In this video we're going to look at biometrics. This is a type of authentication that you probably have seen in movies where people have to scan their handprints or speak into something or have their eyes scanned. And until pretty recently, movies were almost the only place you saw biometric authentication. But mobile devices have brought biometrics into the modern space, where now people use them every day to log into their smartphones. The examples that we're going to look at in this video are all based on mobile devices, but in fact biometric authentication can work in any system where you need to uniquely identify a person.

So biometrics deal with using a person's biology to identify them. We look for unique traits that will distinguish one person from another. So, that could include a fingerprint. A scan of their eye. Things like facial recognition or even voice prints. We're going to look at some examples today of how that's actually implemented and how well it works. And how these types of authentication mechanisms affect the usability of logging into a system.

Without biometrics, users log in to their devices either with a PIN, which we've seen, or using a password. This can be frustrating. In fact, it can be so frustrating that sometimes people just turn this kind of authentication off. Biometrics can make it easier, and we are going to look at a few examples of biometrics that are already in place and available on mobile devices.

Let's start with fingerprint recognition, which is something again that we've seen already used, and so we'll just very quickly look at this working again.

Facial recognition scans a person's face and identifies important points that everybody has on their face. That includes things like the corners of the eyes, the tip of the nose, the edges of the mouth and so on.
The distance and proportions between these points are unique between individuals, and so you can use that to identify people by taking a picture of their face and scanning it. Let's look at an example of this in an app that's used on the iPhone where you can use facial recognition to lock away files.

Voice recognition uses patterns that everybody has in their voice. These are things that we can't consciously control. So it's not necessarily just our pronunciation, but it's our tone of voice, the pitch, the timbre and so on. Again, here's another app for the iPhone that uses voice recognition to allow access. One, six, three, seven. Seven, three, six, one.

So, we've seen some of these different ways of biometric authentication. Let's talk about how we analyze the usability of those inputs. So for voice recognition, the person has to speak their password, or like we saw in this case, a series of numbers. That has medium speed because you have to take the time to actually say the phrase. If we look at that example that I did and showed you on my iPhone, it took me a lot longer to say those numbers than it would have to just type something in. However, typing in a long password, for example, might have enough errors or just take long enough to get right on the keyboard, that it would take longer than the voice recognition. So, we're going to say the speed's about medium.

The efficiency's also medium. Here we're looking at the number of errors that a person can make. If you use a very different tone of voice than you normally do, so if you speak high, or if you have a cold, the voice recognition may not actually recognize your voice. And so there is a decent chance for error. This can also happen not because of anything with the user's voice, but if you happen to be authenticating in a noisy room or somewhere where there's a lot going on in the background. Seven, six, three, one.
However, it's quite easy for people to learn to use these systems; in fact, they're generally prompted to do what they have to do. And the memorability is quite easy; you don't really have to remember anything because the system prompts you with what you're supposed to do. The only thing a person might have to remember is a passphrase. That wasn't the case in the app that we looked at, but that could be something that may be a little bit difficult to remember, depending on the user.

Facial recognition also has a medium speed. Takes a little bit of time for the system to actually pull up those points and recognize your face. It has medium efficiency depending on the lighting situation you're in. It's actually possible that the system won't recognize your face. Learnability is easy, all you have to do is put your face in front of the camera. And memorability is also easy.

Fingerprint recognition is quite fast, as we've seen in a few videos showing the fingerprint login for the iPhone. The efficiency's good; it could be that you get in the wrong position and it's difficult for the system to recognize you, but generally, as someone who's used these systems for quite a while, it's unusual that there's an error that keeps me from logging in. Learnability and memorability are both easy. You just stick your thumb or your finger on the pad and that's all you need to remember to do.

But let's talk about analyzing the security of these systems, because that's something that's a little bit more complicated. We need to look at who can access the device. So if we're talking about somebody breaking the biometric authentication on a mobile device, they first have to get access to your phone, and that's actually a big security barrier on its own. On the other hand, if you're talking about using this kind of authentication for remote login to a system, then potentially anyone with internet access can approach the computer or the system and try to authenticate themselves.
So that actually makes a big difference in the security of these authentication mechanisms. This is something that we can see in other arenas too. You probably wouldn't use a four-digit PIN as your online password for your bank, but you would use a four-digit PIN to log in on an ATM because you also have to have the card with you. Similarly, you would use a four-digit PIN on your mobile device because it's something that you keep with you, and it's hard for a random attacker to gain access to it.

We also want to look at how easily they can replicate the biometric input. You certainly see examples where people are able to trick thumbprint recognition systems with something like a 3D printed thumbprint. In some systems, you can even do it with a photocopy of a person's thumbprint. But to do that, they need to get a copy of your thumbprint. That makes it difficult to replicate the biometric input, even though it may be easy to trick the biometric recognition system once you have the thumbprint replicated. Similarly, you may be able to get recordings of a person's voice, photos of their face or pictures of their eyes that you could use to trick a system, but again, getting a person to say the right thing or getting a photo that is the right light or that has enough detail on their eyes is difficult. So replicating biometrics is actually quite hard. And you hear discussions about the security of biometric systems being low, because it's easy to trick the systems once you have the biometrics replicated. But that ignores the fact that it's actually pretty difficult to replicate biometrics.

So to wrap up, we can see that biometrics are easy to use. And they're relatively secure. Especially because they're common on mobile devices. Even though it's possible to break them, it's difficult to replicate biometric information, and often you need to have the device because they're very common on mobile devices.
When you analyze usability, we did a quick high-level look at speed, efficiency, memorability and learnability, but you really need to do comparative usability. How easy are these to use? So you need to look at the usability of these authentication mechanisms, compared to one another, and then think about what kind of security options they offer as well.