Wednesday, January 18, 2006

Biometrics on game controllers?

Joystiq poses a question about the use of biometrics in Xbox 360 controller to verify an Xbox Live user's identity or as an aid to parental controls:
Why? Because there are very frequent scenarios (especially when playing PGR3!) that require users to sign in, sign out, and sign in again. Because parents can't remember the passwords required to lock their kids out of certain content, but never forget their fingerprints. Because it'd be awesome (and a bit scary) to have your friend's console pull up your gamer profile instantly at the simple swipe of a finger. Because it's unsafe to enter your passwords into an Xbox 360 in a room full of people who you may not trust with the password to your Hotmail account. Because of the cool factor. Because anything that helps us avoid that godawful texting interface is a blessing. Because I'd like to make sure that my actual presence is verified prior to every purchase that rings up a charge on my credit card. Period.
These could be very useful applications for biometrics on the Xbox 360. While it may seem like a great feature, I don't think that it is a good idea. It may be handy as a way for parents to forgo the use of passwords at the home console, making it work for multiple consoles brings up a couple of issues:
  1. Privacy. There's a big difference between storing your fingerprint on your local console (a 1:1 system) and using it online (1:N). To do that, your prints would have to be stored online and transmitted whenever used. If any part of that process were compromised, the affect would be more dangerous than a lost password. That raises serious privacy concerns.
  2. Feasibility. I don't know much about the technical details, but I don't think that those biometric readers are all that accurate. 1:1 systems are "fuzzy." That is, they store the minimum amount of data points about a fingerprint to make a match. Since they only have a small set of prints to work with, that isn't a big deal much. In large scale systems (say 1:250000), the amount of points to match are much, much higher to avoid false matches. That would take extra horsepower. I don't know how much, but it may make the system less feasible from a technical perspective.
  3. Accuracy. An Avaya study on a 1:100 scale system found a false match rate (FMR) of 0.02% when requiring a single swipe of the user's digit. If that rate held up in a 1:250000 user scenario, that's 5000 false matches. That doesn't inspire confidence.
While it may look like a good idea on the surface, I don't think that it would (or should) work out in practice. I know I wouldn't want to send my fingerprints to anyone, let alone Microsoft.

As always, thanks for the consistently smart and stimulating content, Vladimir and company! I always look to Joystiq for the latest news and opinions that rise above regurgitated press release fare.



Blogger Blo said...

I was having a discussion about this issue over lunch. We brought up the idea of using a secondary attribute to corroborate the biometric scan, but I just now thought about using the scan in reverse.

By using the (optional) biometric as a checksum or ID confirmation, that reduces the need for high accuracy. Also, it allows the use of it to be an option for those people that would like the peace of mind that their transaction and such are going through a second level of ID check. The system being accessed (Xbox Live, Amazon, etc...) would need to support this, but it wouldn't be an intrinsic function of the system itself.

I write "Check ID" on the back of my credit cards. It doesn't _always_ work as some clerks just don't care enough, but when it happens, I'm appreciative. It matters to me that someone (or some system) would be willing to take the time and effort to help ensure my financial/identity safert.

That's my opinion and I'm sticking to it.

Wed Jan 18, 02:39:00 PM PST  
Blogger brad77 said...

That could come in handy as a secondary form of ID verification, but I don't see how that would remove the necessity for high accuracy. Why use such a system if you couldn't count on it to work?

Of course, it would offer a lot more protection than say, your mother's maiden name.

Wed Jan 18, 04:38:00 PM PST  

Post a Comment

<< Home