Biometrics are seductive: you are your key. Your voiceprint unlocks the door of your house. Your retinal scan lets you in the corporate offices. Your thumbprint logs you on to your computer. Unfortunately, the reality of biometrics isn't that simple.
Biometrics are the oldest form of identification. Dogs have distinctive barks. Cats spray. Humans recognise each other's faces. On the telephone, your voice identifies you as the person on the line. On a paper contract, your signature identifies you as the person who signed it. Your photograph identifies you as the person who owns a particular passport.
What makes biometrics useful for many of these applications is that they can be stored in a database. Alice's voice only works as a biometric identification on the telephone if you already know who she is; if she is a stranger, it doesn't help. It's the same with Alice's handwriting; you can recognize it only if you already know it. To solve this problem, banks keep signature cards on file. Alice signs her name on a card, and it is stored in the bank (the bank needs to maintain its secure perimeter in order for this to work right). When Alice signs a check, the bank verifies Alice's signature against the stored signature to ensure that the check is valid.
There are a bunch of different biometrics. I've mentioned handwriting, voiceprints, and face recognition. There are also hand geometry, fingerprints, retinal scans, DNA, typing patterns, signature geometry (not just the look of the signature, but the pen pressure, signature speed, etc.), and others. The technologies behind some of them are more reliable than others, and they'll all improve.
"Improve" means two different things. First, it means that the system will not incorrectly identify an impostor as Alice. The whole point of the biometric is to prove that Alice is Alice, so if an impostor can successfully fool the system it isn't working very well. This is called a false positive. Second, "improve" means that the system will not incorrectly identify Alice as an impostor. Again, the point of the biometric is to prove that Alice is Alice, and if Alice can't convince the system that she is her then it's not working very well, either. This is called a false negative. In general, you can tune a biometric system to err on the side of a false positive or a false negative.
Biometrics are great because they are really hard to forge: it's hard to put a false fingerprint on your finger, or make your retina look like someone else's. Some people can mimic others' voices, and Hollywood can make people's faces look like someone else, but these are specialized or expensive skills. When you see someone sign his name, you generally know it is him and not someone else.
Biometrics are lousy because they are so easy to forge: it's easy to steal a biometric after the measurement is taken. In all of the applications discussed above, the verifier needs to verify not only that the biometric is accurate but that it has been input correctly. Imagine a remote system that uses face recognition as a biometric. "In order to gain authorization, take a Polaroid picture of yourself and mail it in. We'll compare the picture with the one we have in file." What are the attacks here?
Easy. To masquerade as Alice, take a Polaroid picture of her when she's not looking. Then, at some later date, use it to fool the system. This attack works because while it is hard to make your face look like Alice's, it's easy to get a picture of Alice's face. And since the system does not verify that the picture is of your face, only that it matches the picture of Alice's face on file, we can fool it.
Similarly, we can fool a signature biometric using a photocopier or a fax machine. It's hard to forge the vice-president's signature on a letter giving you a promotion, but it's easy to cut his signature out of another letter, paste it on the letter giving you a promotion, and then photocopy the whole thing and send it to the human resources department...or just send them a fax. They won't be able to tell that the signature was cut from another document.
The moral is that biometrics work great only if the verifier can verify two things: one, that the biometric came from the person at the time of verification, and two, that the biometric matches the master biometric on file. If the system can't do that, it can't work. Biometrics are unique identifiers, but they are not secrets. (Repeat that sentence until it sinks in.)
Here's another possible biometric system: thumbprints for remote login authorizations. Alice puts her thumbprint on a reader embedded in the keyboard (don't laugh, there are a lot of companies who want to make this happen). The computer sends the digital thumbprint to the host. The host verifies the thumbprint and lets Alice in if it matches the thumbprint on file. This won't work because it's so easy to steal Alice's digital thumbprint, and once you have it it's easy to fool the host, again and again. Biometrics are unique identifiers, but they are not secrets.
Which brings us to the second major problem with biometrics: it doesn't handle failure very well. Imagine that Alice is using her thumbprint as a biometric, and someone steals it. Now what? This isn't a digital certificate, where some trusted third party can issue her another one. This is her thumb. She only has two. Once someone steals your biometric, it remains stolen for life; there's no getting back to a secure situation. (Other problems can arise: it's too cold for Alice's fingerprint to register on the reader, or her finger is too dry, or she loses it in a spectacular power-tool accident. Keys just don't have as dramatic a failure mode.)
