Biometrics may not be the perfect solution for security, but they can be useful — as long as they’re robust and well thought out. TouchID is all well and good, but you wouldn’t secure a nuclear site with it. Well, movies aside, you probably should secure a nuclear site with a fingerprint, regardless. But this new system from Swiss researchers is a step in the right direction.
Lambert Sonna Momo headed up a collaboration between his company, Global ID, and the École polytechnique fédérale de Lausanne (EPFL), which combines the former’s biometric tech with the latter’s crypto chops.
On the biometric side is a 3D vein imaging tech Sonna Momo helped put together. “Nowadays you can easily and cheaply create fake fingerprints,” he explained in an EPFL news release. “2D vein recognition technology is already used throughout the world, but the system has its flaws. With 3D analysis, the risk of counterfeits is essentially non-existent.”
Essentially, superficially similar patterns are easily differentiated when you add another dimension to the imaging. The scanner itself is relatively cheap, too — around $300 — and has been tested with a wide variety of people and skin types — it’s a major consideration in biometric optics.
EPFL, for its part, created an equally important aspect of the system: the data handling and encryption. After all, you can’t reset your fingerprint, retina or veins — once they leak, they’re compromised forever. And fundamentally, privacy is important with such things.
So EPFL’s crypto lab put together a homomorphic encryption scheme that allows the scanner and ID system to analyze data without ever decrypting it. That also means data can live on the device and connectivity can be disrupted without disturbing security. A fringe benefit of the scheme is that if the data is stolen or leaked, patterns built into it will point at the device from which it came.
Sonna Momo is hoping the tech will prove useful in hospitals, where positive identification is critical for care, and places where quick but accurate IDs must be established, like banks.
source: techcrunch