Human Ear Could Be Next Biometric System
narramissic writes "A team of researchers at the University of Southampton, UK, has received funding from the UK's Engineering and Physical Sciences Research Council to learn whether otoacoustic emissions (OAE), the ear-generated sounds that emanate from within the spiral-shaped cochlea in the inner ear, can be used as a viable biometric technology like fingerprints and IRIS recognition. According to a report in New Scientist, someday instead of asking for passwords or pin numbers, a call center or bank would simply use a device on their telephone to produce a brief series of clicks in the recipient's ear to confirm the person is who they say they are." Try faking that with gummy bears.
Gummy bear in my ear! (Score:3, Funny)
It won't come out! STICKY!!! Thanks timothy.
Re:Gummy bear in my ear! (Score:5, Informative)
Use a straightened fishhook, the barb will make the gummy bear easy to remove. Just be sure to wait until the gummy bear is warm and soft. And insert the hook very gently. And stick the hook through a cork first, to limit the depth it can penetrate -- measure by sticking the hook into the ear until it hits the gummy bear, then add 1/4 inch (about 1/2 cm). THIS IS VERY IMPORTANT. The length of hook sticking out of the cork should be distance to gummy bear in ear canal + 1/4 inch.
If the hook pulls out of the gummy bear, put a piece of ice in the ear, wait until it melts, then try again.
Or so I've heard (muffled, of course).
Mod parent up! (Score:2)
Re:Mod parent up! (Score:4, Funny)
And the most useful thing I've read on /. in years!
Re: (Score:2)
> And stick the hook through a cork first, to limit the depth it can penetrate -- measure by sticking the hook into the ear until it hits the gummy bear, then add 1/4 inch (about 1/2 cm).
So in order to make a safety device to prevent you from sticking the hook too far in the ear, you need to stick the hook into the ear. Personally, I'd use something else to measure.
Re: (Score:2)
You're wasting your time. The gummy bear protects the ear drum -- as long as you don't push the hook through the gummy bear when measuring, you're not going to damage the important parts of your ear.
Note to self: DO NOT PUSH FISHHOOK THROUGH REMAINING EARDRUM.
Re: (Score:2)
Then take a sibling of the gummy bear in question, and measure its smallest width. That is the amount you should add.
Biometrics are great (Score:5, Insightful)
Re: (Score:2)
I disagree, biometrics are great for both.
They are particularly good when used as an additional, hassle free, authentication factor. ex. Please enter your PIN, now touch the screen here (to verify fingerprint). Or, please tell me your social security number and hold the phone to your ear while we play this tone (to verify ear response). Or, please enter your password, now look into this camera (for retinal scan).
I agree biometrics are also great for identification, particularly with phones + this ear ID
Re: (Score:2)
> I disagree, biometrics are great for both.
Any authenticating factor that cannot be changed in the event it is compromised is _not_ great.
Re: (Score:2)
A fingerprint cannot be compromised. A biometric identifier is not like a password. It is not meant to be secret. Think of your fingerprint as... well... like a public key cryptographic fingerprint really. Your public key fingerprint isn't secret. In fact, you generally want to distribute it as far and wide as possible. What makes it useful is that there is a corresponding private key that only you have that can be matched to said public key. A physical fingerprint is similar, everyone knows your fingerprin
Re: (Score:2)
Well said sir.
I believe a lot of people here are jumping to the conclusion that biometrics sucks because it's not very useful at all for network verification. There are other things that work better there (key tokens).
When you're dealing with a physical device or, as a great example that you used, have a person monitoring the process they are just fine as part of a multifactor authentication.
Re: (Score:2)
> A fingerprint cannot be compromised.
