IBM 5 in 5: Biometric data will be the key to personal security

Editor's note: This IBM 5 in 5 prediction about biometrics is by IBM Fellow and Speech CTO David Nahamoo.

Everything we do online, or via a computer, requires authenticating who we are – user IDs and passwords are our safeguard. But the security isn’t foolproof. Our IDs and passwords can be stolen and our mobile devices can be lost or stolen.

Over the next five years, your unique biological identity and biometric data – facial definitions, iris scans, voice files, even your DNA – will become the key to safeguarding your personal identity and information and replace the current user ID and password system.

It’s not all about what you know

We know that security improves by combining different biometrics with different methodologies. So, we typically use three ways to authenticate each other:

•    What you have: a badge or ID card
•    What you are: how you look, speak, walk
•    What you know: a secure piece of information or password

Think about what we have to do to authenticate our access for something online: create user IDs and passwords; set up hint questions and site keys for dozens of accounts. Personally, I have a very difficult time remembering more than 50 account log-ins and passwords that I have.

Smart device, smart security

We have been moving from devices like desktops and laptops to smart devices such as mobile phones and tablets – all property that is easily lost, stolen or misplaced. These devices are not yet outfitted with operating systems and security elements that are as strong as those of the immobile devices of the past. Biometric security can shore up those weaknesses.

Biometric data will allow you to walk up to an ATM and access your bank account by simply speaking your name and looking into the camera. Yes, we’ve all seen the thriller sci-fi movies where a person is forced by the villain to scan their eye or finger to unlock a door. But that’s fiction. In reality, ATM cameras using facial and iris recognition may be able to detect stress, pupil dilation, and changes in heart rate and breathing patterns to establish a confidence level that the user is not in danger.

We can take advantage of the advanced technology already built into smart devices, such as microphones, touch screens and high-definition cameras, to fully employ biometric security options. While there is already some adoption of facial and voice recognition, combining these and other biometric data points in the near future can eliminate the hassle of memorizing, storing and securing account IDs and passwords, and at the same time give users greater confidence in their security.


  1. I would never use biometrics as my password as the US is already forcing you to make much of your biometric data public when you enter the US. So essentially they could easily fake your ID using that information (for a voice pattern they would simply have to record some vocal interactions when speaking with the immigration officer at the airport). So why should anyone want to use that as a password for a bank account or the like??

  2. The pattern recognition that a user can perform is greater than that of a device. A device cannot work on instinct or intuition. So at enrolment time enough memes have to be recorded in a hashed way for future handshakes to protect against man-in-the-middle attacks. However...

    # stop now if you don't want to read my ramblings!

    Having said that I would far rather rely on a system of shared secrets/questions and "scoring" between people I spent 8 years at boarding school with than a system that checks recorded information at enrolment time. It could protect against collusion and duress.

    I think there are systems yet to be developed based around social networking which remove the need for enrolment - PERIOD and protect against man-in-the-middle attacks. We live and breathe a networked always-on-world, if the need is important enough, you will do anything to help your friends. (Trust/Identity/Relationships/Redefining MONEY)

    If we create a network that we assume has integrity, then I think it's safe to say it really would be the number of the beast.

    In the short term, I think the institutions and actuaries could do much more to offer the end-users choice for authentication. Some people like passwords, some like passwords they will change every month, some like dongles and 6 digit generators - some don't. Please could we the users have some choice to choose the level of security and risk we would like to have and pay accordingly? Instead of policy being dictated on us? My bank has now issued me one generator for my personal account and one for business, and still not published any information in the event the battery goes flat or the cat eats it. Did someone say - "Just visit my LOCAL branch...."

    "Please Sir - can we have some CHOICE"

  3. As a person with Usher syndrome, I hope retinal identification doesn't become mainstream. Most people's retinas change over time, adding some unreliability to retinal scanning. MD (wet and dry), Stargardts, Usher, RP, detached retinas are all diseases that will serve as a bane to retinal identification. Bear in mind, 1 in 10 people has a retinal disease, add to that the small changes healthy retinas make over time and retinal identification looks like a poor choice of authentication. - dru

  4. I think people need to get up with the times. An iris scan is the way to go. The future is here, people. Stop living in the past.

  5. The future is based on CHOICE & SECURITY... STAY TUNED THE FUTURE IS NEAR...


  7. It might not be within 5 years, but I am sure it needs to come. Where some persons find long passwords easy, they are definitely a challenge on small devices in motion and with "thick fingers" getting old... Or others prefer the sequence of mystery questions where in my case I struggle to find even 2 meaningful questions with a unique and easy to reproduce answer and spelling, especially if you grew up in multiple countries, with multiple languages, and different culture. So in the (near?) future, maybe a combination of finger snipping and phone waving will be included. Going ahead and researching this important area definitely gets my vote, and having done enough research, I am sure it will be easy to still leave people a choice.

  8. Superb thought.. The one which can really come true... beware of Biometric sensors like voice detector or retina identifier as the voice may change as per the climate even hence the people may be into trouble without taking money outside... and even retina may change its size if the user gets with some issue like diabetic or hypertension. - Sreejith Nair

  9. "Walk up to an ATM and access your bank account by simply speaking your name and looking into the camera".
    Are you really advocating biometric authentication without any physical card?
    If the False Accept Rate is not infinitesimally small, then occasionally the ATM is going to grant you access to someone else's bank account. What's the acceptable error rate? One in a million? And given the Sensitivity-Specificity Tradeoff, do you suppose we are prepared to tolerate the correspondingly high False Reject Rate?

    I say this needs a lot more work, even at the concept level. Five years? I think not.
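
The False Accept / False Reject trade-off raised in comment 9, worked through as an added example (not part of the original post or its comments). The Gaussian score model, the names `IMPOSTOR` and `GENUINE`, and the 100,000-account figure are constructed assumptions; the example also goes one step beyond the comment by showing how a per-comparison FAR compounds when no card narrows the search to a single account.

```python
from statistics import NormalDist

# Constructed score model (an assumption, not measured data): a matcher outputs
# a similarity score; impostor and genuine attempts each follow a normal curve.
IMPOSTOR = NormalDist(mu=0.30, sigma=0.10)
GENUINE = NormalDist(mu=0.80, sigma=0.10)

def far(threshold):
    """False Accept Rate: share of impostor attempts scoring at/above threshold."""
    return 1.0 - IMPOSTOR.cdf(threshold)

def frr(threshold):
    """False Reject Rate: share of genuine attempts scoring below threshold."""
    return GENUINE.cdf(threshold)

def threshold_for_far(target_far):
    """Lowest threshold whose FAR does not exceed target_far."""
    return IMPOSTOR.inv_cdf(1.0 - target_far)

def cardless_false_accept(per_comparison_far, enrolled_accounts):
    """With no card, the sample is compared against every enrolled account
    (1:N search), so the chance of matching someone else's account compounds."""
    return 1.0 - (1.0 - per_comparison_far) ** enrolled_accounts

def report(targets=(1e-2, 1e-4, 1e-6), accounts=100_000):
    """One row per FAR target: (target, threshold, FRR, 1:N false-accept chance)."""
    rows = []
    for target in targets:
        t = threshold_for_far(target)
        rows.append((target, round(t, 3), frr(t),
                     cardless_false_accept(target, accounts)))
    return rows

if __name__ == "__main__":
    for target, t, reject, cardless in report():
        print(f"FAR {target:.0e}  threshold {t:.3f}  FRR {reject:.2%}  "
              f"1:N false accept over 100,000 accounts {cardless:.2%}")
```

Under this constructed model, tightening the threshold to a one-in-a-million FAR rejects roughly four in ten genuine attempts, and a card-less search over 100,000 accounts still produces a false match on about one attempt in ten.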

  10. There is the risk that the use of biometric information to protect financial assets could result in an upsurge of gruesome crimes where body parts are removed by criminals to enable them to gain unauthorised access to accounts.