How do you know that the person with whom you are interacting is who he or she says they are? The reason I got to thinking about this came about through a rather strange route.
As you probably know, I’m originally from England but I currently hang my hat in Huntsville, Alabama. I moved here for the nightlife (that’s a little Alabama joke right there). One of the funny things about living in the USA is how some of the television programs that Americans would swear were homegrown actually originated in the UK. Take the USA’s Three’s Company, which first aired in 1977, for example. This was based on the UK’s Man About the House, which was originally released in 1973. Similarly, the USA’s Sanford and Son, which first ran in 1972, was based on the UK’s Steptoe and Son, which first saw the light of day in 1962.
Having cast aspersions about Americans, I should note that my wife (Gina the Gorgeous) — who is, in fact, a New Worlder herself — and your humble narrator were recently caught out this way ourselves. We’ve been very much enjoying the first season of the Ghosts sitcom, which premiered on American TV in October 2021. I was completely taken off-guard to discover that this was, in fact, adapted from a British series of the same name that was first broadcast in 2019. The good news is that there have been three series of the British production (and a Christmas special) thus far, with a fourth series already commissioned (filming is poised to commence as I pen these words), so Gina and I have been happily binge-watching the UK offering on HBO Max for the past couple of days.
One of the characters in the UK series is a Catholic Tudor nobleman called Humphrey Bone, who essentially managed to behead himself (you had to be there). For reasons that are too convoluted to go into now (but that involved a French woman and group of plotters, who we thought were also French, but who turned out to be English), this is when I started to ponder the question of how you know with whom you are interacting.
It would be great if our wonderful world were populated only by nice people who wouldn’t go where they weren’t invited and who wouldn’t take anything to which they weren’t entitled. Unfortunately, the world in which we live has a lot of the other sort of people. The news is rife with stories of things like data breaches and identity theft. As a result, two of the things we need the most of are access control (to prevent people from going where they shouldn’t), and authentication (to grant access to data and systems only to those deserving and/or entitled to such access).
One approach involves the use of passwords. An exchange from yesteryear with respect to access control might have gone something along the lines of the following:
Guard: Who goes there?
Guard: What’s the password?
Guard: Slip in!
The problem is that it’s easy to forget this sort of password. It’s also easy for someone else to overhear it. And it’s a pain in the nether regions if everyone has to learn a new password every day.
When it comes to authentication, it’s not so long ago that simple passwords like “guest” were all the rage. These days, by comparison, you need to have a mix of at least 15 uppercase and lowercase letters, numbers, and special symbols. I have so many of these passwords that it makes my head spin.
As one solution to the pervasive password problem, there’s an increasing drive towards the use of biometrics, which are body measurements and calculations related to human characteristics. Biometric authentication (or realistic authentication) is used in computer science as a form of identification and access control. According to Grand View Research, the biometrics technology market will be worth approximately $60 billion by 2025, which is only three years away at the time of this writing.
So, what sort of biometrics are we talking about, and what are the fundamental flaws with existing approaches? Well, I can’t tell you how glad I am that you asked this question. You are worth every penny that I’m not paying you. A short list is as follows:
Fingerprint Recognition: This is great for identification, like when a criminal touches something while executing a crime, but it isn’t as good for authentication. For example, fingerprint scans don’t work too well in dirty environments or when the finger in question is wet, oily, or sweaty (like after an intensive workout, which — it should be noted — is rarely a problem in my case). In addition to the fact that your favorite finger might find itself pressing a spot where thousands of unsavory digits have pressed before, there’s also the problem that when you use a fingerprint scanner you leave a trace that the person behind you — if of a nefarious nature — can lift off and use later for perverse purposes.
Retina Recognition: Like fingerprints, the retinas at the back of our eyeballs are unique for each person (and each eye). Unlike fingerprints, retinas cannot be copied, although I did once see a science fiction movie in which… but mayhap we shouldn’t meander there. Despite what some people will tell you while trying to spread FUD (fear, uncertainty, and doubt), these scanners employ low-level beams of light that pose no threat to the eye. On the other hand, the fact that you might have to lean over and keep your eye close to the scanner for 30 seconds may make your back ache. Also, this 30 seconds per person drastically limits the number of people that can be processed over a given period of time.
Voice Recognition: This looks good on films, but its efficacy has been dramatically degraded by awesome advances in artificial intelligence (AI) and machine learning (ML), which allow human voices to be analyzed and subsequently imitated using software. Take Lyrebird AI, for example. This little scamp can listen to a person speaking (or a recording of that person speaking) for a minute or so and extract a “digital signature.” Using an enhanced text-to-speech capability, it can then say whatever you want it to say while sounding like the person you wish it to imitate.
Facial Recognition: In some cases, this works well, although it can be spoofed by identical twins. It’s also possible for selected facial features to be duplicated in such a way as to fool many of today’s AI systems. In the case of access control, there’s also the fact that women in some Islamic traditions (and one small sect of approximately 600 practitioners in the Jewish tradition) wear burqas or burkas, which makes facial identification a bit of a nonstarter in their case.
All of which brings us to the guys and gals at a company called nVIAsoft, whose name is derived as follows: ‘n’ for infinite, ‘V’ for verification, ‘I’ for identification, ‘A’ for authentication, and “soft” for software. (If the truth be told, as of course it should be, the “soft” portion of this moniker is a bit of a red herring — a hareng rouge, if you will — because the nVIAsoft solution involves a mix of both hardware and software.)
The chaps and chapesses at nVIAsoft have developed a contactless hand biometric scanner technology called verihand that can be deployed and employed for both access control and authentication.
Using verihand for access control (Image source: nVIAsoft)
In this case, the hand can be held as far away as 5 to 6 inches from the scanner, which uses a custom-developed sensor to look subdermally (beneath the skin) and observe the veins and other aspects of the whole hand; that is, the fingers and the palm. By comparison, in the case of authentication, the hand can hover over a mouse-size sensor connected to a computer’s USB port or embedded in a system like an ATM or a voting machine, for example.
The results from the scan, which takes only a couple of seconds, are converted into a digital signature that can be compared to existing signatures on file. Like fingerprints, these signatures are unique. Unlike fingerprint scanners, this contactless hand approach leaves no trace that can be copied. Furthermore, the contactless approach is also an advantage in these days of the coronavirus pandemic and whatever I fear may follow it in the future.
This access control aspect of the technology will be of interest for a wide variety of use cases, from health care facilities to factories to critical infrastructure establishments, as well as transportation environments like the security areas at airports and the turnstiles at train stations. Other use cases include ATMs, access to private lockers, and even payroll time trackers (just present your palm instead of punching a card).
Similarly, the authentication aspects of this technology also support a wide variety of use cases, including digital vaccine IDs, voter IDs, and national IDs, acting as a backup to things like driver’s licenses and passports, and ensuring that only authorized personnel get to see your tax and medical records, for example.
Eeek — I almost forgot to say that nVIAsoft’s verihand technology can be deployed on-prem or in the cloud. An example of an on-prem deployment might be in the case of a home access system in which the user trains the system to recognize the palm biometrics associated with any family members, and all future access control activities (i.e., comparing new scans against existing ones) are performed locally. By comparison, in the case of airport security and passport control, for example, any digitized palm scans will be compared to other scans residing in the cloud. Using nVIAsoft’s technology, these cloud-based scans are stored in a blockchain, which — by its very nature — cannot be hacked or changed.
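An added illustration, not nVIAsoft's code or anything from the original column: the column does not say how verihand signatures are compared, so this sketch assumes a fixed-length bit template matched by Hamming distance against a threshold. It shows why a fresh scan is accepted on similarity rather than exact equality, both against one claimed identity and against everyone on file. The template size, threshold, and names are constructed.

```python
import random

TEMPLATE_BITS = 256      # assumed template size; the column gives none
MATCH_THRESHOLD = 0.25   # assumed maximum fraction of differing bits for a match


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of bit positions in which two templates differ."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def rescan(template: int, flipped_bits: int, rng: random.Random) -> int:
    """Simulate a new capture of the same hand: the template with a few noisy bits."""
    for pos in rng.sample(range(TEMPLATE_BITS), flipped_bits):
        template ^= 1 << pos
    return template


def verify(probe: int, enrolled: int) -> bool:
    """1:1 check of a probe against the template of the claimed identity."""
    return hamming_fraction(probe, enrolled) <= MATCH_THRESHOLD


def identify(probe: int, gallery: dict):
    """1:N search: closest enrolled identity, or None if nobody is within threshold."""
    name, dist = min(
        ((n, hamming_fraction(probe, t)) for n, t in gallery.items()),
        key=lambda pair: pair[1],
    )
    return name if dist <= MATCH_THRESHOLD else None


def demo() -> dict:
    rng = random.Random(2022)  # fixed seed so the constructed data is reproducible
    gallery = {n: rng.getrandbits(TEMPLATE_BITS) for n in ("alice", "bob", "carol")}
    alice_again = rescan(gallery["alice"], 20, rng)  # same hand, about 8% noise
    stranger = rng.getrandbits(TEMPLATE_BITS)        # hand that was never enrolled
    return {
        "exact_equal": alice_again == gallery["alice"],
        "verify_alice": verify(alice_again, gallery["alice"]),
        "verify_as_bob": verify(alice_again, gallery["bob"]),
        "identify_alice": identify(alice_again, gallery),
        "identify_stranger": identify(stranger, gallery),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The threshold is the security knob: raising it reduces false rejections of legitimate users but increases the chance that a different hand is accepted.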
The folks at nVIAsoft are still in their startup phase and are looking for investors. At the same time, they are actively targeting “low-hanging fruit” in the form of education, healthcare, and government deployments.
For myself, I can envisage numerous applications for this technology. For example, one of the things I’ve been involved with recently is securing data at rest (DAR), which refers to data that is stored on something like a solid-state drive (SSD) in the form of a self-encrypting drive (SED). As I wrote in an earlier column — Secure Your Data at Rest, Stupid! — “The folks at DIGISTOR offer TAA compliant, NIST Validated, and FIPS-certified SEDs that feature pre-tested and pre-integrated multi-factor authentication (MFA) and pre-boot authentication (PBA).” I can easily see nVIAsoft’s verihand forming a key portion of the MFA used to secure the DAR. How about you? Would you care to share your thoughts on possible uses for this technology?