12 June 2012

Biometric phones

Via Tyler Cowen, who comments "I like this one:"
NY Times | 32 innovations that will change your tomorrow

A team of Dutch and Italian researchers has found that the way you move your phone to your ear while answering a call is as distinct as a fingerprint. You take it up at a speed and angle that’s almost impossible for others to replicate. Which makes it a more reliable password than anything you’d come up with yourself. (The most common iPhone password is “1234.”) Down the line, simple movements, like the way you shift in your chair, might also replace passwords on your computer. It could also be the master key to the seven million passwords you set up all over the Internet but keep forgetting.
I don't want to disparage these reserchers; I havent read their papers and I don't have time to soon. But from what I know from hanging around a biometrics lab, this is exactly the sort of thing that works great until it doesn't.

I've heard schemes to unlock computers based on the unique rhythm of people's typing, to enable car ignition based on how people get in, and to unlock doors based on people's walking gates. They all work great in the lab, then you get in the real world and someone can't unlock their laptop because they have a blister on their thumb or a split on their finger, and they can't use their phone because they have a brimming cup of coffee in their dominant hand, and they can't get in their office because they have a heavier-than-usual gym bag over their shoulder. Then people get frustrated because the machine is locking them out, and it's completely opaque about why, so they start thinking about how they're typing or walking or lifting their phone, and then it's even worse because they're doing in consciously not unconsciouly, essentially trying to imitate themselves, and the whole thing spirals into resentful anger.

Maybe this system for phones works great. I'd like to see more things like this, where our computing devices recognize us instead of us actively authenticating ourselves. Beyond the general problem, I see two specifics with this phone scheme.

(1) How do you unlock the phone when you're not answering a call? What if you're answering a text message, or just want to look something up, or initiate a call? Do you have to put the phone up to your ear as if you're answering a call, then put it back down again to look at it? And do people do this the same was as if the call was real?

(2) How will my phone respond when this occurs:
Mrs SB7: Honey, your phone is ringing.
SB7: Who is it?
Mrs SB7: Brian.
SB7: Can you get it; I'm up to my elbows in raw chicken. Just tell him we'll be there at seven.
I suppose you can have a back-up or override password for cases like this, or for when your phone isn't responding because, e.g. you're trying to answer while jogging across a parking lot in rain instead of sitting calmly at your desk. But (a) there's nothing to stop an attacker from using this secondary system to bypass their inability to mimic you biometrics, and (b) if people pick terrible passwords when passwords are the only means of security, won't they choose even worse passwords when they are the secondary, less-used, method?

Again: don't take this as a specific criticism of the unnamed Dutch & Italian researchers. I only make this critique because this is exactly the sort of research that gets put into some mangled and fanciful university press release and unskeptical journalists pass on without really understanding and then never comes to fruition and then subliminally causes people to be disappointed by the progress of technology.


PS I have not kept up with this research in about five years, but last I knew it was believed that the shape of your ear could be used as a unique identifier. If phones have front-facing cameras (and you have a short haircut) that would be an interesting way of unlocking the phone, at least for answering calls.

No comments:

Post a Comment