The biometrics revolution is here. Are we ready?

You can always count on Associate Professor of Electrical and Computer Engineering Hafiz Malik to scare you with dystopian stories from the frontiers of our tech-dependent world. When we talked with him last year, the terrifying thing of the moment was the political “deepfake” — AI-generated video and audio of candidates that are barely distinguishable from the real thing. When we reached out for a check-in a few weeks back, the anecdote he entertained us with was even weirder: Recently, researchers were attempting to pressure test facial recognition systems at ATMs and automated transit access points in China by donning custom 3D-printed latex masks that mimicked the faces of real individuals. Scarier yet, their faked faces were lifelike enough to fool the machines.

Malik says be prepared to hear lots of stories like that as companies and governments attempt to integrate more biometric-based security into consumer-facing technologies. (Just last week, for example, Amazon announced it was debuting a new payment system that allows consumers to pay with their palmprint at retail stores.) Malik says the motivations for this push toward biometrics are at least two fold. One is convenience. While old-school security devices like ATM cards or car keys actually work relatively well, it’s also easy to forget them as you’re rushing out the door. This quality also gives biometrics an inherent security advantage, because stealing or losing information that’s literally part of your body is obviously more difficult.

That doesn’t mean these technologies, at least in their current incarnations, are foolproof. Malik has demonstrated with his previous research the vulnerabilities of voice recognition-based systems. Many can be tricked by low-bar “replay attacks,” which use playback of someone's recorded voice; or by more sophisticated “cloning” attacks, where a sample of someone’s voice is used to generate faked audio of them saying just about anything. Similarly, he says some of today’s facial recognition systems can be fooled without even going to the trouble of 3D-printing a lifelike human face. In some cases, all it takes is a paper printout, which could be easily sourced from just about anybody’s social media account. 

Malik says because of these vulnerabilities, greater use of biometrics is going to demand more robust defenses than exist today. In his own research, he’s currently working on a facial recognition system built around what he calls “liveliness detection.” In addition to recognizing your face’s physical attributes and depth of field, Malik’s system looks for properties like eye blinking, skin temperature, blood pressure and skin reflectance — all things which would foil a 3D-printed mask attack. In addition, he says data security of these stored biometric indicators is paramount. “You can get a new pin number, but once somebody steals your biometrics, they’re basically gone for good,” Malik says. He thinks that’s probably why we’ve seen relatively few stories about data breaches of companies who are using these kinds of technologies. They’ve had to double down on security because the stakes are so high.

Given this “forever” nature of biometrics, some might wonder whether it’s worth all the effort. After all, criminals and hackers are smart people, and if (when?) they get a hold of our fingerprints, palmprints and “faceprints,” won’t we inevitably end up back where we started — abandoning these high-tech tools for less convenient but more resilient systems like car keys and pin numbers? Is the biometric revolution, in fact,  just doomed to be a promising, but passing fad?

Malik doesn’t think so, but he says the framing of the question captures exactly the balance of competing priorities that underlies biometrics — and nearly all similar security issues.

It comes down to a problem of “scale,” which he explains encompasses not only how broadly these systems will be deployed but our values about speed, convenience and security. Do we crave detethering from ATM cards and pin numbers every time we want to buy something? Do we really desire to be rid of car keys? Would we love to own a connected vehicle or smart home that recognizes us and our preferences the second we enter them? Do we want to quickly navigate international airports without the need for paper passports and human-staffed security checks? If the answer is yes, biometrics can definitely help us deliver that future. But it won’t be without its risks and compromises.

“A border crossing that uses human security officers — they’re going to be able to spot a 3D-printed mask, so in that sense, the system is very robust,” Malik explains. “But it’s also probably slower and definitely requires a lot more labor than a machine that can simply scan your face. So it’s a question of what kind of costs and vulnerabilities we as a society are willing to tolerate to gain that speed and convenience in more of our everyday lives.”