As Governments Adopt Biometrics As National IDs, They May Become Bigger Risk To Personal Cyber Security
Starting January 2017, Singapore’s government will begin collecting iris images from citizens and permanent residents when they register or re-register for a new National Identity Registration Card or passport, according to the Ministry of Home Affairs.
The change was announced as part of amendments to the National Registration Act, which passed in Parliament in November but will go into effect in January. The iris images will be used as a complementary verification method to photographs and fingerprints.
Government Adoption Of Biometrics
Over the past few years, governments around the world have started warming up to the idea of collecting their citizens’ biometric identities. This includes fingerprints, which are already required for passports in many countries, or more recently iris scans, now required in both India and Singapore.
Some governments, such as the U.S. government, have even started collecting some citizens’ biometrics in secret or by requiring the collection of biometric identities when applying to various federal services. So far, governments seem much more interested in using biometrics as identification for citizens than in enabling citizens to authenticate to various services with their fingerprints or iris profiles.
Biometrics: Password Or Username?
Ever since Apple launched its TouchID fingerprint-based authentication system as an alternative to passwords and PINs, there has been a debate about whether fingerprints are even appropriate as password replacements, or whether they are more like usernames.
Governments seem to have made up their minds and are starting to treat biometrics as some sort of permanent, unique usernames that can be collected from all citizens, so they can more easily identify everyone. This could be useful for solving crimes faster or for cutting bureaucracy for various government services, but it can also be argued that it’s an encroachment on citizens’ right to privacy.
In parallel, mobile companies have started implementing biometrics as passwords. Password or password-like systems need to allow users to change their codes in case they are stolen. We’re already seeing what a bad idea password reuse is with every major data breach.
Now imagine that everyone has one or two of these passwords for life, and they can never be changed. This sounds like a terrible idea from a cyber security point of view, yet this seems to be the situation in which we are right now with biometrics.
While we get to use biometric identities as passwords in day-to-day life, governments have begun collecting these biometric profiles in centralized and hackable databases. Keeping everyone’s unique biometric IDs in centralized databases that can be hacked has already proven to be a bad idea, even if biometrics weren’t used to authenticate to mobile payments or other sensitive services. Using these hackable biometric IDs as passwords as well just multiplies the risk and potential damage.
The End Of Biometrics As “Password Replacements”?
If everyone decides that it’s okay for governments to require our biometric profiles because of the benefits that this entails, then we need to at least stop using them as password replacements. This may be easier said than done, because there’s already significant inertia in the technology industry to use fingerprints and other biometrics as password replacements. The banking industry is also now starting to deploy biometrics as authentication mechanisms, although some services will also require PINs or other verification methods.
We now have governments and the tech and banking industries pushing biometrics in two different and incompatible directions that will eventually make our security even worse than it is now with all the password reuse. It’s not clear how this story will end, but chances are governments may be on the right side of history here, as biometrics make more sense as usernames than they do as passwords. Therefore, the technology industry may eventually have to come up with yet another easy-to-use alternative to passwords, as more data breaches of fingerprint and iris scans occur.
-
InvalidError I never considered biometrics as secure beyond user name replacement. Once compromised by whatever means, it cannot be changed. Biometric identification needs to be backed up by something that cannot easily be surrendered against your will to be reasonably secure. Biometrics alone can easily be overcome with force.
-
InvalidError
19073904 said: Chips under the skin.
That isn't any more secure since anyone can do drive-by read-out without your consent.
-
targetdrone All of this is for our own good, citizen (read subject)
That is until someone hacks the database, obtains your biometric data, forges it and then steals your identity for good. Then your status as a person is forever invalidated because unlike a compromised credit card you CANNOT be issued new retinas, fingerprints, or DNA.
-
Woah! Biometrics for username!! Now that's how to do it. I hope this is an option in Windows 10.
-
sosofm After that we will be like cows. Then they will give us a number like in prison, and that's it, your name is insignificant, the important thing will be your number.
And everybody will talk about freedom and democracy. Everybody will be just a number.
-
InvalidError
19083196 said: After that we will be like cows. Then they will give us a number like in prison, and that's it, your name is insignificant, the important thing will be your number.
You already have a social security number used for taxes and most other government-related stuff. Your name is only a secondary identification in your numbered file which makes it easier to find.