Why security scans of the eye can be wrong

Remember those spy movies where the good guy is trying to break into a high-security facility and either a fingerprint or retinal scan is required to gain access? So the hero knocks out the person with security clearance, or puts a gun in his back and places their hand over the scanner or lifts up the eyelid and places it against the scanner to gain access.

Well a recent report from National Research Council, commissioned by agencies that include the Department of Homeland Security states that biometric systems are “inherently fallible.” So in the scenario above, what a bummer if the person with supposed security clearance now is denied access at a crucial moment.

Biometric systems are security solutions that identify individuals based on unique biological characteristics like fingerprints, retinal patterns, voice, or facial features.The weakness in these systems is that “characteristics largely perceived as positive identifiers actually can change over a person’s lifetime due to age, disease, or other factors. This can lead to false-positives or an inability for a system to make an ID at all.”

Why all the fuss? The Indian government has just announced a plan to provide its 1.2 billion citizens with state-of-the-art biometric identification cards. The cards will carry retina and fingerprint data and credit and criminal histories, and will be linked to a central online database. If the perception exists that biometrics are infallible, what a mess it will be if the government accuses you of not being who you say you are—because stored biometric data doesn’t match your current physical state.

The U.S. has also created a Biometrics Identity Management Agency (BIMA) that has a responsibility that spans the entire U.S. Department of Defense (DoD), and would specifically support the DoD’s “authoritative biometrics database” in the name of national security. They will be even able to identify people using samples of bacteria collected from their computer keyboards and mice.

However, the margin of error and human consequence is still too high to rely solely on these systems for definitive identification. Therefore the National Research Council recommends a portfolio strategy when it comes to biometric security systems—similar to a network in-depth strategy that relies on several levels of security systems for identification, verification and action.