A third, more minor problem, is that biometrics have to be common across different functions. Just as you should never use the same password on two different systems, the same encryption key should not be used for two different applications. If my fingerprint is used to start my car, unlock my medical records, and read my email, then it's not hard to imagine some very bad situations arising.
Biometrics are powerful and useful, but they are not keys. They are useful in situations where there is a trusted path from the reader to the verifier; in those cases all you need is a unique identifier. They are not useful when you need the characteristics of a key: secrecy, randomness, the ability to update or destory. Biometrics are unique identifiers, but they are not secrets.
Could we be constantly tracked through our clothes, shoes or even our cash in the future?
I'm not talking about having a microchip surgically implanted beneath your skin, which is what Applied Digital Systems of Palm Beach, Fla., would like to do. Nor am I talking about John Poindexter's creepy Total Information Awareness spy-veillance system.
Instead, in the future, we could be tracked because we'll be wearing, eating and carrying objects that are carefully designed to do so.
The generic name for this technology is RFID, which stands for radio frequency identification. RFID tags are miniscule microchips, which already have shrunk to half the size of a grain of sand. They listen for a radio query and respond by transmitting their unique ID code. Most RFID tags have no batteries: They use the power from the initial radio signal to transmit their response.
It becomes unnervingly easy to imagine a scenario where everything you buy that's more expensive than a Snickers will sport RFID tags, which typically include a 64-bit unique identifier yielding about 18 thousand trillion possible values. KSW-Microtec, a German company, has invented washable RFID tags designed to be sewn into clothing. And according to EE Times, the European central bank is considering embedding RFID tags into banknotes by 2005.
The privacy threat comes when RFID tags remain active once you leave a store. That's the scenario that should raise alarms--and currently the RFID industry seems to be giving mixed signals about whether the tags will be disabled or left enabled by default.
Gillette Vice President Dick Cantwell said that its RFID tags would be disabled at the cash register only if the consumer chooses to "opt out" and asks for the tags to be turned off. "The protocol for the tag is that it has built in opt-out function for the retailer, manufacturer, consumer," Cantwell said.
Wal-Mart, on the other hand, says that's not the case. When asked if Wal-Mart will disable the RFID tags at checkout, company spokesman Bill Wertz told Gilbert: "My understanding is that we will."
If the tags stay active after they leave the store, the biggest privacy worries depend on the range of the RFID readers. There's a big difference between tags that can be read from an inch away compared to dozens or hundreds of feet away.
Privacy worries also depend on the size of the tags. Matrics of Columbia, Md., said it has claimed the record for the smallest RFID tag, a flat square measuring 550 microns a side with an antenna that varies between half an inch long to four inches by four inches, depending on the application. Without an antenna, the RFID tag is about the size of a flake of pepper.
First, consumers should be notified--a notice on a checkout receipt would work--when RFID tags are present in what they're buying. Second, RFID tags should be disabled by default at the checkout counter. Third, RFID tags should be placed on the product's packaging instead of on the product when possible. Fourth, RFID tags should be readily visible and easily removable.
UPDATE: When such tools become widely available, hackers and those with less pure motives could use a handheld device and the software to mark expensive goods as cheaper items and walk out through self checkout. Underage hackers could attempt to bypass age restrictions on alcoholic drinks and adult movies, and pranksters could create confusion by randomly swapping tags, requiring that a store do manual inventory.
Grunwald's software program, RFDump, makes rewriting RFIDs easy. While there are significant malicious uses of the program, consumers could also use it to protect themselves, he said.
"Everyone should have the right, once they leave the store, to erase the RFID tags," he said. Deleting information on the tags would allow people to stop RFID checkpoints in stores and other places from tracking which products they are carrying, or which have been inserted under their skin.
Biometrics are seductive: you are your key. Your voiceprint unlocks the door of your house. Your retinal scan lets you in the corporate offices. Your thumbprint logs you on to your computer. Unfortunately, the reality of biometrics isn't that simple. 
I'm not talking about having a microchip surgically implanted beneath your skin, which is what 
