Fergil BV

Fingerprint biometrics to peak, so what's next?

26/1/2016

 
Fingerprint biometrics have been around for at least 25 years. The current mass adoption was long in the making, much longer than any respected analyst firm had predicted. The Forresters and Gartners of this world at first underestimated public skepticism and privacy concerns.
In the '90s there were a lot of initiatives to promote and implement fingerprint biometrics*, but not infrequently these projects ended earlier than expected for the above-mentioned reasons.

Public opinion on biometrics in general, and fingerprint biometrics in particular, changed this millennium for a variety of reasons: the tragic events of 9/11 were the trigger that fueled the global security market, followed by the increased online collection of personal data, which leads, by definition, to increased internet crime.

In the last decade of the previous century, biometric fingerprint technology was expected to play an important role in the early days of e-commerce. Pioneers like SAFLink, Lernout & Hauspie, Iridian, Visionics, AuthenTec and others paved the way and shaped the market as it is today.
The majority of those companies are no longer around; they went bankrupt or were acquired at some stage.
With the consumerization of IT and biometrics being embedded in smartphones, the payment industry now drives biometric adoption in the e-commerce space with neat apps.

The market as it is today is divided into 3 segments:
  1. The border control market
  2. Enterprise market
  3. Consumer market
Each market has its own biometric-specific specifications for security and access control systems. Whereas 1:N matching is typically used in the border control market, 1:1 and/or 1:Few matching is used in the enterprise and consumer markets.

The enterprise market stores biometric templates typically in central directories like AD or eDir and they are controlled by the user and administrators, whereas templates in the consumer market are stored locally on the device and are fully controlled by the user.
Slowly but surely these markets converge. We're moving to a world where your mobile phone is your digital you and fully trusted by Governments across the globe.

Back to fingerprint biometrics. The market for fingerprint biometrics matured over the last decade. After a lot of consolidation in the market, prices dropped to an acceptable level, and they will drop even further.
What technology vendors learned is to embed fingerprint technology in such a way that it is easy for the user to enroll and is automatically adopted by the various apps (thank Steve Jobs for the app store).

The downside of fingerprint biometrics is that every fingerprint reader can be spoofed.

The essence of fingerprint technology is of course your fingerprint. Something you leave behind everywhere you go. In other words, it's easy to obtain your fingerprint without you even knowing.
Fingerprint readers are built to recognize you, and some have anti-spoofing systems built in, sometimes very rudimentary and sometimes very sophisticated. In general, if you pay more you get more quality. However, even the most sophisticated systems are not fully spoof-proof.
The more applications, and the more (business) value, are protected by fingerprint biometrics, the more advanced the attacks on the system will become, forcing users and corporations to implement other (biometric) technologies besides fingerprint biometrics.

Let's take a look at the most likely biometric technology candidates.
We have:
  • Facial
  • Voice
  • Iris
  • Vein
  • Heartbeat
  • Behavior
  • others (DNA, ear etc)
As for biometrics, there is no 1-fits-all biometric technology. That is never going to happen; well, maybe somewhere in a distant future when we have an easy and fast way to extract DNA and perform a match. That is, once privacy concerns have been overcome, of course.

Voice & Face
Given the fact that there is no 1-fits-all, Face & Voice are not likely to be winners, since for them to work correctly you need to be able to control the environmental settings (lighting, noise etc.) under all circumstances. And that will prove to be a mission impossible. So face and voice are not the most likely candidates to be the biometric successor of fingerprint.

Iris
Iris is becoming interesting again. After Iridian screwed up the market with their idiotic patent threats, the various patents have now expired and innovation in iris cameras is reaching a new peak. They are becoming affordable, the cameras are getting smaller, and the next generation will probably be embedded in smartphones.
Iris algorithms are fast and perfectly suitable for 1:N matching, making them a more likely candidate for border control than for enterprise and consumer biometrics. As you can see in the video below there is always something needed called "hamming distance" (20cm in the video), the range where the actual iris is captured. It is simply not a very user-friendly technology. It's a bit clumsy, to be honest.
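The 1:1 and 1:N matching modes mentioned for the market segments earlier and for iris above, as an added example that is not part of the original post. Templates are modelled as fixed-length bit strings compared by fractional Hamming distance (the share of differing bits, which is how iris codes are scored); the 2048-bit length, the 0.32 threshold, all names and the sample gallery are assumptions constructed for illustration.

```python
import random

BITS = 2048       # assumed template length, chosen for this example
THRESHOLD = 0.32  # assumed accept threshold on fractional Hamming distance


def hamming_fraction(a: int, b: int, bits: int = BITS) -> float:
    """Share of bit positions in which two templates differ (0.0 to 1.0)."""
    return bin(a ^ b).count("1") / bits


def verify(probe: int, enrolled: int, threshold: float = THRESHOLD) -> bool:
    """1:1 verification: one comparison against the claimed identity."""
    return hamming_fraction(probe, enrolled) <= threshold


def identify(probe: int, gallery: dict, threshold: float = THRESHOLD):
    """1:N identification: compare against every enrolled template."""
    best_id, best_d = min(
        ((uid, hamming_fraction(probe, t)) for uid, t in gallery.items()),
        key=lambda pair: pair[1],
    )
    return best_id if best_d <= threshold else None


def false_match_rate_1_to_n(fmr_single: float, n: int) -> float:
    """Chance of at least one false match over n independent comparisons."""
    return 1.0 - (1.0 - fmr_single) ** n


def noisy_capture(template: int, flip_rate: float, rng: random.Random) -> int:
    """Constructed stand-in for a fresh capture: flip bits at random."""
    noise = sum(1 << i for i in range(BITS) if rng.random() < flip_rate)
    return template ^ noise


def demo() -> dict:
    rng = random.Random(2016)  # fixed seed, constructed sample data
    gallery = {f"user{i}": rng.getrandbits(BITS) for i in range(200)}
    probe = noisy_capture(gallery["user42"], 0.10, rng)
    return {
        "verify_genuine": verify(probe, gallery["user42"]),
        "verify_wrong_claim": verify(probe, gallery["user7"]),
        "identify_genuine": identify(probe, gallery),
        "identify_stranger": identify(rng.getrandbits(BITS), gallery),
        "fmr_1_to_1M": false_match_rate_1_to_n(1e-6, 1_000_000),
    }
```

With a per-comparison false match rate of one in a million, a search over a million enrolled templates yields at least one false match about 63% of the time, which is why a 1:N deployment needs a far stricter threshold than a 1:1 check.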
Vein
My first encounter with vein technology was back in 2005. I had a nasty issue with fingerprint technology by BMF (pressure sensitive readers) in a datacenter and Hitachi as supplier of BMF in Europe invited us to test new groundbreaking technology first hand.
I met the director of biometric technology in Hoofddorp where I saw finger vein technology for the first time. I immediately thought it was a far better technology than fingerprint biometrics, but a little too late to enter the border control market. The standards for fingerprint were already set.
A year later Fujitsu launched palm vein technology. Both technologies look at the vein pattern, with the difference that finger vein technology reads the pattern "through" the finger whereas palm vein technology is based on a reflected image of the pattern.
I leave it up to the reader to judge which of the methods is more secure than the other.
Fact is that the vein algorithms are not suitable for 1:N matching like the iris one. You need additional technologies like fusion in-memory databases to get performance, which increases the total cost of ownership.

The other downside to palm & finger vein technology is the way the two vendors structured their licensing model. In short, it sucks. It's a showstopper for the mass adoption of vein technology. I wrote about this in my previous blog on the "biometrics 2015".

Another vein tech provider is EyeVerify. This Kansas-based startup "reads" the vein pattern in the corner of your eye. It is cool technology as demonstrated below. But like iris recognition one can wonder if it is suitable for mass adoption by consumers. It's a nice add-on and doesn't require any additional hardware, but it is not very user-friendly as it is now. Maybe in the future, when cameras are even better at recognizing from a distance. You always have to look straight into the camera, which you cannot do under every circumstance. Like face recognition, you will need to be able to influence the environmental variables needed to acquire a correct and usable picture. And I wonder if it works flawlessly in Asia where people tend not to be able to open their eyes wide.
Conclusion: vein is a candidate but still has hurdles to overcome, technology- and business-wise.
Heartbeat & Behavior technology
I've talked about heartbeat and behavior biometrics in previous posts. I really like the technology, but it is still early stage for heartbeat, and behavior is well suited to be just the additional layer of security. It's an add-on to existing biometric technologies or other security systems.

Heartbeat and Behavior biometrics are both poised for greatness. It will be a long, rough and costly road but the reward will be there. Behavior is taking off now. Companies like BehavioSec changed their business strategy to make it easier to be embedded in the big authentication frameworks. That helps mass adoption.
As for heartbeat, a couple of technology breakthroughs are still needed before the technology can be embedded easily in the wristbands of, for instance, smartwatches. Smartwatches themselves still need to prove that they are here to stay.
Other technologies
There are various other biometric technologies like hand recognition, signature recognition, ear recognition, the way you walk and yes, even butt recognition.
All nice technological achievements but no serious threats to the fingerprint crown.

My prediction for the successor to fingerprint is:
  1. Vein technology: a couple of miniaturizations of the technology and a change in the licensing model are still needed, and then vein will take off.
  2. Heartbeat: no more comments needed, I have said enough.
  3. Behavior is here to stay and will creep into our lives no matter what.

Nymi band Unboxing & First Impressions

2/1/2016

 
This week I received a batch of Nymi bands. I wrote about Nymi in one of my previous posts about continuous authentication.
The Nymi technology is quite straightforward and ties your biological identity to the network for authentication purposes.

The way it works is that during enrollment a simple but sufficient ECG is made of your heart. The "template" is stored locally (in the app on the mobile device) and is user-controlled. So no central storage.
The person is identified based on the individual "noise" of the heartbeat (see Nymi's explanation of the technology).
It looks a bit bulky, but this is the developer band
How the technology works
The Nymi band looks quite simple in its form factor, which is a good thing. It's a rubber band with a Nymi reader on one end and, on the other end, a flap with another scanner that snaps onto the reader by magnetic force. Quite easy indeed.
Top of the reader. This is where the flap snaps on with magnets.
The bottom of the reader clearly shows the big metal readers that actually monitor your heartbeat
Bottom of the flap shows the interface that connects the metal scanner on the top of the flap with the reading device.
As soon as the band is snapped together the Nymi band and the battery indicators turn on.
Once fully charged you can put the Nymi band on your wrist. As soon as the flap snaps on the reader, the battery/bluetooth indicator turns on warning you that the band is ready for action.
After you have downloaded the "companion" app from the store of your choice, you can begin to set up the band and enroll your "heartbeat".

Out of the box, the band's first task is to update the firmware. Since Nymi is continuously working on improving the technology and user experience, the firmware update will probably be something every user experiences on the first run.
I had a funny experience. The update began and installed, and after installing it reported an installation error (see photographs below). As soon as I tried to re-install, the app warned me that the firmware was already up to date. Hmm.

The next thing is setting up your profile with the app. It is all reasonably straightforward. It works as expected and provides the user the opportunity to leverage Touch ID as well.
One of the big benefits of the Nymi band is its U2F compliance. U2F is one of the new standards being developed by the FIDO Alliance. U2F stands for "Universal 2nd Factor" authentication. It's an industry-wide standard to make sure that hardware and software connect easily and the user has complete end-to-end protection, which is a good thing.
OSX setup looks like a breeze
Unfortunately I pay the price for being a beta tester @ Apple. The OSX app doesn't work on this version.
Operating systems and Nymi
As you can see above, I tried to hook Nymi onto my Macbook Air. Unfortunately I am a beta tester @ Apple and my version of OSX was understandably not supported. The Nymi website states that correctly.
I will connect Nymi to my Surface Pro later this week and let you know about the Windows user experience.

Nymi's future
The Nymi band clearly has a bright future but still has development ahead. The current band form factor is not ideal. It fitted my wrist (I have a rather small wrist, although the band was marked "Large") but it doesn't have a way to adjust it.
Like my Apple watch, reading the heartbeat is only successful and accurate if the band is strapped tightly around your wrist. With the Dutch climate (where it is hot and cold) my wrists tend to get bigger when it's hot and I wonder if the band is then still comfortable to use.
I know Nymi is working on other form-factors. The technology screams to be embedded in smart watches.

Below you find more pictures of the Nymi unboxing and screenshots of the app, the enrollment and the way Nymi integrates with existing operating systems.
Have fun!
Nymi Pro
  • Quick & easy setup
  • Bluetooth-LE support saves battery life 
  • U2F support
  • NFC embedded (payments & physical access)
  • Template stored locally and user-controlled
  • Quick reading
  • Potentially continuous authentication
Nymi Contra
  • Bulky design
  • No definitive form factor
  • Setup has some minor flaws
  • Another band on the wrist

    Author

    I am Reinier van der Drift, owner of FERGIL. Serial Entrepreneur & Technology Freak. Expert on Strong Authentication.
    Blog on StartUps, Gadgets, Technology in general and my day-to-day busy-ness.

© 2022 FERGIL bv, Amsterdam, The Netherlands