Body of evidence: Biometrics and YOU

Feeling your way around non-password access systems

The proliferation of password protection has become an assault on the senses. The rise of biometric authentication is helping to create some balance, enabling verification with a simple interaction, which, for many, is the fingerprint reader on a mobile phone. And once you start using the fingerprint/phone combo for NFC payments, the convenience it offers soon becomes habitual.

So, no passwords, no pain – battery life notwithstanding, of course.

Biometric methods of user verification are, as the science implies, going to get the measure of one’s biology – something that’s unlikely to change, except by accident or deliberate design.

One of the higher profile facial recognition payment implementations has been the MasterCard Identity Check app, better known as “selfie pay”, piloted in Canada and the Netherlands for corporate card holders. Setting up requires you to blink as you prepare to take a selfie. Fingerprint detection is also an option, but as not all phones have these readers and yet every phone these days has a camera, facial recognition to verify payments would seem set to mushroom.

MasterCard relies on Daon’s IdentityX for the biometric functionality – a multimodal identity verification platform that offers mobile devices what the company describes as the “triumvirate of Face, Voice and Touch ID options”.

The MasterCard Identity Check app has other layers of security including encryption and geolocation from the device. Yet for the user, all they’re likely to notice is the swift, password-free effectiveness of selfie pay. It is a biometric application that makes a trade, not only from your credit card, but of your personal appearance in exchange for convenience.

Biometrics gets domestic

At Apple's recent WWDC, senior vice president of software engineering Craig Federighi revealed a new feature in iOS 10 Photos called Advanced Computer Vision that uses deep learning techniques to go beyond face tagging to enable object and scene recognition, performing “11bn computations per photo”. It’s a trick that Netatmo announced with its Presence camera at CES, to identify people, animals and models of cars. It’s a spin-off from its Welcome home security product that also relies on deep learning.

MasterCard uses Daon’s IdentityX – a “triumvirate of Face, Voice and Touch ID options” but you must blink

While iOS 10 will sort out your photos in clusters, Netatmo’s application of computer vision has a biometric twist, as the Welcome camera features a built-in realtime facial recognition algorithm. The company’s founder and chief executive Fred Potter explained for us the task of getting a satisfying facial at home without relying on a massive online image database to deliver the money shot.

“A computer vision algorithm is not a static work," Potter said. "It’s not something you can purchase and then it becomes an asset. It’s a dynamic work because you will use the results of the data of the algorithm that is running on the camera to enhance and fix your algorithm. Currently, we only have 97 per cent of good recognition; we still have three per cent of error. When the user says it’s the wrong recognition, this will help the algorithm to be more efficient. It’s always ongoing work.”

While the likes of Facebook, Picasa and iCloud own servers stuffed full of labelled photos, Netatmo’s approach functions on a local level with its artificial intelligence algorithm having gone through intensive training.

“The technique we are using is called RCNN, recursive convolutional neural networks. We show two pictures and we train the machine to say whether these two pictures are the same person or a different person. To do that you need to train the machine with a very large set of pictures that you know are the same person or are different,” Potter said.

A biometric home system of this kind does at least bypass all the red tape regarding compliance, as all you’re doing here is monitoring rather than interacting with a secure verification service. Typically, Netatmo’s Welcome captures video, and alerts of unknown faces are sent to your phone or desktop. If you want to know how it works in the home, the El Reg review is featured here.


While numerous biometric authentication modalities such as iris, face, fingerprint and vein pattern recognition can simplify payments and border crossings, the user has to engage with the process to enable verification. However, there are other biometric approaches that work in the background to remove authentication barriers.

Heartbeat recognition is touted as one such option that effectively provides continuous authentication so long as the user is wearing something like a wristband. With the Nymi Band, the monitoring is simply an ECG (electrocardiogram) tracking the unique pulsating signature of the individual’s heart. Although it does suggest background authentication, the wristband still needs charging up and, of course, you have to remember to put it on.

Nymi’s Band relies on your heartbeat's distinctive pattern for verification

This particular modality has also raised a few interesting questions: Could a heart-transplant recipient pass as another person? Would someone in the throes of a heart attack be unable to unlock their mobile phone to call for help? Or could the stimulating effects of say, Bolivian marching powder impact on verification acceptance, with the algorithm assuming transactions were being made under stress?

Paying lip service

Voice biometrics can be either active, requiring a pass phrase, or passive, where the technology can analyse your voice as you speak to an agent. The latter approach is called Text Independent Voice Biometrics and all you have to do is talk. It’s this element of background verification that’s becoming increasingly important to banks and vendors - emerging as an attractive improvement in user experience.

Nuance, the company behind the Dragon NaturallySpeaking and Apple’s Siri speech recognition software, also offers voice biometrics and has now clocked up 75 million users and over three billion verifications. Here, the task isn’t to recognise words and transform them into text but to authenticate the speaker from their unique voiceprint.

One customer, Barclays Wealth, uses Nuance voiceprint recognition to forward a customer to an agent. Account queries are then dealt with personally, eliminating not just frustrating obstacles for the customer but, likewise, removing the grind of client interrogation – the worst part of an agent’s job.

There are other benefits too, as Brett Beranek, Nuance senior principal solutions marketing manager for enterprise told us: “Voice biometrics also changes the dynamic of fraud prevention to actual prosecution. A lot of fraud teams spend their time deflecting fraud. They deflect fraud from one channel and the fraud leaks to another.

“With voice biometrics you actually have evidence that you can submit to law enforcement and basically prove in a court of law that it is a very specific individual that perpetrated that fraud or that attempted to perpetrate fraud. It’s not only more secure but allows organisations to do something about the fraud.”

Of course, getting blighted by a sinus-stuffing cold or bout of laryngitis could cause the system to reject the speaker but Beranek reckons if your mother can recognise your voice, then the voice biometrics will too. “We have an algorithm to detect a recording. It’s not foolproof, it doesn’t work one hundred per cent of the time but it works in the high nineties. And so we can prevent most, not all, but most of these social engineering attacks,” he said.

“Our first level of defence is low grade recordings and playback. I record my voice on a mobile, I play it back through a speaker – those are easy to detect because there are huge bands of low frequency audio that are not present to what a human voice would have.”

What he describes as high-definition recording is a different matter though and the focus is on audio signatures that reveal the way the sound has been reproduced.

“It’s not like you look at the audio wave and go: ‘Aha, there’s the difference between a real human voice and playback’. These audio characteristics are really minute. We just took a whole bunch of recordings and a whole bunch of live voices that are being inputted into the system and compared the two. And we had the deep neural network find what the differences are.”

Learning to behave

BehavioSec specialises in Behavioural Biometrics and has 50 million users with another five to 10 million in proof-of-concept trials. The company developed its authentication system for PC users but more recently produced behavioral biometric identification profiling for mobile.

It works by looking at the rhythm and the timings of key commands and how they are entered. All of this checking happens in the background with the user’s behavior learned quickly to create a profile. Numerous metrics are monitored, the most basic being flight (the time taken in between key presses) and press, the time spent on the key itself. How you use the mouse is observed too, such as the speed and arc of travel. Likewise, on a mobile phone’s screen, the pressure and where you press on buttons is monitored, as well as accelerometer and gyroscope metrics.

Johan Dalnert, BehavioSec's chief marketing officer, told us: “It’s all weighted, so they’re not of equal importance. Over time our algorithm will adapt to your behaviour. If your first 99 transfers were sitting down and your hundredth was on the bus, you will probably not get a very good behaviour score because you’re on something that is shaking but the bank wouldn’t necessarily stop that. It’s just an indicator for the bank to look for other anomalies, for other things that look suspicious. So we’re helping the bank focus on where to look and we’re giving them a lot more decision intelligence without disturbing the end user.”

Typing "El Reg" in BehavioSec reveals the timing differences in key press and flight

This decision intelligence lets the bank choose whether to proceed as normal or introduce an additional verification step, all without the user being immediately shut out of the system. By using this near-realtime tool in risk assessment, the bank is free to make up its own rules. It could perhaps decide to rely solely on positive behavioural biometric scores to allow transfers of up to £500 in an effort to deliver a better user experience. It might also choose to lower that threshold in the wee small hours when the user’s biometric scores are looking a little tried and emotional.
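
The press and flight measurements, the weighted score and the bank-side rule described above can be sketched as follows. This is an added example, not BehavioSec's code or anything from the original article; the event format, weights, score cut-off, night-time limit and all sample timings are constructed assumptions.

```javascript
// Added example: keystroke timing features, a per-user profile and a weighted score.
// Weights, thresholds, limits and all sample timings are constructed for illustration.
const MIN_STD = 1;      // ms floor so a very consistent typist never divides by zero
const MAX_SCORE = 2.0;  // assumed cut-off for a "good" behaviour score

// events: [type, key, tMs]. Returns press (key held) and flight (release -> next press).
function extractTimings(events) {
  const held = new Map();
  const strokes = [];
  for (const [type, key, t] of events) {
    if (type === 'down') {
      if (!held.has(key)) held.set(key, t);   // ignore OS auto-repeat keydowns
    } else if (held.has(key)) {
      strokes.push({ down: held.get(key), up: t });
      held.delete(key);
    }
  }
  strokes.sort((a, b) => a.down - b.down);
  const press = strokes.map(s => s.up - s.down);
  // Negative flight is valid: fast typists press the next key before releasing the last.
  const flight = strokes.slice(1).map((s, i) => s.down - strokes[i].up);
  return { press, flight };
}

const features = events => {
  const { press, flight } = extractTimings(events);
  return [...press, ...flight];
};

// Enrolment: per-feature mean and (floored) standard deviation over several samples.
function buildProfile(samples) {
  const n = samples.length;
  const mean = samples[0].map((_, i) => samples.reduce((a, s) => a + s[i], 0) / n);
  const std = mean.map((m, i) =>
    Math.max(MIN_STD, Math.sqrt(samples.reduce((a, s) => a + (s[i] - m) ** 2, 0) / n)));
  return { mean, std };
}

// Weighted mean absolute z-score: 0 means identical to the profile, larger is stranger.
function behaviourScore(profile, vec, weights) {
  if (vec.length !== profile.mean.length) return Infinity; // different text typed
  let num = 0, den = 0;
  vec.forEach((v, i) => {
    num += weights[i] * Math.abs(v - profile.mean[i]) / profile.std[i];
    den += weights[i];
  });
  return num / den;
}

// The score is an indicator, not a verdict: a poor score adds a check, it does not block.
function decide(score, amountGbp, hour) {
  const limit = hour < 6 ? 100 : 500;  // 500 as in the article; night-time 100 is assumed
  return score <= MAX_SCORE && amountGbp <= limit ? 'allow' : 'step-up';
}

// Constructed samples of one user typing "reg" three times, then two login attempts.
const mk = (a, b, c, d, e, f) =>
  [['down', 'r', a], ['up', 'r', b], ['down', 'e', c], ['up', 'e', d], ['down', 'g', e], ['up', 'g', f]];
const profile = buildProfile([mk(0, 90, 150, 230, 300, 400), mk(0, 100, 170, 250, 310, 400),
  mk(0, 95, 160, 245, 310, 405)].map(features));
const WEIGHTS = [1, 1, 1, 2, 2];  // flight weighted above press (assumed weighting)
const owner = behaviourScore(profile, features(mk(0, 93, 158, 240, 305, 398)), WEIGHTS);
const stranger = behaviourScore(profile, features(mk(0, 140, 260, 330, 480, 600)), WEIGHTS);
console.log(owner.toFixed(2), decide(owner, 250, 14), stranger.toFixed(2), decide(stranger, 250, 14));
```

Three enrolment samples keep the example short; with so few, the per-feature spread is narrow and the score is correspondingly sensitive, which is why the floor on the standard deviation matters.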

You can even try this for yourself. BehavioSec has its own Keystroke Timing Tool. It’s a Javascript simulation but it gives an immediate insight on how the company monitors behavioural biometrics and harvests profile data.

With biometrics from voice, behaviour and even heart monitoring set to put verification into the background, it looks likely that we’ll regard fingerprint or facial recognition to be as irritating as two-factor password authentication is now. Perhaps inevitably, systems that know us, inside and out, will become the norm and “anonymity” will be just a word in the dictionary. ®
