Biometrics accuracy will depend on registration

The key to solving the problem of personal identity theft is not biometrics, but ensuring that the initial registration process for each individual is accurate.

That was the core message from IT security expert Fred Piper, a professor at London's Royal Holloway College, speaking at a packed annual British Computer Society/Institution of Electrical Engineers Turing Lecture in London in late January.

Biometrics does not provide proof of identity, said Piper. "The importance of registration is often overlooked. If you are impersonated at the registration process, there is a problem because all biometrics does is confirm that someone is the person who registered."

He believes that in the debate about ID cards too much reliance is put on biometrics. "The government is premature in announcing biometrics as the answer to ID theft," he said.

Piper pointed out that all biometric techniques have a false acceptance and rejection rate. "The acceptable balance between the two depends on the application," he said, and added that an ID card is one application where total accuracy is required.

"The only proof of who you are is when you are joined by an umbilical cord to your mother," he said. "Once that has been cut, you rely on removable tags and procedures for your identity."

He said the only way of being confident about identity is to take a DNA sample and implant a chip while a child is still connected by the umbilical cord. However, this solution is not practicable because DNA recognition cannot yet be automated.

In his lecture, Piper said companies are beginning to recognise IT security as a business enabler. Users who are having problems selling IT security to the board, he said, should tell bosses that security does not slow down or degrade systems, but enhances them.

Piper is confident that current security algorithms are robust. "Very few attacks break the algorithm," he said. "They exploit the mistakes of the enemy - sometimes people are daft enough to do what you want."

He said that as encryption is now at 1,024 bits or even 2,048 bits, there is a long way to go. It took 300,000 volunteers four years to crack the 64-bit security code by 2002.
