New millennium sees biometrics bursting into the mainstream

Retina scans. Fingerprint mapping. Facial recognition. The turn of the new millennium has seen biometrics burst into the mainstream as a secure way of granting individuals access to systems, devices or data.

Biometric technology is no longer limited to high-ranking individuals or organisations. It is already deployed in everyday settings, including offices and condominiums that require a fingerprint scan before residents or visitors are admitted to the building.

Biometrics appeal over conventional passwords for several reasons, chief among them security. Because biometrics are physical or behavioural human characteristics, they are unique to each person, and unlike a password they cannot be forgotten or casually shared. The same permanence cuts both ways, however: a password can be changed every week, but a fingerprint or face cannot be replaced once it has been copied. That is the problem the template-protection work described below sets out to solve.

"The present password-based security system which is widely used revolves around a set of reworkable key binding and key generation systems called fuzzy commitment, fuzzy vault and fuzzy extractors. However, a password is reworkable, meaning it can be changed," says Dr Jin Zhe, Course Coordinator, Master of Business Information Systems, School of IT, Monash University Malaysia.

"This means the confidential details of an individual are under threat in the event the password is forgotten, lost, or stolen. Because it is revocable, the attacker can obtain multiple templates from the same source. If they gain multiple templates from the same source, then they can retrieve critical information, and the system is compromised."

Dr Jin has extensive experience working in the field of biometric cryptosystems and is currently involved in the creation of Bio-PIN, a secure set of algorithms which can be incorporated into any biometric cryptosystem. Bio-PIN is the result of a collaboration between Monash University Malaysia, the Electronics and Telecommunications Research Institute (ETRI), and Yonsei University in South Korea.

What makes Bio-PIN different from existing systems is an extra layer of protection applied to the biometric data: what gets stored is a transformed version of the raw features rather than the features themselves.

Conventional devices with biometric inputs, such as smartphones, act as biometric sensors: what is stored on the phone is the raw biometric data. Similarly, immigration departments store a person's biometric features in a centralised database.

"The problem is, if the centralised database is compromised or stolen, this becomes a privacy breach. And this is the reason why we are encrypting the biometric data in a protected form. It means, even in the event the biometric database is stolen or compromised, everything that the attacker gets is encrypted, or what we call transformed data," said Dr Jin.

Bio-PIN is a standalone algorithm that can be incorporated into the various types of biometric system in use today.

"We develop a library so any system that wants to use our algorithm, just needs to call our library and we can implement our system wherever they want," Dr Jin said.

"Biometrics are very commonplace, and a lot of companies have their own technology to capture the biometric data. What we do is incorporate our algorithm into their biometric templates."

Dr Jin says he first began his research on cancellable biometrics, before working with his students on key-binding schemes that combine cancellable templates with key binding.

He is now awaiting feedback from ETRI to see if any additional development is required to the algorithm he has created.

Two terms at the heart of any biometric system are one-to-one and one-to-many matching.

In a one-to-one (verification) scheme, the user first claims an identity, typically by presenting an identification card with an embedded chip. Once the card is recognised, the user is prompted for a biometric credential, a fingerprint for instance, which is compared only against the template enrolled for that identity before access (or a bound key) is released.

In a one-to-many (identification) search, no identity is claimed. The biometric credential alone is presented, and it is compared against every enrolled template to find the matching person.

"A one-to-many search means you don't have any identification cards (IC) and you don't have to provide anything else. You only need to present your physical biometric attribute, so it goes straight to the database to search which one is the right person," Dr Jin said.

"We are going to embed the Bio-PIN technology into both the one-to-one and one-to-many schemes for identification."
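The two ideas the article puts together, storing a transformed template instead of the raw biometric, and running either a one-to-one or a one-to-many match over those templates, can be shown end to end in a few dozen lines. The example below is an added illustration and is not Bio-PIN's algorithm or code from Monash, ETRI or Yonsei: it uses a generic random-projection ("BioHashing"-style) cancellable transform, in which a user-specific token seeds a projection matrix and only the sign of each projection is kept. The feature vectors, the noise model, the token strings and the match threshold of 0.25 are all constructed for the demonstration. It shows that a stolen template does not reproduce the raw features, that a probe transformed under the wrong token does not match, that a leaked template can be revoked by re-enrolling under a new token, and how verification (claimed identity plus biometric) differs from identification (biometric only, searched against every user).

```python
"""Cancellable biometric templates, random-projection style (added illustration,
not the Bio-PIN algorithm): enrol, one-to-one verify, one-to-many identify, revoke."""
import hashlib
import random
from typing import Dict, List, Optional, Tuple

FEATURE_DIM = 32        # length of the simulated biometric feature vector
TEMPLATE_BITS = 128     # length of the protected bit-string template
MATCH_THRESHOLD = 0.25  # assumed: largest normalised Hamming distance accepted as a match


def _projection(token: bytes) -> List[List[float]]:
    """Token-specific Gaussian projection matrix. The token (a card secret or a
    value derived from a PIN) seeds the PRNG, so the same token always gives the
    same matrix and a fresh token gives an unrelated one: that is what makes the
    template cancellable."""
    rng = random.Random(int.from_bytes(hashlib.sha256(token).digest(), "big"))
    return [[rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)] for _ in range(TEMPLATE_BITS)]


def protect(features: List[float], token: bytes) -> List[int]:
    """Raw features -> protected template: project, then keep only each sign bit.
    The stored bits do not reveal the feature vector, and a different token
    yields bits statistically independent of the old template."""
    return [1 if sum(f * w for f, w in zip(features, row)) > 0 else 0
            for row in _projection(token)]


def hamming(a: List[int], b: List[int]) -> float:
    """Normalised Hamming distance: 0.0 identical, about 0.5 for unrelated templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


class TemplateStore:
    """Holds protected templates only, never raw biometrics."""

    def __init__(self) -> None:
        # user_id -> (token, template). The token copy is kept only so that the
        # one-to-many search can re-transform a probe per user; in a pure
        # one-to-one deployment it can live on the user's card instead.
        self._db: Dict[str, Tuple[bytes, List[int]]] = {}

    def enrol(self, user_id: str, features: List[float], token: bytes) -> None:
        self._db[user_id] = (token, protect(features, token))

    def verify(self, user_id: str, probe: List[float], token: bytes) -> bool:
        """One-to-one: identity is claimed (card), then the biometric is presented."""
        if user_id not in self._db:
            return False
        return hamming(protect(probe, token), self._db[user_id][1]) <= MATCH_THRESHOLD

    def identify(self, probe: List[float]) -> Optional[str]:
        """One-to-many: biometric only; every enrolled template is searched."""
        best: Optional[Tuple[str, float]] = None
        for user_id, (token, template) in self._db.items():
            d = hamming(protect(probe, token), template)
            if d <= MATCH_THRESHOLD and (best is None or d < best[1]):
                best = (user_id, d)
        return best[0] if best else None

    def revoke(self, user_id: str, features: List[float], new_token: bytes) -> float:
        """Cancel a leaked template by re-enrolling under a new token.
        Returns the distance between old and new template (expected about 0.5)."""
        old_template = self._db[user_id][1]
        self.enrol(user_id, features, new_token)
        return hamming(old_template, self._db[user_id][1])


# Constructed sample data standing in for sensor output.
def simulated_features(seed: int) -> List[float]:
    """A fake 'person': a fixed Gaussian feature vector."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]


def noisy_capture(features: List[float], seed: int, sigma: float = 0.15) -> List[float]:
    """A fresh capture of the same person: enrolment features plus sensor noise."""
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, sigma) for f in features]


def demo() -> dict:
    store = TemplateStore()
    alice, bob = simulated_features(1), simulated_features(2)
    store.enrol("alice", alice, b"alice-card-secret-1")
    store.enrol("bob", bob, b"bob-card-secret-1")
    probe = noisy_capture(alice, 100)
    out = {
        "genuine_verify": store.verify("alice", probe, b"alice-card-secret-1"),
        "wrong_token_verify": store.verify("alice", probe, b"attacker-guess"),
        "impostor_verify": store.verify("alice", noisy_capture(bob, 101), b"alice-card-secret-1"),
        "identify": store.identify(probe),
        "identify_unenrolled": store.identify(simulated_features(3)),
    }
    # Suppose Alice's stored template leaks: reissue it under a new token.
    out["revoked_distance"] = store.revoke("alice", alice, b"alice-card-secret-2")
    out["old_token_after_revoke"] = store.verify("alice", probe, b"alice-card-secret-1")
    out["new_token_after_revoke"] = store.verify("alice", probe, b"alice-card-secret-2")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner should keep in mind. First, the security of a token-seeded transform depends on the token staying secret: if token and template leak together, an attacker can search feature space offline, so real schemes pair the transform with key binding (fuzzy commitment and the like) or keep the token on the card. Second, one-to-many search over per-user tokens, as written here, forces the server to hold every token; deployments that cannot accept that either use a system-wide token (weaker unlinkability) or restrict identification to a small candidate set.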

Dr Jin says biometric cryptosystems will strongly influence and complement the secure identity management industry, including manufacturers and vendors of biometric systems. Their benefits will be felt in healthcare, consumer electronics, cloud services, and the many other sectors that depend on secure identity management.