Fingerprint biometrics have been around for at least 25 years or more. The current mass adoption was long in the making. Much longer than any respected analyst firm had predicted. The Forresters and Gartners of this world underestimated the public scepsis and privacy concerns at first.
In the '90's there were a lot of initiatives to promote and implement fingerprint biometrics* but not often these projects ended earlier than expected because of above mentioned reasons.
The public opinion on biometrics in general and fingerprint biometrics in particular changed this millennium because of a variety of reasons; the tragic 9/11 event being the trigger to fuel the global security market, followed by the increased online personal-data collection which leads, per definition, to increased internet criminality.
Biometric fingerprint technology was, in the last decade of the previous century, thought to play an important role in the early days of the e-commerce. Companies like SAFLink, Lennard & Hauspie, Iridian Visionics, Authentec and others as pioneers paved the way and shaped the market as it is today.
The majority of those companies are not around anymore, they went bankrupt or were acquired at some stage.
With the consumeration of IT and biometrics being embedded in smartphones, the payment industry drives the biometric adaption in the e-commerce space with neat apps.
The market as it is today is divided into 3 segments;
The enterprise market stores biometric templates typically in central directories like AD or eDir and they are controlled by the user and administrators, whereas templates in the consumer market are stored locally on the device and are fully controlled by the user.
Slowly but surely these markets converge. We're moving to a world where your mobile phone is your digital you and fully trusted by Governments across the globe.
Back to fingerprint biometrics. the market for fingerprint biometrics matured the last decade. After a lot of consolidation in the market, the prices dropped to an acceptable level and they will drop even further.
What technology vendors learned is to embed fingerprint technology in such a way that it's easy to enroll for the user and automatically is being adopted in the various apps (thank Steve Jobs for the app-store)
The downside of fingerprint biometrics is that every fingerprint reader can be spoofed.
The essence of fingerprint technology is of course your fingerprint. Something you leave behind everywhere you go. In other words, it's easy to obtain your fingerprint without you even knowing.
Fingerprint readers are build to recognize you and some have anti-spoofing systems build-in. Sometimes very rudimentary and sometimes very sophisticated. If you pay more you get more quality in general. However, even the most sophisticated systems are not fully spoofing proof.
The more applications, the more (business)value, is protected by fingerprint biometrics, more advanced attacks on the system will happen and force users and corporations to implement other (biometric) technologies besides fingerprint biometrics.
Let's take a look at the most likely biometric technology candidates.
Voice & Face
Given the fact that there is no 1-fits-all, Face & Voice are not likely to be winners since for them to work correctly you will need to be able to control the environmental settings (lighting, noise etc) under all circumstances. And that will proof to be a mission impossible. So face and voice will not be the most likely candidates to be the biometric successor of fingerprint.
Iris is becoming interesting again. After Iridian screwed up the market with their idiot patent threats, now with the expiration of the various patents the innovation in iriscamera's reach a new peak. They are becoming affordable and the cameras are getting smaller and the next-gen will probably be embedded in smartphones.
Iris algorithms are fast and perfectly suitable for 1:N matching. Making them a more likely candidate for border-control rather than enterprise and consumer biometrics. As you can see in the video below there is always something needed called "hamming distance" (20cm in the video) the range where the actual iris is captured. It is simply not a very user-friendly technology. It's a bit clumsy to be honest.
My first encounter with vein technology was back in 2005. I had a nasty issue with fingerprint technology by BMF (pressure sensitive readers) in a datacenter and Hitachi as supplier of BMF in Europe invited us to test new groundbreaking technology first hand.
I met the director of biometric technology in Hoofddorp where I saw finger vein technology for the first time. I immediately thought it was a far better technology than fingerprint biometrics, but little too late to enter the border control market. The standards for fingerprint were already set.
A year later Fujitsu launched palm vein technology. Their are both technologies looking at the vein pattern with the differentiator that finger vein technology reads the pattern "through" the finger whereas palm vein technology is based on an reflected image of the pattern.
I leave it up to the reader to judge which of the methods is most secure than the other.
Fact is that the vein algorithms are not suitable for 1:N matching like the iris one. You need additional technologies like fusion in-memory databases to get performance, which increases the total costs of ownership.
The other downside to palm & finger vein technology is the way the two vendors structured their licensing model. In short, it sucks. It's a showstopper for the mass adoption of vein technology. I wrote about this in my previous blog on the "biometrics 2015".
Another vein tech provider is Eyeverifi. This Kansas based startup "reads" the vein pattern in the corner of your eye. It is cool technology as demonstrated below. But like iris recognition one can wonder if it is suitable for mass adoption by consumers. It's a nice add-on, doesn't require any additional hardware but is not very user-friendly as it is now. Maybe in the future when camera's are even beter to recognize from a distance. You always have to look straight in the camera, which you cannot do under every circumstance. Like face recognition you will need to be able to influence the environmental variables needed to acquire a correct and usable picture. And I wonder if it works flawlessly in Asia where people tend not to be able wide open their eyes.
Conclusion vein is a candidate but still has to overcome hurdles technology- and businesswise.
Heartbeat & Behavior technology
I've talked about heartbeat and behavior biometrics in a previous posts. I really like the technology but it is still early stage for heartbeat, and behavior is well suited to be just the additional layer of security. It's an add-on to existing biometric technologies or other security systems.
