Naked Security

Is the US about to get a nationwide, privately owned, biometrics system?

Two US biometric companies have partnered to research a private, nationwide biometrics system.

Two US biometric companies, SureID and Robbie.AI, have partnered to research a private, nationwide biometrics system that could combine fingerprint and facial recognition data.
SureID runs a nationwide fingerprint collection system designed to make identity and background checks less painful. Users go to one of around 800 fingerprint collection stations around the US and scan their digits. A few hours later, SureID will deliver the user’s background check to their employer, landlord or whichever other authority they choose. Robbie.AI sells an AI-powered facial recognition technology.
By combining the two technologies, SureID hopes to create “the United States’ first nationwide biometrics gathering system for broad consumer-focused initiatives”. The idea is to use facial recognition to confirm that the person providing the fingerprints is legitimate.

Is it secure?

The worry with biometric authentication has always been that someone might crack it by replicating a person’s features. In the past, when companies have claimed high levels of security for their biometric systems, hackers have figured out a way past them.
For example, researchers pilfered publicly available photos online, created 3D-animated renditions that could be displayed on a smartphone, and then used them to fool facial recognition systems.

That approach wouldn’t have fooled Apple’s FaceID system. It uses projected dots and infrared imagery to create a point cloud that it translates into depth information. That means that it needs a real 3D face, rather than a 2D image of one, to grant access.
Still, that didn’t stop hackers from cracking FaceID anyway. Just a week after Apple released the device, Vietnamese security company Bkav fooled the system by printing a silicone mask wrapped around a 3D frame and 2D infrared images of a person’s eyes.
The more sophisticated the system, the harder hackers must work to circumvent it. And SureID is extra confident about the security of Robbie.AI’s facial recognition in any case, because it is based on bone structure geometry, it says, adding:

Even weight gain or loss, glasses, and darker rooms do not impact Robbie.AI’s results.

No matter how good the system is that scans your face, there’s always the possibility that a hack might be found in the future that fools the technology. In the meantime, though, there is another worry.

Storing your data

The system that performs the recognition is only one part of the identity management system. The other part has to store that data, and do so securely. While every organization that ever stored any biometric data anywhere will claim that it’s secure, we know that nothing is ever 100% secure, and there’s always the danger that the database itself could be compromised.
This has happened before. One of the most worrying examples came in 2014, when hackers from China compromised the Office of Personnel Management’s computers and stole the fingerprints of 5.6 million people.
Another came more recently in January this year, when one journalist purchased access to India’s Aadhaar national ID database, and another acquired access to an admin account.
Nevertheless, the companies are steaming ahead with their research. They said:

In the future, we hope to use this innovation to respond to customer issues immediately, alert people of fraud in real time, and potentially provide instant authentication to vehicles, IoT devices and smart homes.



I attended a Cyber Crime Symposium last week (Chester was there speaking also!) where a presenter, Christopher Pierson, was the most excited presenter in the world about facial (and full body) recognition. You won’t get on public transportation without getting scanned. It can tell your mood, sleep level, it was insane. He refused to mention any questions about security concerns. It was a bit... horrifying. His big line – do it for the children… I wonder if he means like Google does…


The only thing scarier than a national biometric database that’s run by the government…
is a national biometric database that’s run in deference to a board and investors expecting a profit.


The level of data linking involved is bad enough, but that it’s being held by a private company??? I have no faith in private companies acting in the public interest or in an ethical manner in any way, not with millions of dollars at stake.

