David Canton is a business lawyer and trade-mark agent with a practice focusing on technology issues and technology companies.




May 22, 2007

Biometric usage has risks

David Canton @ 7:17 am

For the London Free Press – May 19, 2007


We routinely use passwords to confirm who we are in order to do many things, such as accessing various systems and services. Effective passwords are difficult to remember, especially given the number of them we seem to need.

Biometrics have been touted for some time as a solution, but biometric authentication has its problems as well. This issue was addressed in a paper by the information and privacy commissioner of Ontario, Ann Cavoukian, and biometrics scientist Alex Stoianov.

Biometrics refers to systems that use physical characteristics to recognize who we are. Examples include fingerprints, iris, retina, face, hand or finger geometry, and voice.

Done poorly, biometric technologies can be highly privacy-invasive. Biometric data, once collected, can be stored, shared and used for numerous purposes, inviting potential discrimination and identity theft.

It also can lead to serious security issues. A stolen or leaked card number or password can be changed, but we only have two thumbs.

There are thus two main risks. The first is that the identifier will be used by the party holding it for purposes unintended by the individual. The second is that the identifier might fall into the wrong hands. Given the number of data leaks that seem to occur, those are valid concerns.

The central message of the report is that biometric encryption technology promises a “positive-sum” win-win scenario for all involved. The authors believe privacy and security are not opposites and do not need to be traded off.

The report discusses privacy-enhanced uses of biometrics, with a particular focus on the privacy and security advantages of biometric encryption. In that model, the biological identifier itself, such as our thumbprint, is not stored anywhere.

Instead, you use the thumbprint to encrypt or code some other information, like a password or cryptographic key, and only store the biometrically encrypted code, not the biometric itself.

To authenticate yourself, you might use a smartcard and your thumbprint that would re-generate that password or key.
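The binding and re-generation steps described above can be sketched as follows. This is an added example, not code from the column or the report. It assumes one published construction of this kind, a fuzzy commitment with a simple repetition code, and uses a constructed 80-bit string in place of real thumbprint features; all function names are hypothetical.

```python
import hashlib
import random
import secrets

REP = 5  # repetition code: each key bit is stored 5 times, so 2 flips per group are corrected

def encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]

def decode(code_bits):
    # Majority vote over each group of REP bits absorbs small reading differences.
    return [int(sum(code_bits[i:i + REP]) > REP // 2) for i in range(0, len(code_bits), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def digest(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def enroll(template_bits, key_bits):
    """Bind the key to the biometric; the returned record is all that is stored."""
    if len(template_bits) != len(key_bits) * REP:
        raise ValueError("template must supply REP bits per key bit")
    return {"helper": xor(encode(key_bits), template_bits), "key_hash": digest(key_bits)}

def release(record, sample_bits):
    """Regenerate the key from a fresh sample, or return None if it is too far off."""
    if len(sample_bits) != len(record["helper"]):
        return None
    candidate = decode(xor(record["helper"], sample_bits))
    ok = secrets.compare_digest(digest(candidate), record["key_hash"])
    return candidate if ok else None

def flip(bits, positions):
    # Simulates reading noise or a different finger by inverting chosen bits.
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

# Constructed sample data (assumption): a toy 16-bit key and an 80-bit "thumbprint".
# A real deployment would use a far longer key and an error-correcting code
# matched to the sensor's noise.
_rng = random.Random(2007)
TEMPLATE = [_rng.randint(0, 1) for _ in range(80)]
KEY = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
RECORD = enroll(TEMPLATE, KEY)

if __name__ == "__main__":
    print("noisy genuine sample:", release(RECORD, flip(TEMPLATE, {0, 1, 7, 40})) == KEY)
    print("sample too far off:  ", release(RECORD, flip(TEMPLATE, {0, 1, 2})))
```

The stored record holds only the helper data and a hash of the key. Replacing a compromised record means enrolling the same thumbprint with a new key, which is what a stored fingerprint image cannot offer.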

The technology uses concepts such as public/private key encryption. While the technology can be complex and not easy to understand, its use by the consumer is simple.

This approach allows for long, complex and more effective passwords or keys that we don’t have to remember. It also allows the advantages of biometrics without the risks of storing biometric information.

For organizations requiring authentication or identification of individual users or customers, the report is a good summary of how biometrics can be used for authentication in a privacy-friendly way.