The rest of your reasoning seems to flow from this initial assumption, and it's this assumption that I think is so dangerous about biometrics. (I grant that, if this were true, your reasoning holds)
There are different ways of analyzing your fingerprint and distilling that down to what is essentially a hash that can be compared against. A simple skin pattern shape analysis is the most familiar, but as every spy movie in the last three decades has shown that can be c
Re: (Score:3, Insightful)
Because while most biometrics provide a specific identity with at least some kind of reliability, they do not prove that the person wanting to get authenticated as being that identity actually _is_ that identity.
See, you may be the only person in the world whose ear makes that specific click pattern. But anyone in the world can carry a device that makes that exact click pattern as well.
Same with fingerprints or DNA; it's your DNA, it most often can't be confused with anyone else's DNA, but you leave it every
Re:Biometrics are great (Score:5, Insightful)
> Biometrics are useless as identification since, as we have seen, they are easily spoofed.
You're exactly missing the point - any self-respecting system must expect fraudulent impersonation.
We can all present ourselves to Slashdot as Cmdr Taco, but come password time most of us would be thwarted. If the password went away in favor of a fingerprint (or earprint), as soon as somebody lifts it and posts it, we can all be Cmdr Taco. Until he changes his fingerprints.
But if his fingerprints were just a substitute nickname/login id, even after they are posted online we'd still have to crack the secret to convince the system we're the real enchilada.
Re: (Score:3, Informative)
Meh, that's why biometrics are good for multifactor authentication.
It just makes it that much harder. You have to have a fake eyeball, fake fingerprint, fake testicles and his password.
In most cases, I think they are overly complicated for identification. I'm sure there are some places where they are good though.
Re: (Score:2)
> good for multifactor authentication. It just makes it that much harder.
We call that "security through inconvenience." Using non-secret information as a secret adds hassle, not security.
Re: (Score:2)
Not necessarily. Any "security" can be broken, the more steps (or factors) there are, the more difficult and tedious it is to break.
The nice thing about some biometrics is that for the real user, it's not really inconvenient at all. As I said earlier, some examples would be "Enter your PIN, now touch the screen here", "Tell me your social security number then hold the phone to your ear" or "enter your password, now look into this camera".
All very simple and convenient for the user, I'd even go so far as t
Re: (Score:2)
Let me add with another example:
A common (and very lucrative) ATM scam with older ATMs (that don't include preventative security features and have dumb customers) is to install "skimmers" over top of the ATM card reader that will obtain track data every time a customer uses the ATM. The trick was they would also install a small camera next to the ATM to read the PIN entered.
They would later on just watch the video, make a copy of the card and withdraw a bunch of cash from your account (card writers are in
Re: (Score:2)
Card readers often don't need cameras most of the time, sadly, since your pin is actually on the fucking card (when it shouldn't be, when the banks say it isn't) in many cases.
Finger print readers will be installed over fingerprint readers, cameras will be installed over cameras, and probulators will be installed over probulators.
Authentication MUST be done with secret information.
Any biometric that can be unobtrusively obtained is essentially public information.
Re: (Score:2)
> Card readers often don't need cameras most of the time, sadly, since your pin is actually on the fucking card (when it shouldn't be, when the banks say it isn't) in many cases.
> Finger print readers will be installed over fingerprint readers, cameras will be installed over cameras, and probulators will be installed over probulators.
> Authentication MUST be done with secret information. Any biometric that can be unobtrusively obtained is essentially public information.
I work in an industry where I would know, and you're 100% incorrect in PIN information EVER being stored on the card. It's not even possible since you can change your PIN even after the issue of your card and card readers do NOT write to the card. Compliance with Visa requires that the PIN be encrypted on the pin pad itself, whatever device it's connected to only deals with an encrypted PIN, the bank itself has to receive the encrypted PIN and verify it.
