Source: Dr Chris Crozier, Cirrus Techvue
Biometric technologies hold out much promise for the identification and verification challenge - but only when applied under appropriate circumstances, says Dr Chris Crozier, director, Cirrus Techvue
One of Rich Tennant’s 5th Wave cartoons has two gamers sitting at a game console, one saying to the other: "There’ll be a short pause while it sequences your DNA to determine your preferences." We shouldn’t laugh, because today’s joke could become tomorrow’s reality.
We have become extraordinarily dependent on telling systems who we are to obtain access to myriad services: logging on to the corporate network, internet banking, ATMs, web sites and so many more. Mostly, that access is granted based on simple password authentication. And increasingly often, criminals are exploiting the inherent weakness of this authentication. The situation will become more serious as digital signatures – now legally binding – become more widely used, because in most cases the digital signature itself will only be protected with a simple password, and once a password is compromised perfect forgeries are possible.
Biometrics, or the use of specific physical characteristics to prove identity, is held out as the solution to the identification and verification challenge. Some of this promise is valid, but there is also much marketing hype obscuring practical problems and touting technologies for inappropriate applications.
Current biometric systems use fingerprint, voice, hand geometry, face recognition, iris scan, retina scan, signature analysis and keystroke cadence.
There are two key characteristics of biometric identification that need to be kept in mind: (1) unlike a password or token, if your biometric authentication is compromised, you can’t change it; and (2) understanding false acceptance rate (FAR) and false rejection rate (FRR) in the context of your application is critical.
The more common and inexpensive technologies are susceptible to compromise: voice (record and playback) and fingerprint (gel impressions have fooled most readers on the market). Keystroke cadence, hand geometry and signature analysis are not as distinctive as fingerprints (i.e. they have a higher FAR). Retina and iris scanning are very accurate, but expensive and intrusive.
The appropriate technology depends strongly on the application, and verification and identification are very different requirements. Verification confirms a claimed identity, and in general is less of a challenge than identification, which is the process of telling who someone is without a priori information. Someone uttering a pass-phrase for a voice recognition system, in the presence of a guard, to prove their identity can provide strong verification, but at an unattended control point it is easily fooled. Similarly, a fingerprint taken under supervision is more reliable than an unsupervised operation, where someone could be presenting a gel or latex impression of a fingerprint.
For verification, if the FAR is 0.1%, the chance of someone wishing to impersonate you being falsely accepted is 1 in 1,000, which in many cases will be acceptable.
Identification on the other hand is far more demanding. Consider the problem of identifying possible terrorists by scanning faces at an airport. If the FAR of the system is 1 in 1,000 (which may sound good), and you scan 10,000 passengers a day, you will have 10 false alarms. If there is only one known terrorist passing through per month, you will have 300 false alarms for one real one, and in all likelihood the system operators will have started ignoring the alarms long before the real one arises – not least because terrorists will have taken the trouble to analyse the system to try to defeat it and push up the FRR.
The most accurate technologies incur a cost in usability and time as well as in money. Retina and iris scans require users to put an eye close to a camera, which some find intimidating and uncomfortable, and which also takes time – hardly practical for screening a jumbo jet full of passengers.
The simplest way to improve accuracy and security is to use more than one factor, combining something you know (password), something you have (token, smart card, etc.) and something you are (biometric). As the cost of biometrics comes down, people are also turning to multi-modal biometrics, for example combining voice recognition with a fingerprint. This brings the FAR down dramatically: if each has an FAR of 0.1%, the combination will have an FAR of 0.0001% (assuming independent characteristics). The FRR, on the other hand, is approximately the sum of the individual FRRs: if both systems had an FRR of 0.1%, the two together will have an FRR of 0.1999%.
The relationship between FAR and FRR varies, but in general, adjusting for a higher FAR decreases FRR, and you can keep the FRR of the combined system no worse than the original systems whilst making the combined FAR vastly better than the individual systems. We know this from our own experience: you may mistake someone for a friend, but realise the error when you hear the voice; or you may think the voice is wrong, but the face, walk and mannerisms will convince you. Perhaps your friend has a cold!
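The trade-off in the two paragraphs above, worked through as an added example that is not part of the original article. It assumes a constructed match-score model (independent, normally distributed scores, both modalities required to accept), and every name in it is illustrative. It reproduces the 0.0001% and 0.1999% figures, then relaxes each threshold until the combined FRR is back at 0.1% and reports the combined FAR that remains.

```python
# Added example: constructed score model, not measurements from any real device.
from math import sqrt
from statistics import NormalDist

# Assumption: each modality emits a match score. Impostor and genuine scores are
# normal with unit spread, separated so that one modality has FAR = FRR = 0.1%
# at its operating threshold, matching the article's figures.
TARGET = 0.001
Z = NormalDist().inv_cdf(1 - TARGET)
IMPOSTOR = NormalDist(0.0, 1.0)
GENUINE = NormalDist(2 * Z, 1.0)


def rates(threshold):
    """Return (FAR, FRR) for one modality that accepts scores >= threshold."""
    far = 1 - IMPOSTOR.cdf(threshold)
    frr = GENUINE.cdf(threshold)
    return far, frr


def and_fusion(threshold):
    """Two independent, identical modalities; both must accept."""
    far, frr = rates(threshold)
    return far * far, 1 - (1 - frr) ** 2


def threshold_for_combined_frr(target_frr):
    """Per-modality threshold that makes the fused FRR equal target_frr."""
    per_modality_frr = 1 - sqrt(1 - target_frr)
    return GENUINE.inv_cdf(per_modality_frr)


def compare():
    t_single = GENUINE.inv_cdf(TARGET)            # one modality at FRR 0.1%
    t_relaxed = threshold_for_combined_frr(TARGET)  # lower bar per modality
    return {
        "single": rates(t_single),
        "fused, same thresholds": and_fusion(t_single),
        "one modality, relaxed": rates(t_relaxed),
        "fused, relaxed thresholds": and_fusion(t_relaxed),
    }


if __name__ == "__main__":
    for name, (far, frr) in compare().items():
        print(f"{name:26s} FAR={far:.6%}  FRR={frr:.4%}")
```

Under this model each relaxed modality is individually weaker than before, yet the fused FAR stays far below the single-modality 0.1% while the fused FRR returns to 0.1%.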
We can be sure that biometrics will become more important as we rely more on remote access and computerised systems, and it will be ever more critical to ensure we apply them correctly.