Biometrics for authentication: how the future of technology is going to change our lives
We ask experts if the ‘safest biometric identification yet’ is too high a price to pay for convenience
Fortune tellers of old would, for a small fee, read your palm and attempt to predict your future. Today, there is another kind of palm reading, powered by technology, which seeks to confirm your identity. Your palm is unique: that particular combination of veins, lines and creases is like no other. That makes it a prime candidate for use in the field of biometrics, joining other techniques such as fingerprint, facial and voice recognition. Your palm could be used to usher you through passport control, enter the office, pay for goods and much else. But as these biometric techniques accumulate, concern is growing about weak security and the long-term effect on personal privacy.
Such systems may be convenient, but are they wise?
Palm ID is already being used in a few places around the world, including Jeju International Airport in South Korea. But last week, global giant Amazon announced the launch of its system called Amazon One. Its initial roll-out is small: only at a couple of Amazon Go shops in Seattle where shoppers can pay for goods quickly and easily. But there are big ambitions. “We plan to offer the service to third parties like retailers, stadiums and office buildings, so that more people can benefit from this ease and convenience,” says Dilip Kumar, vice president of Amazon’s physical retail business.
How does it work? Computer vision technology scans your vein and line patterns to create a “palm signature”. You connect that palm signature to a payment card. Then you pay for items merely by holding your hand over a scanner. Combined with the “Just Walk Out” experience of Amazon Go shops (which use cameras and sensors to bill you for what you pick up and walk out with) it’s the ultimate in frictionless shopping. You do not even need a phone. You simply walk in, grab what you want and wave your palm as you leave.
It’s not only speedy – palm ID is also billed as the safest form of biometrics yet devised. Unlike facial recognition, your palms are not visible at a distance and thus cannot be used to authenticate you without your permission. Naman Aggarwal, Asia Pacific policy counsel at digital rights organisation Access Now, says it’s a more accurate system, too. “All biometric techniques have different false acceptance rates and false rejection rates. Palm ID does seem like an improvement within the realm of biometrics. But the problem [with all of them] is that they exist in your body, they are a measurement of your bodily attributes. If they get compromised, you cannot change them. That is where the real human rights harm happens.”
Passwords, chips and PINs can be changed. If they are breached, you can get new ones and stay in control. Not so with biometrics. Their weakness was memorably highlighted in 2008 by the German hacker group Chaos Computer Club, when it published the fingerprint of Germany’s then interior minister (and biometrics enthusiast) Wolfgang Schauble, having lifted it from a glass he had been holding at a public event. While you cannot subvert a palm signature in this way, your security still depends on the vigilance of the organisation holding it. A breached biometric server could compromise the privacy of an entire population – but even if that breach never happens, questions still remain about who might have access to it, who it might be sold to and whether copies are being made.
Digital rights group EFF warn users of “multimodal” databases that combine various biometrics with other data points such as name, address and GPS location. For its part, Amazon has assured the public that “nothing is more important to us than earning and maintaining customer trust … we designed Amazon One to be highly secure.”
We are sharing a crazy amount of our information for benefits that are not proportionate. Why does Amazon, or anyone developing any sort of ID, need to use biometrics for authentication?
Naman Aggarwal, Asia Pacific policy counsel at digital rights organisation Access Now
Amazon is not the only company working in this field. Market research organisation Fact.MR predicts that vein recognition will be a billion-dollar industry by the end of this decade, and several companies are offering assurances that it will enhance our lives and make onerous tasks easier. “They feel that it creates a better experience for the user,” Aggarwal says. “But they don’t realise the risk they are putting that user in. It’s creating a system that can be abused later.”
As biometric authentication becomes more widespread, particularly on smartphones, Aggarwal believes we are being seduced by convenience without considering the implications. “We are sharing a crazy amount of our information for benefits that are not proportionate,” he says. “Why does Amazon, or anyone developing any sort of ID, need to use biometrics for authentication? Do I really want to give out biometric information in order to speed up a transaction by a second or two? There are less intrusive ways of going about this.”
In this era of Covid-19, the case for biometrics is being pushed harder. With cash and PIN keypads deemed to be health hazards, frictionless payments and admission systems seem to be eminently sensible, and Amazon is stressing the contactless nature of Amazon One. Aggarwal, however, disputes whether the biometric argument has become stronger in the pandemic. “People are really concerned about touching things right now,” he says. “The narrative has become stronger, possibly based on a flawed flow of thought. The argument has not.”
One thing is clear, though. Our palms hold information that is extremely valuable. Not just for fortune tellers, but for big business, too.
Updated: October 11, 2020 10:01 AM