No, it is not public domain after being attained onc
Re: (Score:2)
Here is some more information about PINs and standards:
http://en.wikipedia.org/wiki/PCI_DSS
http://en.wikipedia.org/wiki/PINpad
Re: (Score:2)
Likewise your username is necessary public information, but I doubt most people would prefer a system that takes a secret, checks it against every entry in the passwd DB, and a
Re: (Score:2)
> Traditional keys fall squarely into the non-secret category,
Why is that? Is the cut of my house key publicly available? Do my regular activities leave copies of it around town? Can someone call me on the phone and send a few clicks at my ear and deduce my key's pattern? Seems to me that a traditional key, like a password, is private; a secret that is just as secure as I keep it.
> Secrets aren't the only way to do security.
That's true. You could arm some of your best friends and sit them in fron
Re: (Score:2)
> But if his fingerprints were just a substitute nickname/login id, even after they are posted online we'd still have to crack the secret to convince the system we're the real enchilada.
I'd argue against even that.
1. It creates too much correspondence with the real world.
2. If you use it everywhere, chances are you're lazy and have the same password as well... (Remember why the first worm was so successful? All it did was try PASSWORD=$USERNAME and PASSWORD="password".) So if they crack one of your accounts, they now have a reasonable attack vector everywhere else.
3. If an account with your fingerprint on it gets compromised, what do you do? Cut that finger off and grow a new one? Even so,
Re: (Score:2)
Plus they are getting better. Instead of a place to set a finger, they have them now where it's a bar you run your finger over... it reads it like a mag strip. So no spoof based on previous prints. That was the biggest real world threat to fingerprint... I said biggest, not only.
There is a really simple solution (Score:2)
Just embed a RFID chip under the skin.
Re: (Score:2)
You haven't seen the "Charlie Jade" series, have you?
Re: (Score:2)
My religious childhood in the early 1980s taught me that having a chip buried under my skin is really the mark of the beast.
ear wax (Score:4, Funny)
me + ear wax == suspected terrorist?
cochlear implants (Score:2)
Cochlear implants are subversive tools for the anarchist identity.
Re: (Score:2)
Cochlear implants are perceived by some elements of the deaf community as a sinister means of destroying their culture.
Re: (Score:2)
> Cochlear implants are perceived by some elements of the deaf community as a sinister means of destroying their culture.
Aren't they also lobbying for the blind to kill their dogs?
(although I too have heard of this from multiple sources)
Re: (Score:2)
It gets better - the cochlea changes with time and exposure to loud sounds, ask any musician over 60. You + rock concert == not you anymore. There's temporary damage that heals, and long-term damage that doesn't. The cochlea can be damaged even without noticeable hearing loss. The brain constantly adapts to match the OAE's with the listener's preconceptions of the environment. You don't hear sound, your brain makes it up based on stimulus from the cochlea.
Still, there may be enough to go on from the lo
Re: (Score:2)
> me + ear wax == suspected terrorist?
No, it's another way of banning rock music. Loud music damages the cochlea and interferes with TEOAE's.
Musician == terrorist!
I'm waiting for my wife to spew coffee out of her nose when I tell her about this. She's a doctoral audiologist. :-).
Re: (Score:2)
You're right, no faking with gummy bears - duplicating the ear-generated sounds will require slightly more sophisticated tape recorder technology...
And I'd like to know where they get their super hi-fi phones. It's regularly hard enough to hear people on cell phones, never mind the echo from their inner ears...
I can't wait for the medical applications for remote echography ("Did you put the gel on? Good, now press your phone firmly just above the navel" "Oooh, it's a boy! I'm mailing you the pictures").
FFS. (Score:5, Insightful)
We are poised to make the same idiotic "Hey guys! Let's use biometrics for authentication!" mistake that we've made all the other times.
So, you can test the structure of somebody's ear by clicking at it and recording the result. Does this mean that you can infer the structure of someone's ear just by clicking at them and recording the result, thus allowing you to, with a dash of DSP, fake their ear structure on future tests? I'd want to be Very sure that that wasn't possible. A system where you can get somebody's Super Secret Biometric Secure Security ID just by calling them up and making funny noises would be even worse than the issues with fingerprints as authentication methods.
