BBC Home
Explore the BBC


Page last updated at 17:19 GMT, Friday, 7 November 2008

The pitfalls of biometric systems

How easily do biometric ID systems fall down, and can they be fooled completely? In the second part of his look at biometric security, Dan Simmons asks if being unique is enough to keep us safe.

Face recognition

Biometric ID systems rely on one central idea - that we are all unique. That notion appeals to our own vanity.

It is tempting to think biometric systems are the perfect way to identify us.

But it is not that straight-forward. Consider fingerprints. Manual workers can have theirs rubbed off and swimmers need to wait until their fingertips dry out to be identified. It is also possible to lift and copy prints.

There are cultural concerns too. In Japan people tend to dislike the idea of touching something, so some Japanese ATMs analyse the palm of the hand while it is held over a scanner.

False negative

The introduction of face recognition scanners at Manchester Airport in August in a trial to speed up passport queues revealed some of the shortcomings of relying on biometrics.

Face recognition uses the contours of the face and the relative distance between the eyes and nose to spot people.

"You can tune the system so it's less fussy about getting an exact match to the biometric data on record," said Ant Allan of analysts Gartner.

"Or you can make it demand a more exact match, so you can make it stronger security.

"That means that users probably have to provide a number of samples, which reduces the convenience."

"There is the potential for error and user frustration because of that."

The most common error biometrics systems make is when they say "no" instead of "yes" - a false negative.

Far more dangerous is a false positive, where the system gives a thumbs-up to an imposter.


"Some of the technologies are known to be vulnerable," said Ant Allan adding that there had been reports of iris recognition systems being fooled by digital photographs.

I think this stresses the sensitivity that this kind of technology has
Ant Allan, Gartner Analysts
"That might depend upon the complexity of the system," he said. "The higher-end systems certainly have techniques where they wouldn't be fooled by that, but there are certain systems deployed in commercial and government use where these kinds of attacks can succeed."

The latest iris and fingerprint systems now look for live subjects and are much harder to dupe.

Voice identification is also catching on fast. It has been used in court cases for some years and Canadian stockbroking firm TD Waterhouse is using it to automatically verify its customers before they start trading - completely automating the system.

In Spain, Bankinter runs the Kivox voice recognition system created by voice experts, Agnitio. It is used internally to verify the ID of staff.

Agnitio expects other banks in the UK and Europe to start using its service within the next 12 months. But just how unique is our voice? Click took the chance to test the Kivox Authenticator.

Dan Simmons made two telephone calls saying clearly 10 sets of four numbers, so the system could build a voice profile and recognise him when he called back.

And sure enough when he did, it let him in, although he did get a few false negatives. It did not like the throaty tones of his voice in the morning, or when background noise was too high.

All the attempts Click made to fool the system failed.


Agnitio were so confident, the company offered to introduce Click to a pair of identical twins in order to test it. Unfortunately, when Click agreed the pair were unavailable for filming.

So Dan asked his brother to try and break into the system. He did it with comparative ease.

In a statement, Agnitio said: "Agnitio's Kivox demo system is a basic tool to show how voice biometrics works. It has not been calibrated to a real live scenario.

"We have set the demo's False Rejection Rate very low to make it more accessible. Consequently, the False Acceptance Rate increases.

"For a 'live system' we will always bring the False Acceptance Rate down, as required by our customers. Please note, there will always be false positives."

Said Ant Allan: "There is work to be done. Even if the technology itself is sound and even if in other situations it works well, or well enough, I think this stresses the sensitivity that this kind of technology has, on the way it's used, how the system is set up, on the circumstances, the environment and so on.

"It's interesting, given the problems that we've seen with small-scale implementation of biometric projects, these large scale implementations are really opening themselves up to significant failures.

"That's not necessarily likely, but it's certainly a possibility."

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit

banner watch listen bbc sport Americas Africa Europe Middle East South Asia Asia Pacific