Biometrics are supposed to be a fundamental pillar of modern authentication:
Biometrics is supposed to be one of the underpinnings of a modern authentication system. But many biometric implementations (whether that be fingerprint scans or face recognition) can be wildly inaccurate, and the only universally positive thing to say about them is they're better than nothing.
Also — and this may prove critical — the fact that biometrics are falsely seen as being very accurate may be sufficient to dissuade some fraud attempts.
[...] Roger Grimes, a defense evangelist at KnowBe4, wrote on LinkedIn about the National Institute of Standards and Technology (NIST) evaluation ratings. As he explained: "Any biometric vendor or algorithm creator can submit their algorithm for review. NIST received 733 submissions for its fingerprint review and more than 450 submissions for its facial recognition reviews. NIST accuracy goals depend on the review and scenario being tested, but NIST is looking for an accuracy goal around 1:100,000, meaning one error per 100,000 tests.
"So far, none of the submitted candidates come anywhere close," Grimes wrote, summarizing the NIST findings. "The best solutions have an error rate of 1.9%, meaning almost two mistakes for every 100 tests. That is a far cry from 1:100,000 and certainly nowhere close to the figures touted by most vendors. I have been involved in many biometric deployments at scale and we see far higher rates of errors — false positives or false negatives — than even what NIST is seeing in their best-case scenario lab condition testing. I routinely see errors at 1:500 or lower."
[...] In independent testing, many biometrics simply do not accurately deliver on their promise. On top of that, many vendors, including Apple (iOS) and Google (Android), make marketing choices in their settings, where they choose how stringent or lenient the authentication is. They do not want a lot of people being improperly locked out of their phones, so they choose to make it less strict, in effect giving a greenlight to device access by higher numbers of unauthorized people.
Remember those videos showing phones letting in the children or siblings of a phone user when using facial recognition? That's a big reason why.
Another key factor is theoretical accuracy versus real-world accuracy. Consider two popular phone authentication methods: facial and fingerprint recognition. In theory, facial recognition is much more discerning because it can consider a larger number of datapoints. In practice, though, that often doesn't happen.
Have you seen any children or siblings getting phone access via fingerprint? Facial recognition has to deal with lighting, cosmetics, hair change and dozens of other factors. None of that is in play when using fingerprint recognition.
There is also a distance issue. With facial recognition, a device needs to be a precise distance from the face to read it accurately — not too close, not too far. I personally use an iPhone with Face ID and I typically see failure 60% of the time.
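An added example (not from the article or from any vendor's code) of the threshold trade-off described above: the same matcher becomes more lenient or more strict depending on where the accept threshold is set. The match scores are constructed, the function names are hypothetical, and the last function goes one step beyond the text by treating the quoted 1.9% and 1:100,000 figures as per-comparison false match rates and assuming independent comparisons.

```python
# Constructed similarity scores in [0, 1]; not measurements from any real matcher.
# GENUINE: the enrolled user presenting again. IMPOSTOR: somebody else.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.85, 0.97, 0.66, 0.90, 0.81, 0.93,
           0.58, 0.89, 0.94, 0.77, 0.86, 0.92, 0.83, 0.96, 0.70, 0.87]
IMPOSTOR = [0.12, 0.30, 0.45, 0.22, 0.61, 0.18, 0.35, 0.52, 0.27, 0.40,
            0.74, 0.15, 0.33, 0.48, 0.25, 0.68, 0.20, 0.38, 0.55, 0.29]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FMR, FNMR) when every score >= threshold is accepted.

    FMR  = false match rate (impostors let in).
    FNMR = false non-match rate (legitimate users locked out).
    """
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def lowest_threshold_for(target_fmr, genuine=GENUINE, impostor=IMPOSTOR):
    """Most lenient observed threshold that meets target_fmr, and its FNMR cost."""
    for t in sorted(set(genuine) | set(impostor)):
        fmr, fnmr = error_rates(t, genuine, impostor)
        if fmr <= target_fmr:
            return t, fnmr
    return None  # the highest observed score still accepts too many impostors


def any_false_match(fmr, comparisons):
    """Chance of at least one false match across independent comparisons,
    e.g. one probe searched against a gallery of enrolled people (1:N)."""
    return 1 - (1 - fmr) ** comparisons


if __name__ == "__main__":
    for label, t in (("lenient", 0.60), ("strict", 0.80)):
        fmr, fnmr = error_rates(t)
        print(f"{label:8s} threshold={t:.2f}  FMR={fmr:.2%}  FNMR={fnmr:.2%}")

    t, fnmr = lowest_threshold_for(0.0)
    print(f"no impostor accepted needs threshold {t:.2f}; lockouts rise to {fnmr:.0%}")

    # Assumed gallery of 50 enrolled people (constructed figure).
    for name, fmr in (("1.9%", 0.019), ("1:500", 1 / 500), ("1:100,000", 1e-5)):
        print(f"FMR {name:10s} -> P(any false match in 50) = "
              f"{any_false_match(fmr, 50):.4f}")
```

A sample of 20 impostor attempts cannot resolve rates anywhere near 1:100,000; the sweep only shows the direction of the trade-off.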
(Score: 3, Insightful) by SomeGuy on Wednesday December 07, @07:13PM (9 children)
Less accurate than we thought? No, they are only less accurate than idiot higher up managers who watch too many movies thought. And "we" already knew that.
Biometrics are SHIT. At best it is some convenient way to "lock" some unimportant personal device, but it is NOT real security, never has been, and never will be.
(Score: 4, Touché) by JoeMerchant on Wednesday December 07, @07:57PM (8 children)
~2005 I worked for a radiotherapist / entrepreneur software marketer who wanted to use fingerprint scanning to ID patients prior to delivering therapy.
Us: sure, that's a great addition to reduce mistakes...
Him: what do you mean you'll also need to have an option to select the patient by name/ID from a list? I log in to my laptop every day using my fingerprint?
Us: ... (Him continuing to dominate the conversation then abruptly walking out the door before we can really tell him what's up.)
Rinse, lather, repeat variations of the above for most of a year. Finally:
Us: There is a chance that two fingerprints can be mistaken for each other (we've told him this at least 5 times previously but it didn't sink in before today): we should (must, really) always show the patient Name/ID & photo and ask for confirmation before proceeding.
Him: ??! (genuinely perplexed) You mean fingerprint readers aren't 99.999999999% guaranteed unique (like on TV)?
Us: Yes, try more like 99 44/100%, or one patient mis-identification per several hundred treatment series, particularly when used at busy clinics with dozens of treatment plans active at a given time. Also: our (ever so polite - would NEVER interrupt him to tell him anything) Japanese radiotech can't get the reader on her laptop to recognize her fingerprint 2 days out of 3.
Him: !!!?! Why do they even allow people into laptops using these things if they don't work!!!?!?
Us: (that shrug we have given him 100 times before when repeating ourselves about things he doesn't want to hear...)
Ukraine is still not a part of Russia. Glory to Ukraine 🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 2) by krishnoid on Wednesday December 07, @08:31PM (3 children)
I mean ... the answer's right in his *own* title.
(Score: 3, Informative) by JoeMerchant on Wednesday December 07, @08:57PM (2 children)
Oh, he didn't call himself that. His self assigned title was unique and shall not be repeated here lest he do an internet trawl for himself and find this. Last I heard he relocated 3000 miles away and I hope he only moves farther in the future.
This is the same clown that used to make fun of people who use supercomputers by pointing out that a lot of the algorithms run on them aren't implemented well and could be done on a regular computer. Once, he even said: "hell, you might find an optimization in my code..." but I don't think his own thought / statement really sunk in for him because: two months later when we did find an optimization in his algorithms that gave us a 100x speedup and reduced his system's need for a supercomputer cluster to just a single ordinary PC, you could see his visions of his baby fall apart in front of his eyes - he really wanted that pricey cluster of shiny hardware to impress the users.
(Score: 2) by RS3 on Wednesday December 07, @09:30PM (1 child)
Sounds like Frank Abagnale, Jr. [wikipedia.org] Just sayin'.
(Score: 2) by JoeMerchant on Wednesday December 07, @09:55PM
That was a good movie. This guy was nowhere near as much fun to be around, he thought he was, but smiling while he spewed his BS got to be nauseating in a hurry.
(Score: 2) by RS3 on Wednesday December 07, @09:09PM (3 children)
This probably applies to all walks of life, but it particularly bugs me when someone who is not a tech expert but is 100% argumentatively and arrogantly sure of something and won't back down. For sure none of us are perfect, but the fierceness of the arguing is what gets me.
I have to wonder what his motivation was for the absurdly strong stance? I might have asked him where he got his "information", and why does he think the fingerprint reader and its software is infallible? Maybe he's also a code monkey? Maybe he knows perl? :)
I know a tiny bit about the medical world and one of the reasons they like to ask people for their name and DOB is to see if they're awake, alert, brain functioning, etc. They'll (medical workers) notice subtleties in response delay, eye movement, etc.
Speaking of which: a good friend thought he was all clever using his thumbprint to unlock his phone. About 8 or so months ago he fell down some steps and an embankment and was unconscious. Turned out he had some medical problems which strongly contributed. Someone called EMTs, he was taken to hospital.
Guess what the ER people did? If you guessed they put his unconscious thumb on the phone and got in, you'd be absolutely correct.
If you guessed that he no longer uses his thumbprint, you'd be also correct.
(Score: 3, Interesting) by JoeMerchant on Wednesday December 07, @09:25PM (1 child)
>what his motivation was for the absurdly strong stance?
This one? He married "up," and wanted to prove his worth before retiring on his wife's parents' money, so this was his big 'proving myself worthy' project. Also, pathological need to be called the smartest guy in the room - always. He worked in academic circles, controlled a bit of grant money, his grantees would fawn all over him laughing at anything resembling a joke and always complimenting him on how smart he was. In the year I worked around him, his grantees only brought him results agreeing with what he told them he wanted to hear, and he loved it comically. On the other hand, he also hired a nuclear physics simulation expert PhD whose simulations weren't exactly showing what he wanted them to, that relationship wasn't so cheerful, and those results never seemed to make their way into the company "progress reports." Part of my job was advising on the course of the product development, which he of course had opinions on everything, but I only agreed with about 33% of them. As our conflicts played out to show I clearly made the better choice one after the other, he really started to openly despise me. It wasn't that I would disagree with him - that he sort of liked, what he really hated was when something he staked out as "his" preference was proven to be the clearly inferior choice, and no amount of soft delivery of the message would help.
>Maybe he's also a code monkey? Maybe he knows perl? :)
Matlab. I made half a million bucks in a little under five years translating various Matlab projects into C++ for use by "real" people outside of academic labs, including his.
>they put his unconscious thumb on the phone and got in
Which, ironically, was more to his benefit than detriment in this case I would guess.
I mean: how many movies showing someone hacking off a finger or thumb or whole hand to gain access to whatever do we need to see before the obvious sinks in?
(Score: 0) by Anonymous Coward on Thursday December 08, @04:02AM
> > Maybe he's also a code monkey? Maybe he knows perl? :)
>
> Matlab. I made half a million bucks in a little under five years translating various Matlab projects into C++ for use by "real" people outside of academic labs, including his.
From your description of working with this blowhard, I have to ask if putting up with him was worth a $100K/year...in exchange for five years of your life?
Yes, I've worked with/for a few jerks too, but I got out long before wasting five years on any of them.
(Score: 0) by Anonymous Coward on Thursday December 08, @05:07AM
Seems like it was a good idea to use his thumbprint.
Works well enough for most scenarios - e.g.
a) pesky kid "borrows" my phone and tries to unlock it and install games to play. Nope, won't work.
b) I get knocked out in some medical emergency and medical personnel can use my phone to contact people, guess what I last ate, etc
c) If bad guys are willing to KO me and use my fingerprints to unlock my phone, they'll be willing to torture me till I unlock my phone for them.
Meanwhile I save a lot of time since I don't have to spend many seconds unlocking my phone. Just a split second is enough.
So who is the stupid one? If your phone has really top secret stuff then sure use some passcode instead of fingerprint. But I don't keep my top secrets on my phone...
(Score: 0) by Anonymous Coward on Wednesday December 07, @07:21PM
The airport security algorithms are about as effective as baggage handling.
(Score: 5, Insightful) by Rosco P. Coltrane on Wednesday December 07, @07:57PM (5 children)
I lost a few fingers and toes to chronic neuropathy a few months ago. If my cellphone relied on fingerprints to unlock, I'd be properly screwed.
Here's the thing: if you lose a body part that's used to identify yourself, you're hosed because body parts don't grow back. If your body part measurements are stolen and used to impersonate you, you're hosed because body parts can't be replaced. That's why a non-intimate identification factor is useful: when it's compromised, you replace it.
And that's not even factoring in the fact that they aren't 100% accurate - something everybody has known for a long time.
Biometrics are a very bad idea. It's only secure if you have a James Bond or Mission Impossible idea of what biometric security is.
(Score: 3, Informative) by JoeMerchant on Wednesday December 07, @08:01PM (4 children)
I touched my right index fingertip to a hot iron when I was just old enough to reach it standing on the ironing board. To this day, that fingerprint is... unique. Easily distinguished by humans, but the standard fingerprint feature extractors pretty much don't know what to do with it.
(Score: 2, Insightful) by pTamok on Wednesday December 07, @08:25PM (3 children)
Welcome to the world where, if it works for a majority of people, it's good enough, and anyone for whom it doesn't work is forgotten about.
People with disabilities get this all the time.
(Score: 3, Interesting) by JoeMerchant on Wednesday December 07, @08:33PM (2 children)
There are laws, but the question is: if you have a disability, what's your capacity to pursue lawsuits?
Our kids have severe to profound autism, we have run up against lawbreaking school systems their entire lives. There seems to be an art to making a credible threat of legal action to get things moving in the right direction - first thing you need to make that work is a lawyer that the school board actually recognizes as a threat of trouble for them. Finding such a lawyer has been a perpetual challenge (best one we ever had got himself thrown in jail for a couple of years shortly after he helped us...)
(Score: 2) by bzipitidoo on Wednesday December 07, @10:59PM (1 child)
A _good_ counselor who knows the ropes of the school system can help. If you have that, you may not need to retain lawyers, at least not often. I daresay you already know this all too well, but schools will railroad students that they view as troublesome, and they will cut corners to do it. Have an unqualified person issue the diagnosis they want, not caring and perhaps not even fully cognizant that it is backwards and unethical to make data fit a conclusion, perhaps hold a meeting the object of which is to bully the parents into accepting the diagnosis, maybe by presenting it as pretty much a fait accompli, baffle the unprepared parents with seeming expertise backed by lots of fancy language and official looking forms, then off the kid goes. Drugged, or sent to special ed, whatever, just as long as it gets the kid off their minds. I have heard this called "laying the tracks then running the train". A counselor experienced with this sort of thing can shut that all down. They almost always back down when found out, as they know that if they press ahead, they're very likely going to end up fired.
(Score: 2) by JoeMerchant on Thursday December 08, @12:51AM
>They almost always back down when found out,
We have found this to be true, but depending on the school district there are limited facilities and resources they can offer once you have backed them into the corner where they realize they are going to have to do something for your child. Our older one was a constant battle for services, his brother two years younger has lesser needs but pretty much got anything we had won for his older brother just for the asking.
We have found that there are good and bad people at all levels of the system, and a large number who just don't want to upset their bosses. When the principal or the majority of the school board is bad, you might win legally prescribed services but they are going to be delivered in such a way that you might rather not have them.
All in all, it is easier to move the whole family to a district with better services than it is to try to "fix" a backwards one.
(Score: 2) by inertnet on Wednesday December 07, @09:20PM (7 children)
I've thought about biometrics in the past and came to the conclusion that the most reliable would be a 3D entire skeleton scanner, or a DNA 'sniffer'. Either should of course give a result within a few seconds. As these solutions won't become practical for at least several decades, I just don't bother with biometrics. Years ago I did come up with a method to mathematically reduce a set of minutiae to their essence, eliminating size components for easier and faster comparing, but dropped the whole thing when I realized that biometrics are a dead end (pun intended).
(Score: 3, Insightful) by JoeMerchant on Thursday December 08, @12:57AM (6 children)
The DNA sniffer is already here and being used for things like real time anthrax detection in important building ventilation systems. It's pretty pricey, but should be adaptable to individual i.d. discrimination.
However, when you shake hands how much DNA do you exchange? What would it take to obtain a target subject's DNA, amplify it, and use that to "break in"?
(Score: 2) by inertnet on Thursday December 08, @08:33AM (3 children)
Agreed, DNA could only be used for identification, not for unlocking anything. A skeleton could, because that's a lot harder to fake.
I'm assuming that current DNA sniffers may be able to determine where on the evolutionary tree a sample belongs, but I suppose they're not yet able to identify individuals.
(Score: 2) by JoeMerchant on Thursday December 08, @10:54AM (2 children)
I think current sniffers are tuned for species identification and the value of tuning them for individual identification is too low to justify the cost.
The hurdle I know of is the amplification process in the system that was described to me involved a petri dish letting airborne organisms quickly multiply. Human DNA would need a different amplification process, but the technical DNA code matching for individual identification might actually be easier...
(Score: 1) by Runaway1956 on Thursday December 08, @01:35PM (1 child)
So, I could program my doors to allow the dog to pass, but deny cats entry? I'm on board with that!
Abortion is the number one killer of children in the United States.
(Score: 2) by JoeMerchant on Thursday December 08, @02:58PM
Prices I heard for the anthrax sniffer systems were mid to high six figures. The kind of thing you might deploy at the SuperBowl or similar.
Our cat has an RFID chip and a flap that reads it and only lets in our cat, has worked well for a couple of years now. The flap is nothing exotic, they're all over Amazon.
(Score: 2) by Common Joe on Saturday December 10, @04:46PM (1 child)
The DNA sniffer won't work for biometric identification. Consider the two examples:
Especially with the secondary DNA transfer, it wouldn't be hard to get DNA of the target victim and use that for "biometric identification".
(Score: 2) by JoeMerchant on Saturday December 10, @05:09PM
I agree for mainstream applications like unlocking your smart phone.
For high security applications where you wouldn't mind "signing in blood", or perhaps more appropriately a tissue sample from a stable organ, and waiting 30 to 90 minutes for the results... It could be used as additional confirmation.