Theft-proof biometrics

At last, there is a biometric authentication technique that cannot be stolen. Or, well, it can, but at least it won't work any longer.

Drs. Philip M. Rodwell and Steven M. Furnell recently published "A non-intrusive biometric authentication mechanism utilising physiological characteristics of the human head" in Computers and Security (vol. 26, pp. 468-478). The technique, drawn from Dr. Rodwell's research, involves measuring the resonance of human speech as modulated by the geometry of the head it originates in. In other words, while pure voice recognition involves measuring things like cadence, volume, and pitch; and can be capture by high-definition audio recorders, this technique cannot be as easily captured. It requires measurements of the propagation effects inside the head to be taken at several points during speech. Consequently, if the head is separated from its owner, no further propagation would take place. Thus, the actual biometric authenticator is considerably harder to steal.

Of course, any authenticator can be captured and replayed. The measurements, in fact, are simply taken by two microphones. Simply placing two microphones in the required position and waiting for the victim to start blabbing may actually be enough. As the implementation is designed to be used in a mobile phone (indeed, Dr. Rodwell is sponsored by British mobile telephony provider Orange) such measurements cannot be terribly difficult to obtain. Presumably, the good doctor's have thought of ways to mitigate that attack as well.

Whatever you think of this technique, I am highly encouraged about the fact that people are thinking differently about security and trying to come up with novel concepts to help us be secure.

Published Mon, Feb 4 2008 10:56 AM by jesper
Filed under: ,

Comments

# HiltonT said on 06 February, 2008 04:22 PM

Hi Jesper,

What if Mr Bill Greatguy who is the CEO for Rich and Powerful Enterprises, LLC has an evil identical twin brother that was separated from him at birth, and an attacker finds out this information and approaches him.

So, then Mr Steve Nastyguy would have so similar a head and voice that he'd be easily able to walk up to this authentication device, claim to be his good twin brother, and the system would welcome him with open, yet metallic arms.

The only truly successful biometric authentication would be to have a person placed wholly in a machine that vaporised them and measured their entire makeup - lunch, genetic codes, hair dye and everything.  The problem is that once this information has been entered into the computer, it is rather unlikely that they would ever need to gain access to the facility protected by such a security system.  :)

# jesper said on 06 February, 2008 04:59 PM

Hilton, you are enumerating all the reasons I do not believe in biometrics!

# Alun Jones said on 06 February, 2008 08:03 PM

You also have to wonder if such a scheme correctly identifies the user when the person is stressed, or has a cold, bad sinuses, dental work, etc.

Of course, the other problem with biometrics is that whatever measurement you take, there are people who cannot provide it. Iris patterns are unavailable if you have aniridia; carpenters and cabinet makers often have no fingerprints; people with no vocal cords can't demonstrate their head's resonance, except by smacking themselves repeatedly. I can't see that becoming terribly popular.