Re: (Score:3, Insightful)
Even if you can't infer it... I could call the bank, while at the same time calling you. If I relay their beeps and resulting sounds fast enough it might just work.
Re: (Score:2)
Actually, they must be using relatively simple impulse response sampling, the same thing used to record impulse responses of acoustic spaces for use in convolution reverb units/plug-ins. Those can be very easily recorded and reproduced. Having something that fits in your ear and can't be visually detected that can fool an in-ear detector would be very difficult. If it was worth going deaf to have a surgically implanted fake OAE response, maybe.
But as I mentioned above, OAE's change. This process could on
Re: (Score:2)
Ah, it's OK, some places will put this in to make people feel important. You can con your PHB into having his Colonic Map tested "for security" heh, heh. Anybody else with a clue will stick with tried and tested methods.
Reminds me of my bank's shithouse new "TWO FACTOR!!" authentication scheme. They take something you know (password) and something everyone has (a code, SMS'd to your mobile phone). I mean for fuck's sake - it's pretty much the equivalent of them taking out a full page ad in the paper. "Dear Phx
Re: (Score:2)
> They take something you know (password) and something everyone has (a code, SMS'd to your mobile phone).
Um, they don't SMS the same code to everyone, you know?
Commonwealth Bank does something similar. They have your mobile number, and when you want to do key actions on NetBank they generate a random number and send it to you via SMS, then you have to enter it into the web site within a couple of minutes. It just means that even if someone gets hold of your online banking user/pass, they also have to physically steal your phone in order to clean you out. It's not infallible but it's definitely better th
Re: (Score:2)
SMS goes over the GSM control channel as plaintext. Hence the "everyone" has part.
Re: (Score:2)
I know a few hearing aid users. I have been told by at least one that hearing aids tend to become loose over time as the ear stretches. I don't know how it would affect the acoustical properties of the ear.
Re: (Score:2)
I always knew that a silent night sounded like a non-stop symphony of cicadas, but I thought everyone heard that.
They don't?
Seriously, when I was about 2 I told my mum that that noise was "the stars twinkling". She thought I meant crickets, but this noise is different, similar to the high pitched noise you sometimes get out of CRTs, but less constant.
Interestingly, the only time I remember it ever stopping completely was once during a power failure. It's not too irritating but it's definitely there if I focus on it.
PIN numbers, eh? (Score:2)
Re: (Score:2)
The automated ATM machines that use K's KDE desktop environment, you mean?
Reservoir Dogs... (Score:2, Funny)
A series of clicks you say... (Score:4, Funny)
"Hello?"
*click* *clickclickclick* *click* *clickclick* *click*
"What was that Flipper? Timmy's trapped on a raft and floating out to sea?"
"But what's that got to do with my bank balance?"
Re: (Score:3, Funny)
"Hello?"
"There are three flowers in a vase. The third one is green."
Wow, body acronyms (Score:4, Insightful)
What's up with "IRIS" in all CAPS? I see this pretty regularly. But iris isn't an acronym, it's just a part of your body. I guess "IRIS recognition" sounds more James Bond-y than plain old "iris recognition."
Re: (Score:2)
It's just someone trying to relive the glory days of SGI.
Re: (Score:2)
IRIS is an acronym for IRIS Recognition Is Sweet!
Dr Who wouldn't depend on Gummy Bears... (Score:2)
> Try faking that with gummy bears.
Any "Dr Who" fan knows you need to use Jelly Babies.
Re: (Score:2)
The current doctor would use his "psychic paper", which seems to fool most things, even RFID readers...
This should work unless . . . (Score:2)
urine analysis (Score:5, Funny)
Some problems with the NewScientist proposal (Score:2)
First, as some people have already posted, there is the problem of identity theft through recording the signal from the ear.
Second, will there be a sufficiently clear signal? In a typical telephone receiver, the microphone is near the mouth of the speaker, not next to the ear. And telephone S/N ratio is not that great to begin with.
