the selectivity so that it produced approximately five percent false positives, to ensure that the percentage of false rejections was appropriately low (much lower than the 30% figure I was discussing with him). Needless to say, this was not a terribly convincing argument; I would love to explain to my clients why I lost their incredibly confidential data just for the convenience of not having to remember a complicated password and not getting locked out of my computer.
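The trade-off the standards person was describing is a single decision threshold on the matcher's comparison score: raise it and the false acceptance rate (his "false positives") falls while the false rejection rate climbs; lower it and the reverse happens. The following is an added example, not code from the original post or from any vendor mentioned in it, that sweeps such a threshold over a constructed, purely illustrative set of genuine and impostor scores on a hypothetical 0..100 scale, and shows what capping false acceptances at five percent does to the rejection rate:

```python
"""Decision-threshold trade-off for a biometric matcher.

Added, illustrative example. The score lists below are constructed for
this example; they are not measurements from any real fingerprint reader.
A comparison score runs 0..100, higher meaning a stronger match, and an
attempt is accepted when its score is at or above the threshold.
"""

# Constructed scores from enrolled users presenting their own finger.
GENUINE_SCORES = [96, 94, 93, 91, 90, 88, 87, 85, 84, 82,
                  80, 78, 76, 74, 72, 70, 66, 62, 58, 50]
# Constructed scores from other people (impostors) presenting their finger.
IMPOSTOR_SCORES = [64, 57, 54, 50, 47, 45, 43, 41, 39, 37,
                   35, 33, 31, 29, 27, 25, 23, 21, 19, 15]

THRESHOLDS = range(0, 101)   # every candidate threshold on the 0..100 scale


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False acceptance rate: fraction of impostor attempts scoring >= threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """False rejection rate: fraction of genuine attempts scoring < threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(threshold, FAR, FRR) for every candidate threshold, ascending."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in THRESHOLDS]


def threshold_for_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Most lenient threshold whose FAR does not exceed max_far.

    FAR is non-increasing in the threshold, so the first threshold in the
    ascending sweep that satisfies the cap is the one with the lowest FRR
    among all thresholds that satisfy it. Returns (threshold, FAR, FRR).
    """
    for t, a, r in sweep(genuine, impostor):
        if a <= max_far:
            return t, a, r
    raise ValueError("no threshold meets the requested FAR cap")


def equal_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold at which FAR and FRR are closest, and that common rate."""
    t, a, r = min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def policy_report(strict_threshold=75, far_cap=0.05):
    """Compare a strict fixed threshold with a 'cap FAR at far_cap' policy."""
    lenient_t, lenient_far, lenient_frr = threshold_for_far(far_cap)
    return {
        "strict": {"threshold": strict_threshold,
                   "far": far(strict_threshold), "frr": frr(strict_threshold)},
        "far_capped": {"threshold": lenient_t,
                       "far": lenient_far, "frr": lenient_frr},
    }


if __name__ == "__main__":
    for name, row in policy_report().items():
        print(f"{name:10s} threshold={row['threshold']:3d} "
              f"FAR={row['far']:.2f} FRR={row['frr']:.2f}")
    t, eer = equal_error_rate()
    print(f"equal error rate {eer:.2f} at threshold {t}")
```

On the constructed scores, a strict threshold of 75 accepts no impostor but rejects 35% of genuine attempts, in the range of the 30% figure from the presentation; capping FAR at five percent pushes the threshold down to 58 and the rejection rate down to five percent. The cost is visible in the same table: at a five percent FAR, one impostor attempt in twenty succeeds, and unless the reader limits retries that is a weak barrier, which is exactly the objection above.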
The press has discussed at great length the ease with which some fingerprint readers can be spoofed. And some of the suggested solutions, for example sensors that look for evidence of perspiration, will not work when a person is dehydrated (e.g., after getting off a flight, or someone who naturally has dry skin). Although I saw a number of other suggested solutions to the typical spoofs on the Exposition floor, one solution struck me as particularly promising. A company called Lumidigm has come up with a multispectral reader that actually takes a snapshot of the capillaries under your finger. Apparently the capillaries under the skin form a pattern identical to the pattern of ridges and valleys on your skin, and by taking a snapshot of the capillaries the reader avoids many of the standard spoofs: prints on a gummi bear, a very thin membrane placed over the finger of some other person, or a heated cast of someone's finger. Additionally, the scan takes into account the spectral qualities of blood, so a finger from a cadaver (a la James Bond) will not work either. And because it takes a picture of the capillaries below the skin, the reader is not affected by lack of perspiration, dirty fingers, or humidity (readers that take a picture of the finger have a high rate of false rejections when it is very humid out, as they cannot get a very good picture). The downside with a multispectral reader is that it will probably be difficult to deploy on a PDA or laptop (many companies have started building fingerprint readers into their laptops).
In my opinion, biometrics has come a long way and some of the proposed solutions to make them more reliable and hard to spoof (including Lumidigm's) show a great deal of promise. However, until the biometrics companies can deal with the rate of false rejections (a topic not as sexy as whether they can be spoofed, but more important to any company looking to deploy this technology), fingerprint readers are simply not ready for widespread use.