Heartbeat and Behavior biometrics are both poised for greatness. It will be a long, rough and costly road but the reward will be there. Behavior is taking off now. Companies like Behaviosec changed their business strategy to make it easier to be embedded in the big authentication frameworks. That helps the mass adoption.
As for heartbeat, still a couple of technology breakthroughs will be needed in order to get the technology embedded easily in wristbands of f.i. smartwatches. Smartwatches by itself needs to prove that they are here to stay.
There are various other biometric technologies like handrecognition, signature recognition, ear recognition, the way you walk and yes even butt-recognition.
All nice technological achievements but no serious threats to the fingerprint crown.
My prediction for the successor to fingerprint is;
Every market has it's holy grail. In the strong authentication market it's something called "continuous authentication".
It means that the user isn't bothered by typing a PINcode and/or present a card or biometric, the system simply knows it's you.
There are a couple of promising techniques that strive to become the holy grail that I'll discuss here:
- Behaviosec, a,Swedish startup that delivers keystroke biometric algorithms and
- Nymi, a Toronto based startup that measures "the noise" your heartbeat makes to identify you.
Behaviosec developed a so-called behavior biometric algorithm. Basically the algorithm interprets your typing behavior on keyboards/mice and smartphones or tablets, and based on your unique "flight, swipe or touch" times and motions, the algorithm flawlessly identifies you in a short period of time.
Usually it takes 1-2 seconds after you starts typing/swiping for the algorithm to make a positive ID.
Besides the algorithm, Behaviosec developed a cloud based system which makes it easy for Identity providers to add Behaviosec's technology to their authentication eco-system.
This kind of behavior biometrics is often implemented as part of a multi-layer authentication system, that sits behind a website or payment system, to add more security to the accountholder's data.
Because the technology is non-intrusive to the user (he simply does what he always did; typing), these technologies are very elegant to implement and often implemented without the user knowing.
It was early 2006 that I was first approached by an investor to give my opinion on an investor paper on "project Heartbeat" as it was called then. I don't know whether or not that old investment proposal is related to Nymi in any way, fact of the matter is that I advised negative at that time.
The reason was that fingerprint technology already caused a public debate and in my experience technology like finger-vein recognition basically scared the consumer finger-vein sounded very intrusive (where it actually is not).
We're now almost 10 year further. Fingerprint readers are widely exerted by the public (smartphones, biometric passports and so on) and people are not surprised by biometrics anymore.
The Nymi algorithm which interprets your heartbeat in order to be able to identify you, finds it's form factor in the Nymi band. You can see a picture above. During enrollment it asks you to touch the band with the other hand so that an ECG can be made on which the algorithm can do it's trick.
The Nymi band form factor is chosen so that developers can easily integrate the technology into their systems and applications. It's expected that in the near future the algorithm will be embedded in other devices like smartwachtes and fitnessbands.
The two technologies are examples of "continuous authentication". Authentication that is "always-on" and non-intrusive to the user. It simply always works and as part of a layered-authentication-framework delivers the next-gen authentication systems.
Today I presented on the current status of the FIDO alliance at the "Biometrics in Banking and Payment" seminar organized by the European Association for Biometrics.
Although I live in Amsterdam, this was the first time I visited the Amsterdam Planetarium.
I found it a very nice and convenient place to have these kinds of events organized.
Specially when you want to attract a lot of interest of financials, they are literally around the corner.
So all of Dutch major banks send their representatives and all in all it was a well organized and interesting seminar.
You can find my presentation here:
BMF introduced in 2003 a biometric sensor based on TFT-material. It was a so-called pressure sensitive sensor. Through various layers of material an image of the fingerprint was created solely by a simple pressure of the finger on the reader. Big benefit: you could read the fingerprint under almost every circumstances even "under" water (see picture). It was sold in Europe via Hitachi. I was really impressed.
This weekend my wife and I were in Harrogate for a wedding. It was a traditional english wedding which we really enjoyed.
Harrogate is named the happiest place to live in UK. It's a typical english place with stunning parks and beautiful old buildings.
When we tried to fly out of Leeds/Bradford's airport (because of delays we eventually flew out of Manchester), just after the security check I spotted this old biometric time punch system of Recognition.
Once considered hightech but never a real breakthrough in the global biometric market.
Nevertheless it's good to see Harrogaters live in the 21st century ;-)
It seems like a winning combination; biometric fingerprint scanning and the Home or Startbutton. This week Sony announced the availability of the new Xperia Z5 which has a nifty biometric feature.
"The Obama administration is developing a package of unprecedented economic sanctions against Chinese companies and individuals who have benefited from their government’s cybertheft of valuable U.S. trade secrets."
Washington Post August 30, 2015
It is another step in the escalating cyberwar and it will get worse. IoT (Internet of things) which will explode over the next few years, will be another easy target to hack.
We need to focus on making cyberspace a safe and user-friendly place. So security is the key.
So prevention rather than aggression & repression.
I am Reinier van der Drift. owner of FERGIL. Serial Entrepreneur & Technology Freak. Expert on Strong Authentication.
Blog on StartUps, Gadgets, Technology in general and my day to day busy-ness.