Third, compression algorithms optimized for speech might or might not suppress the signal from the cochlea (think VOIP).
Overall, a typical case of sensationalist journalism that
Re: (Score:2)
"In a typical telephone receiver, the microphone is near the mouth of the speaker, not next to the ear."
The article mentions using a separate high def mic embedded into the speaker of the phone. This means that we will all need new handsets for this to work.
Your point about VOIP is valid, and was my first thought on the matter. A lot of large call centres these days use VOIP trunks between the building and the actual carrier. The quality is normally always extremely poor, and the filtering will almost cert
Re: (Score:2)
Typically these signals are recorded with very fancy and very small microphones that are inserted into the ear canal by a licensed audiologist. But that is for research purposes, and MAYBE it's possible to get something usable for a biometric ID without semi-invasive microphones...
Interestingly OAE is a binaural effect. It comes from the auditory cortex, not the ear, so you can literally put a sound into the right ear and record the emission out the left ear.
OAE is thought to be a reflex response connected
Diablo (Score:3, Funny)
Not boomer-proof (Score:2)
General "Bloodbath" McGrath. (Score:2)
Problem... (Score:2)
The article states that these so-called OAEs can be recognized using hyper-sensitive microphones. This is a bit of a problem since phones tend to have microphones of rather poor quality compared to those required.
Furthermore, since the method requires sensitive microphones, it can't be expected to work at all, since there are a lot of noises around us which can affect the authentication process. Not to mention the signal quality required. I don't see this working over a telephone in a foreseeable future
Condenser microphones are not waterproof either .. (Score:2)
Condenser microphones (which are very sensitive for their purpose) aren't waterproof either; that's why blowing in such microphones could/would alter it useless, or as professional thief-catcher depending on its size...
If they are using it over the phone, they either have to use a custom phone set or be very good with their error correction to work together with all the existing ((low) budget) phone systems over the planet.
Horsehit (Score:2)
"...instead of asking for passwords or pin numbers, a call center or bank would simply use a device on their telephone to produce a brief series of clicks in the recipient's ear to confirm the person is who they say they are."
Complete bollocks. Phones don't have anywhere near the reproduction characteristics for the received click to be near the same as the original. The OAE response depends on the stimulus characteristics.
And they certainly don't have the ability to return the OAE signal as anything remo
Won't work for everybody (Score:2)
Telephone: speaker != mic (Score:2, Interesting)
Surely unless they're loud enough to cause discomfort, the echoes wouldn't travel far enough to be picked up at the phone mic?
I'm deeply offended! (Score:2)
It changes (Score:2)
From the article:
"...changes in the acoustic emission with time are a sure indicator of changes in the physiological status of the peripheral auditory system. This property has been used as a sensitive indicator of changes caused by noise or therapy on a patient's ear."
So this method is sensitive to normal physiological changes within the inner ear. If I just came from a concert, can I still check my bank balance by phone? What if I spent a week at the lake? What if some lint from my pocket has found its
No! (Score:2)
We must fight this tyranny!
The ear grows your entire life (Score:3, Insightful)
Wouldn't that change the sound?
Re: (Score:2)
and won't ear hair muffle it?
This is a plao (Score:2)
by the Ear Seekers. I knew this day would come... sure, press your ear to the device, then nom nom, no more brain.
Rectal ID is Next (Score:2)
Seriously, all our orifices are unique. Why not rectal probes?
Great (Score:2)
So, now, instead of just chopping off your finger, they'll cut off your head.
Or remove the inner ear, which is probably going to be much more messy, and just as fatal.
Just great.
Ear wax (Score:2)
'nuff said.
Wait A Minute..... (Score:2)
Otoacoustic Emissions (Score:2)
The clicks are NOT for measuring the shape of the ear canal. The human ear has an active feedback mechanism both to improve dynamic range and to aid in frequency discrimination.
