My body, my password

How much easier life could be if we had no more passwords or PIN numbers! Biometrics offers an alternative way of protecting your data.

11 Jan. 2016

Honestly: How many of the passwords you use on a daily or even occasional basis have you actually committed to memory? Or do you have many of them written down on a piece of paper or programmed into your smartphone instead? Or do you use the same password for a number of different things? Experts recommend using unique character strings consisting of a random series of letters, numbers and special characters. But who among us can remember all of them?

This is no doubt the reason why lists of the most popular passwords regularly contain alphanumerical combinations like “1234” or “password” – with convenience winning out over security. But this doesn’t have to be the case. For the human body possesses many innate, unmistakable characteristics which – if used the right way – can help rule out any confusion and protect your access to sensitive data.

Not every characteristic, however, offers the same amount of protection. The following scale provides an insight into which biometric characteristics are best suited to keeping the treasure chamber sealed – and which are not.

That classic identifier, the fingerprint (protection level 1 out of 10)
The impression made by the skin ridges on our fingertips is unique to every person in the world. No wonder, then, that the technology of measuring and comparing fingerprints is in use globally. Unfortunately, it is not a sure thing. As far back as 2005, the Chaos Computer Club used a mockup of German politician Wolfgang Schäuble’s fingerprint to demonstrate just how easy it is to counterfeit this security feature. This is primarily because we leave our fingerprints virtually everywhere, providing a perfect window of opportunity for counterfeiters. Schäuble’s fingerprints, for example, were lifted from a glass of water. In smartphones, fingerprint scanners are nevertheless in widespread use, due to the convenience of the method.

The security selfie: facial recognition (protection level 2 out of 10)
For facial recognition, a computer compares a captured image of the user’s face with one or more images in a database. Because our facial shapes are different and can be personally categorized, the computer can make an identification using this process – although not necessarily more securely than identification based on a fingerprint scan. Researcher Jan Krissler from the Technical University of Berlin, for example, had no problem outsmarting a facial recognition system using high-resolution photos. A prominent “victim” of this deception was Angela Merkel. But even non-celebrities need to worry about the security of their own facial features, since a photo can be shot secretly and then potentially used to gain access to a presumably safe system – for instance, a computer running on Windows 10.

Shake on it: finger geometry (protection level 3 out of 10)
The proportion of our fingers to our palms is just as unique as our fingertip patterns. Palm scanners make use of this phenomenon by measuring the relevant parameters and using them for identification purposes. The advantage here is that it doesn’t matter if the fingers are clean or dirty, or whether a Band-Aid is wrapped around a finger. The main disadvantage, however, is the size: To scan an entire hand, the surface must be large enough to lay a hand on – something which is seldom the case for mobile devices. For access to a company facility, however, this procedure is definitely usable.

Black on white: handwriting recognition (protection level 4 out of 10)
Our method of writing or even pressing the keys on a keyboard is learned behavior and variable, and for that reason not as secure as an inherited characteristic. Nevertheless, individual handwriting and even one’s own typing pattern are much more difficult to counterfeit than a fingerprint. That is because, in comparison to a pattern composed of various lines, this type of security check is preceded by a long period of observation and analysis – which on the other hand makes its use in everyday situations more difficult. The reason: To avoid returning a premature error message, the system needs to be fed with relatively comprehensive data for checking and comparison purposes. Nevertheless, the end results are impressive.

Ears wide open: Earprint identification (protection level 5 out of 10)
Even if it might not seem like it at first glance: Our ears are unique as well. Even identical twins display different ear shapes. As a result, comparable to fingerprints, unique earprints can be made and used as security control elements. There is one limiting factor, however: Who presses their ear to a phone before the conversation begins? And pressing your ear to a computer screen would certainly be confusing to other passengers on a train. Although this procedure is relatively secure, its chances of being adopted on a mass scale are slim.

Goes where you go: Gait analysis (protection level 6 out of 10)
In contrast to the more cumbersome earprint authentication process, the gait recognition research performed by the University of Darmstadt represents a highly inconspicuous method of personal identification. The researchers use the motion and acceleration sensors in smartphones to analyze the user’s gait and then store this as a code. As soon as the user pulls the phone out of his or her pocket, the device is already unlocked. But if a thief were running away with the phone, it would prevent him from accessing it, since the culprit’s gait would not match the encoded security information. The disadvantage of this system: After a longer break in motion, the identification data are no longer present, and the user needs to enter his or her PIN number to gain access. For couch potatoes, this kind of security protection would at least provide a measure of motivation to get up off the couch.

Speech and voice recognition (protection level 7 out of 10)
In comparison with the other biometric security characteristics, our voice possesses a decisive advantage, being relatively easy to transmit. This makes voice recognition an ideal tool for querying information at a distance. The Volksfürsorge insurance company for instance employs this security tool to grant telephone access to field service workers for various kinds of information in the company database. The procedure however is less suitable for protecting data stored on devices: Loudly dictating keywords into your phone during meetings or in open plan offices could presumably detract from your popularity.

Under the skin: vein recognition (protection level 8 out of 10)
You can’t counterfeit what you can’t see. This includes the vein pattern of a person’s palms, which is different for everyone. This procedure uses infrared light and image sensors to identify the pattern of blood vessels below the skin, on the basis of which it can authenticate people using a corresponding reference pattern. At CeBIT 2015 Fujitsu demonstrated its “PalmSecure” vein recognition system, which can be used on notebooks or security gates at data centers. Even a single finger is enough. Some 100,000 automated tellers in Brazil are already equipped with a corresponding sensor. The great advantage of vein recognition: This characteristic remains constant, even if the user’s voice, gait or handwriting may change over time.

Here’s looking at you, kid: retina scanning (protection level 9 out of 10)
Retina scanning is currently considered the most secure biometric method. The scanner measures the blood veins below the eyeball and compares this with the values stored in a database. Since this pattern is virtually impossible to counterfeit, the method is typically used for high-security applications – while remaining largely out of the question for everyday security applications.

It all comes down to the right mix: biometrics + password = security (protection level 10 out of 10)
As everywhere in the field of IT security, complete protection is impossible. No system is 100% secure, and even the human body can be fooled or counterfeited. To raise the bar in matters of security, there is no other way than to combine different characteristics and procedures with one another – and to be on the safe side, never use a password consisting of the digits “1234”.
