Bio-PIN: Taking biometric security to the next level

Retina scans. Fingerprint mapping. Facial recognition scans. Increasingly,  biometrics are being adopted as a secure means to grant access to systems, devices or data.

The use of biometric technology isn’t limited to high-ranking individuals or organisations. We’re already seeing it deployed in public places, including office and apartment buildings that require a fingerprint scan to grant access to workers or residents.

Biometrics have several advantages over conventional passwords – security being chief among them. As biometrics are physical or behavioural human characteristics, they’re unique to each individual. So, while you may be able to change your password each week, the same can't be said about your physical appearance or fingerprint. Passwords, obviously, can be stolen or forgotten. 

"The present password-based security system that’s widely used revolves around a set of reworkable key binding and key generation systems called fuzzy commitment, fuzzy vault, and fuzzy extractors. However, a password is reworkable, meaning it can be changed," says Dr Jin Zhe, from Monash University Malaysia’s School of IT.

"This means the confidential details of an individual are under threat in the event the password is forgotten, lost, or stolen. Because it’s revocable, the attacker can obtain multiple templates from the same source. If they [do this], then they can retrieve critical information, and the system is compromised."

More security, compatible with existing systems

Dr Jin has extensive experience in the field of biometric cryptosystems, and is currently involved in the creation of Bio-PIN, a secure set of algorithms that can be incorporated into any biometric cryptosystem. 

Bio-PIN is the result of a collaboration between Monash University Malaysia, the Electronics and Telecommunications Research Institute (ETRI), and Yonsei University in South Korea. 

What makes it unique compared to existing systems is an additional layer of encryption that protects the raw biometric data.

Traditional devices that have biometric inputs, such as smartphones, are merely biometric sensors. What’s stored in the phone is raw biometric data. Similarly, in immigration departments, the biometric features of a person are stored in a centralised database.

"The problem is, if the centralised database is compromised or stolen, this becomes a privacy breach. And this is the reason why we’re encrypting the biometric data in a protected form. It means, even in the event the biometric database is stolen or compromised, everything that the attacker gets is encrypted, or what we call transformed data," says Dr Jin.

What makes it unique compared to existing systems is an additional layer of encryption that protects the raw biometric data.

Bio-PIN is a standalone algorithm that can be incorporated into the various biometrics systems already in use. 

"Biometric is very commonplace, and a lot of companies have their technology to capture the biometric data. What we do is, we incorporate our algorithm to their biometric templates.”

Dr Jin began his research on cancellable biometrics, before working with his students on developing key-binding schemes to combine the former and the latter.

He’s now awaiting feedback from ETRI to see if additional developments are required for the algorithm.

An algorithm to rule them all

The key terminologies at the heart of any biometric system are one-to-many and one-to-one matching schemes. 

The authentication process of a one-to-one scheme typically involves a single process of authorisation before the key is unlocked. An example would be a system that prompts us to present an identification card with an embedded chip. Once the card is recognised, the user will be prompted to present biometric credentials – a fingerprint, for instance.

With a one-to-many search, however, biometric credentials are all that are required for the verification process to authorise access.

"A one-to-many search means you don't have any identification cards, and you don't have to provide anything else. You only need to present your physical biometric attribute, so it goes straight to the database to search which one is the right person,” Dr Jin says.

"We’re going to embed the Bio-PIN technology into both the one-to-one and one-to-many schemes for identification.“

Dr Jin says biometric cryptosystems will  play an increasing role in the secure identity management industry, particularly among manufacturers and vendors of biometric systems. The benefits will be felt in sectors including healthcare, consumer electronics, cloud services, and a host of other services.