
Let’s Talk Biometrics

More friend than foe?

Like it or hate it, it’s become the new frontier in digital and public safety. The only question is, will you master it?

By Walter Lee

“Open Sesame.”

This is a phrase that has delighted generations of children as they first cheered Ali Baba on in the Arabian Nights, and then in the Disney adaptation of it. We marvelled at how smart (and lucky) he was, and how silly the thieves were to use a password that anyone could have overheard to keep their treasure safe.

But guess what? For the past 30 years, we’ve been in the same boat as the thieves – using pass codes and PINs to secure our bank accounts and confidential information. And ironically enough, some of us even use “OpenSesame” or some variant of it as our safeguard. Not surprising, perhaps, given that around half [1] of us use the same password for all our accounts. Convenient and easy to remember, maybe, but sound? Hardly likely. They can be stolen or speculated upon easily, especially considering that 17% [2] of us have made lucky guesses at one time or another. Not to mention one cyber attack happening every 39 seconds [3], the 4,800 websites that are compromised every month [4], or the majority of passwords used, re-used and re-hashed across multiple sites [5].

Cell-fie time

Clearly, we need a solid alternative. Cue biometrics, the logical next step and new safety frontier. Revolutionising how we protect our identities in the digital world, it doesn’t rely on a PIN or password (what we know) or card (what we have). Instead, it relies solely on who we are, i.e. via face, iris or fingerprint recognition to digitally verify we are whom we claim to be, and not someone masquerading as us. A “cell-fie” (pun totally intended), or a secured biological snapshot of ourselves, that we use to unlock our phones, get past immigration control or withdraw cash in some countries.

Of course, like all else, biometrics are not foolproof. They can be susceptible to presentation attacks (a.k.a. identity spoofing, which is what happens when a cyberattacker uses a photo, mask or video replay to pretend to be someone else). This is where “liveness detection” comes in. As its name suggests, it ensures that the subject behind the camera is a living, breathing person, and not a fake or even a twin. And for greater security, there is multi-modal biometrics, which combines and layers at least two types of technologies (such as face recognition with iris verification) to identify us. Not on a standalone basis, but working in conjunction to protect our digital identities.

That said, unlike what many assume, not all biometric technologies are equal, and not all systems are so well-equipped. Which, perhaps, is why there are controversies surrounding their use, not least of which is the fear of identity theft.

It takes three

There are three parts to a biometric device: the hardware (e.g. face or iris scanner), the software that converts and compares the data (the human eye may be tricked, but not a sophisticated machine learning algorithm, for example) and the database that the software uses in order to work its magic. All three play a role in how robust a system is, and simply having something with “biometric” on it does not mean it’s secure. A flimsy combination lock may do the same job as a high-quality, high-security, long shackle one, but you certainly wouldn’t count on it to repel burglars at home or in the office.

Understandably, it’s harder to gauge the mettle of a biometric system than a padlock’s, but independent verification [e.g. the U.S. National Institute of Standards and Technology (NIST)], accreditation, customer testimonials and the number of active systems go some way towards it. Ultimately, though, the real test is in the use: it needs to accurately, and seamlessly, process thousands of faces almost instantly, in all sorts of scenarios, from busy transport hubs such as airports to skyscrapers to stadiums and concert halls. At the same time, it has to be sophisticated enough to keep increasingly advanced cyber attackers out. Not an easy feat indeed, especially since we would also require it to be frictionless, so that it does not end up being more trouble than it may be worth.

And just as we would not simply bolt the entrance and leave our windows and back door to chance, a biometric system is only as strong as its weakest link. There isn’t such a thing as a perfect algorithm, unfortunately – even the most secure algorithm was written by humans, and anything that is created by one person, can be broken by another.

Back to basics

That’s why securing our identity is still fundamental – on an individual, business and governmental basis. On one level, it’s about giving only the right people the right access to your information. That’s where silos – however much the business world hates this word – come in useful, because it’s very much about keeping things to a need-to-know basis. The classic balancing act, in fact, between respecting individual data privacy, and providing the critical data that’s required.

On another level, it’s also about mindset change. Making sure that whoever has access to the data treats it like the precious treasure it is, and does not lose the entire city’s personal details after a night out on the town [6].