Fergil BV

Fingerprint biometrics to peak, so what's next?

26/1/2016

 
Fingerprint biometrics have been around for at least 25 years. The current mass adoption was long in the making, much longer than any respected analyst firm had predicted. The Forresters and Gartners of this world at first underestimated public skepticism and privacy concerns.
In the '90s there were a lot of initiatives to promote and implement fingerprint biometrics, but these projects often ended earlier than expected for the reasons mentioned above.

Public opinion on biometrics in general, and fingerprint biometrics in particular, changed this millennium for a variety of reasons: the tragic 9/11 event was the trigger that fueled the global security market, followed by the increase in online personal-data collection, which leads, by definition, to increased internet crime.

In the last decade of the previous century, biometric fingerprint technology was thought to play an important role in the early days of e-commerce. Pioneers like SAFLink, Lernout & Hauspie, Iridian, Visionics, AuthenTec and others paved the way and shaped the market as it is today.
The majority of those companies are not around anymore; they went bankrupt or were acquired at some stage.
With the consumerization of IT and biometrics being embedded in smartphones, the payment industry is driving biometric adoption in the e-commerce space with neat apps.

The market as it is today is divided into 3 segments:
  1. Border control market
  2. Enterprise market
  3. Consumer market
Each market has its own biometric specifications for security/access control systems. Whereas 1:N matching is typically used in the border control market, 1:1 and/or 1:few matching is used in the enterprise and consumer markets.

The enterprise market typically stores biometric templates in central directories like AD or eDir, where they are controlled by the user and administrators, whereas templates in the consumer market are stored locally on the device and are fully controlled by the user.
Slowly but surely these markets are converging. We're moving to a world where your mobile phone is your digital you and is fully trusted by governments across the globe.

Back to fingerprint biometrics. The market for fingerprint biometrics matured over the last decade. After a lot of consolidation in the market, prices dropped to an acceptable level, and they will drop even further.
What technology vendors learned is to embed fingerprint technology in such a way that it's easy for the user to enroll and is automatically adopted by the various apps (thank Steve Jobs for the app store).

The downside of fingerprint biometrics is that every fingerprint reader can be spoofed.

The essence of fingerprint technology is of course your fingerprint: something you leave behind everywhere you go. In other words, it's easy to obtain your fingerprint without you even knowing.
Fingerprint readers are built to recognize you, and some have built-in anti-spoofing systems, sometimes very rudimentary and sometimes very sophisticated. In general, if you pay more you get more quality. However, even the most sophisticated systems are not fully spoof-proof.
The more applications, and the more (business) value, that are protected by fingerprint biometrics, the more advanced the attacks on the system will become, forcing users and corporations to implement other (biometric) technologies alongside fingerprint biometrics.

Let's take a look at the most likely biometric technology candidates.
We have:
  • Facial
  • Voice
  • Iris
  • Vein
  • Heartbeat
  • Behavior
  • Others (DNA, ear, etc.)
As for biometrics, there is no one-fits-all biometric technology. That is never going to happen; well, maybe somewhere in a distant future when we have an easy and fast way to extract DNA and perform a match. That is, once privacy concerns have been overcome, of course.

Voice & Face
Given that there is no one-fits-all, face and voice are not likely to be winners, since for them to work correctly you need to be able to control the environmental settings (lighting, noise, etc.) under all circumstances. And that will prove to be a mission impossible. So face and voice are not the most likely candidates to be the biometric successor to fingerprint.

Iris
Iris is becoming interesting again. After Iridian screwed up the market with their idiot patent threats, the various patents have now expired and innovation in iris cameras is reaching a new peak. The cameras are becoming affordable and smaller, and the next generation will probably be embedded in smartphones.
Iris algorithms are fast and perfectly suitable for 1:N matching, making them a more likely candidate for border control than for enterprise and consumer biometrics. As you can see in the video below, there is always something needed called "hamming distance" (20cm in the video), the range where the actual iris is captured. It is simply not a very user-friendly technology. It's a bit clumsy, to be honest.

Vein
My first encounter with vein technology was back in 2005. I had a nasty issue with fingerprint technology by BMF (pressure sensitive readers) in a datacenter and Hitachi as supplier of BMF in Europe invited us to test new groundbreaking technology first hand.
I met the director of biometric technology in Hoofddorp where I saw finger vein technology for the first time. I immediately thought it was a far better technology than fingerprint biometrics, but little too late to enter the border control market. The standards for fingerprint were already set.
A year later Fujitsu launched palm vein technology. Both technologies look at the vein pattern, with the difference that finger vein technology reads the pattern "through" the finger, whereas palm vein technology is based on a reflected image of the pattern.
I leave it up to the reader to judge which of the two methods is more secure than the other.
The fact is that the vein algorithms, unlike the iris one, are not suitable for 1:N matching. You need additional technologies like fusion in-memory databases to get performance, which increases the total cost of ownership.

The other downside to palm & finger vein technology is the way the two vendors structured their licensing model. In short, it sucks. It's a showstopper for the mass adoption of vein technology. I wrote about this in my previous blog on the "biometrics 2015".

Another vein tech provider is EyeVerify. This Kansas-based startup "reads" the vein pattern in the corner of your eye. It is cool technology, as demonstrated below. But, as with iris recognition, one can wonder whether it is suitable for mass adoption by consumers. It's a nice add-on and doesn't require any additional hardware, but it is not very user-friendly as it is now. Maybe in the future, when cameras are even better at recognizing from a distance. You always have to look straight into the camera, which you cannot do under every circumstance. As with face recognition, you need to be able to influence the environmental variables needed to acquire a correct and usable picture. And I wonder if it works flawlessly in Asia where people tend not to be able to open their eyes wide.
Conclusion: vein is a candidate but still has to overcome hurdles, both technological and business-wise.

Heartbeat & Behavior technology
I've talked about heartbeat and behavior biometrics in previous posts. I really like the technology, but it is still early stage for heartbeat, and behavior is well suited to be just an additional layer of security. It's an add-on to existing biometric technologies or other security systems.

Heartbeat and Behavior biometrics are both poised for greatness. It will be a long, rough and costly road but the reward will be there. Behavior is taking off now. Companies like Behaviosec changed their business strategy to make it easier to be embedded in the big authentication frameworks. That helps the mass adoption.
As for heartbeat, a couple of technology breakthroughs are still needed in order to get the technology embedded easily in the wristbands of, for instance, smartwatches. Smartwatches themselves still need to prove that they are here to stay.

Other technologies
There are various other biometric technologies like hand recognition, signature recognition, ear recognition, the way you walk and yes, even butt recognition.
All nice technological achievements but no serious threats to the fingerprint crown.

My prediction for the successor to fingerprint is:
  1. Vein technology: a couple of miniaturizations of the technology and a change in the licensing model are still needed, and then vein will take off.
  2. Heartbeat: no more comments needed, I said enough.
  3. Behavior: it is here to stay and will creep into our lives no matter what.

Strong Authentication and the holy grail

9/12/2015

 
Every market has its holy grail. In the strong authentication market it's something called "continuous authentication".
It means that the user isn't bothered with typing a PIN code and/or presenting a card or biometric; the system simply knows it's you.
There are a couple of promising techniques that strive to become the holy grail, which I'll discuss here:

- Behaviosec, a Swedish startup that delivers keystroke biometric algorithms, and
- Nymi, a Toronto-based startup that measures "the noise" your heartbeat makes to identify you.

Behaviosec
Behaviosec developed a so-called behavior biometric algorithm. Basically the algorithm interprets your typing behavior on keyboards/mice and smartphones or tablets, and based on your unique "flight, swipe or touch" times and motions, the algorithm flawlessly identifies you in a short period of time.
Usually it takes 1-2 seconds after you start typing/swiping for the algorithm to make a positive ID.
Besides the algorithm, Behaviosec developed a cloud based system which makes it easy for Identity providers to add Behaviosec's technology to their authentication eco-system. 
This kind of behavior biometrics is often implemented as part of a multi-layer authentication system, that sits behind a website or payment system, to add more security to the accountholder's data.
Because the technology is non-intrusive to the user (he simply does what he always did; typing), these technologies are very elegant to implement and often implemented without the user knowing.
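
The keystroke-timing idea described above, shown as an added example in Python; it is not Behaviosec's algorithm or code. The function names, the z-score metric, the threshold and the sample timings are all assumptions constructed for illustration.

```python
from statistics import mean, stdev

def features(events):
    """events: [(key, down_ms, up_ms), ...] in typing order.
    Returns dwell times (how long each key is held) followed by
    flight times (release of one key to press of the next)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template = per-feature (mean, stdev) over the enrollment samples."""
    columns = zip(*(features(s) for s in samples))
    # Floor the spread at 1 ms so a very consistent typist cannot divide by ~0.
    return [(mean(c), max(stdev(c), 1.0)) for c in columns]

def score(template, events):
    """Mean absolute z-score of a probe; lower means closer to the template."""
    probe = features(events)
    if len(probe) != len(template):
        raise ValueError("probe does not match the enrolled phrase")
    return mean(abs(x - m) / s for x, (m, s) in zip(probe, template))

def decide(template, events, threshold=2.0):
    """One layer among several: a mismatch asks for a second factor
    instead of denying access. The threshold is an assumed value."""
    return "accept" if score(template, events) <= threshold else "step-up"

# Constructed timings (milliseconds) for the phrase "pass".
ENROLLMENT = [
    [("p", 0, 95), ("a", 150, 240), ("s", 300, 385), ("s", 450, 540)],
    [("p", 0, 100), ("a", 160, 245), ("s", 310, 400), ("s", 455, 545)],
    [("p", 0, 90), ("a", 145, 240), ("s", 295, 380), ("s", 450, 535)],
]
GENUINE = [("p", 0, 96), ("a", 153, 242), ("s", 302, 389), ("s", 452, 540)]
OTHER_TYPIST = [("p", 0, 140), ("a", 300, 420), ("s", 600, 730), ("s", 860, 1000)]

TEMPLATE = enroll(ENROLLMENT)

if __name__ == "__main__":
    for name, probe in (("genuine", GENUINE), ("other typist", OTHER_TYPIST)):
        print(name, round(score(TEMPLATE, probe), 2), decide(TEMPLATE, probe))
```

Because a failed match returns "step-up" rather than a denial, a noisy score costs the legitimate user one extra prompt instead of a lockout, which is what makes this kind of signal usable as a background layer.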


Nymi
It was early 2006 when I was first approached by an investor to give my opinion on an investor paper on "project Heartbeat", as it was called then. I don't know whether or not that old investment proposal is related to Nymi in any way; the fact of the matter is that I advised against it at that time.
The reason was that fingerprint technology had already caused a public debate, and in my experience technology like finger-vein recognition basically scared the consumer; finger-vein sounded very intrusive (which it actually is not).
We're now almost 10 years further on. Fingerprint readers are widely used by the public (smartphones, biometric passports and so on) and people are not surprised by biometrics anymore.

The Nymi algorithm, which interprets your heartbeat in order to identify you, finds its form factor in the Nymi band. You can see a picture above. During enrollment it asks you to touch the band with the other hand so that an ECG can be made, on which the algorithm can do its trick.
The Nymi band form factor was chosen so that developers can easily integrate the technology into their systems and applications. It's expected that in the near future the algorithm will be embedded in other devices like smartwatches and fitness bands.

The two technologies are examples of "continuous authentication": authentication that is "always-on" and non-intrusive to the user. It simply always works and, as part of a layered authentication framework, delivers the next-gen authentication systems.

FIDO Update

26/11/2015

 
Today I presented on the current status of the FIDO alliance at the "Biometrics in Banking and Payment" seminar organized by the European Association for Biometrics. 
Although I live in Amsterdam, this was the first time I visited the Amsterdam Planetarium. 
I found it a very nice and convenient place to have these kinds of events organized.
Especially when you want to attract a lot of interest from financials; they are literally around the corner.
So all of the major Dutch banks sent their representatives, and all in all it was a well organized and interesting seminar.
You can find my presentation here: 
fido_update.pdf


#Biometrics2015 in decline

14/10/2015

 

My first visit to the London Biometrics Show was back in October 2003. It was 2 years after 9/11 and the security world was set on fire. Gartner, Forrester and all the other researchers promised a biometric world with astronomical growth figures.
No one could foresee the hard reality of a very long lead time for biometrics. It was only about to lift off ten years later, when Apple launched "the biometric killer app": a fingerprint reader in the start button of a phone. Simple and elegant, and working flawlessly.
During that decade many biometric pioneers didn't survive.
SAFLink, which started in 1988 and burned roughly $350MLN, eventually went bankrupt in 2009 due to mismanagement and a lack of focus and vision.

In 2003 BMF introduced a biometric sensor based on TFT material. It was a so-called pressure-sensitive sensor. Through various layers of material, an image of the fingerprint was created solely by a simple press of the finger on the reader. Big benefit: you could read the fingerprint under almost all circumstances, even "under" water (see picture). It was sold in Europe via Hitachi. I was really impressed.
Little did I know at that time that the layers in the readers only survived roughly 1000 presses. So when I introduced an IP-based variant of the reader for securing a datacenter, I ran into trouble a few months after the go-live. Shit happens. But Hitachi promised me the world and came up with the prototype of the finger vein scanner in the summer of 2005. It was the death of BMF. The company never had real lift-off.
Nor did Hitachi, by the way. Their finger vein solution still needs to lift off. They are pushing hard on ATMs in banking, but fingerprint looks to be the winner in this sector.
Hitachi's business model sucks. It lacks interoperability with the other vein vendors. There is simply no standard for finger vein, which makes it hard for enterprises to invest in. They will never be sure of their investment. It used to be the same for fingerprint, but those technology vendors (with a little help from the Government) solved the interoperability problem and then it took off.

#Biometrics2015
In my last post I told you my wish-list. I was really looking forward to this year's edition of the Biometrics show. But I was very disappointed.
#BiometricsXXXX is organized by Reed/Elsevier. When I was exhibiting in London in 2013, I already noticed that the format was in decline. Somehow Reed/Elsevier was not able to attract the new young and hip biometric technology startups, and they totally missed out on FIDO and app-builders. Not to speak of Apple, which was a major biometric player with the launch of the 5S that year.
Reed/Elsevier just played safe and did the trick they'd done for a decade. Now in 2015, #Biometrics2015 has basically diminished to nothing worth being part of anymore. There were a few old players (HID, Cogent & Wacom), 2 mobile biometric solutions and Fujisoft, a vein vendor (old Sony stuff, but revived), and yes, NokNok was there; I said hi to Jamie.
I met old friends now working at Crossmatch, talked business, and basically agreed not to meet at Biometrics anymore but at more inspiring events or locations.

This was my last BiometricsXXXX, goodbye Queen Elizabeth II Centre, Goodbye Reed/Elsevier. I hope life treats you well, but somehow I think this was the last that we've seen from Reed/Elsevier on biometrics too.

Fujisoft vein technology for physical and logical access

Harrogate and hand recognition

5/10/2015

 

This weekend my wife and I were in Harrogate for a wedding. It was a traditional English wedding, which we really enjoyed.
Harrogate has been named the happiest place to live in the UK. It's a typical English place with stunning parks and beautiful old buildings.

When we tried to fly out of Leeds/Bradford's airport (because of delays we eventually flew out of Manchester), just after the security check I spotted this old biometric time punch system of Recognition.
Once considered high-tech, but never a real breakthrough in the global biometric market.
Nevertheless it's good to see Harrogaters live in the 21st century ;-)

Home for the fingerprint

6/9/2015

 

It seems like a winning combination: biometric fingerprint scanning and the Home or Start button. This week Sony announced the availability of the new Xperia Z5, which has a nifty biometric feature.

According to the online website "All About Phones", the fingerprint reader that is embedded in the Home button on the side of the phone works flawlessly. It's another example of increasing security and user-convenience at the same time. That's how we like to see it at FERGIL. 

The cyberwar is escalating

3/9/2015

 
So the US is going to impose sanctions on Chinese corporations and individuals caught hacking US systems.

"The Obama administration is developing a package of unprecedented economic sanctions against Chinese companies and individuals who have benefited from their government’s cybertheft of valuable U.S. trade secrets."

Washington Post  August 30, 2015

It is another step in the escalating cyberwar and it will get worse. IoT (Internet of things) which will explode over the next few years, will be another easy target to hack.
We need to focus on making cyberspace a safe and user-friendly place. So security is the key.
So prevention rather than aggression & repression.

    Author

    I am Reinier van der Drift, owner of FERGIL. Serial Entrepreneur & Technology Freak. Expert on Strong Authentication.
    Blog on StartUps, Gadgets, Technology in general  and my day to day busy-ness.

© 2021 FERGIL bv, Amsterdam, ​The Netherlands