When we hear something, the physical shape of the cochlea performs the analog equivalent of a Fourier transform along its length. The position of a hair cell along the cochlea determines which frequency it is responsible for sensing. Then, to better discriminate between neighboring frequencies, the ear generates counter tones out of
Re:why do we want this? (Score:4, Informative)
It does seem an odd one.
There is a unit at Southampton ECS that investigates a lot of these things. When I was there they were interested in gait recognition, though from the people linked from the page there it seems like this is more in the realm of the electronics side than the computer vision side.
Even TFS gives a use for it - verify that the person on the other end of the phone is who they say they are. Though I'd be surprised if standard phones would give enough resolution to be able to accurately gauge the biometric. If it even is a useful or reliable biometric.
Re:why do we want this? (Score:5, Funny)
> When I was there they were interested in gait recognition,
"Ah, Mr. John Cleese! Our system has recognized your Silly Walk. Your transaction may proceed."
Re: (Score:2)
> verify that the person on the other end of the phone is who they say they are.
Of course, like all other biometrics it's worthless for that, as there's nothing preventing someone else from presenting a device that would emulate the same biometric. Biometrics are inherently not secret and thus cannot be used to authenticate an identity.
This one at least gets spread a bit less than DNA or fingerprints; you don't leave it on anything you touch, but if it's really so easily measured that you could use a phone fo
Re: (Score:2)
> Still, I'm sure the biometrics crowd are just working their way up to suggesting colonic maps.
Well, at least that one isn't publicly accessible (at least not for most people).
Re: (Score:2)
I didn't RTFA, but I suspect this method requires the head to be alive. Now, if you can detach a head without killing the person you may get a pass on the murder charge and instead get a Nobel prize, but don't come crying to me when it doesn't pan out and you wind up in jail.
Re: (Score:2)
That's the reason some companies are looking at vascular scans as the biometric of choice. No blood flow = no valid reading. Then again, you could rig up a box that would pump warm blood through the severed hand, but a system like that would look kind of suspicious when you took it out of your backpack at the checkpoint.
Re: (Score:3, Interesting)
...or notice that one of the guy's arms is substantially longer than the other.
I think that this is where a lot of the potential exploits fall down. Spy movies always show someone using a severed finger or plucked eyeball getting into a secure area that is never manned by an actual guard.
At the port where I work, the perimeter gates are
Re: (Score:2)
I'm glad someone finally realized that "requiring passwords to be changed" is for retarded users. Nothing pisses me off more than to have to change my highly secure password because of some asinine policy.
Re: (Score:2)
> If people can't be bothered to remember passwords, that's their problem.
> If people choose shitty passwords, that's their problem.
> If people get their shit snooped sniffed or keylogged, that's their problem.
Nope, it's everyone's problem. Banks lost a lot of cash because of fraud (I mean the kind perpetrated by individuals to banks, not banks to everyone else) - it gets passed on to every customer.
I can't see how most of the rest of the post relates to the type of telephony scenario you begin talking about, but perhaps that explains the flamebait mod.
Re: (Score:2)
No, it's the problem of the person and the bank.
If some schlub loses his ATM card he's required to report it in order to not be responsible for fraudulent charges. Banks are insured, and any sizable theft is pursued.
I have free checking, free savings, credit cards with no fees that I have never and will never pay interest on, and CDs. Everything is backed by the FDIC. If some retard (let's take Sarah Palin as an example) gets her shit stolen, I don't lose a dime. The only fucking way it could affect me i
why software if you can do this directly? (Score:2)
Sound is nothing more than waves, you could catch them in any "box" and capture the echo of it.
Some studios use their hallway as natural reverb for example, you could use a (modelable) box which would reflect the soundwaves to the sensor.
Since this system would be used by telephone, error correction needs to be built in too, every telephone has different frequencies and microphones, making the system prone to authentication spoofs. A telephone conversation/authentication over 4kHz would be for sure needing l