National ID card and biometrics in banking

Even the most incompetent Governments are aware that a card or fingerprint reader is not the answer to the national security issues.

The mobile is. On every level.

I'm sure the sheer popularity of biometrics gladdens the heart of vendors, but when are we going to get answers to these and other questions? The thread on swiftcommunity that Chris Skinner cites ran dry without a single response to any of my questions. 

There is so much that is litereally unreal about these technologies. I repeat for the umpeenth time, What are they going to do when a biometric gets stolen?

I have seen biometric vendors actually open their presentations with clips from "Diamonds Are Forever", or "Minority Report". These are fiction for heavens sake!  Worse, in "Diamonds ..." James Bond shows how easy it is to steal and replicate someone else's prints! It's surreal.

For the 11 out of 11 bankers who have been won over, I'll show you:

- the failed Australian warehouse fingerprint attendance system

- Heathrow Airport withdrawing their fingerprint system

- the prison where inmates could fake warder's prints

- Tampa Police dropping their face recognition system

- Failure of face recognition at Boston Logan Airport  

Not to mention advice from the UK Government's CESG (the peak information security authority) that to avoid spoofing, biometrics are best used in supervised locations.  Good idea in branches but where does that leave ATMs? 

Cheers,

Stephen Wilson. 

I don't write biometrics off because of their past failures.  I write them off because of the dozen or more really fundamental issues that nobody seems able or willing to answer.

Biometrics really is the Wild West of information security.  There are dozens of vendors and competing technologies, none of them interoperable, many based on research that is barely out of the labs, no standards for testing performance, an endemic reluctance to reveal false detect and false reject rates, usually no mention at all of failure to enroll rates, no answers whatsoever on the show-stopping question of revocation, state of the art liveness detection being debunked on "Mythbusters", and the most flagrant, gimmicky marketing, appealing to science fiction movies as if there were case studies. 

Does anyone even care about these issues?  I'm astonished sometimes that in the banking sector, where security professionals are properly conservative and sensitive to snake oil, respected commentators can exhibit such credulity over biometrics. 

Cheers,

Stephen Bloody Wilson

Lockstep.

I don't really want to get into a rumble but it's all about 'cost effective'.

Biometrics and cards are costly and have very limited effectiveness in a limited range of applications. Just because someone has deployed them doesn't mean they're realistic everywhere, now or in the future. 

The most compelling argument against biometrics is well demonstrated by the failed Chip and PIN fiasco and it applies equally to Biometrics - they won't protect us until every bank, merchant, government and citizen on the planet has their own biometric card and biometric card reader or finger/eye/ear scanner.

Then you have another problem - once everyone magically has one how do you keep the bits in between safe? 

There might be a few roll-outs of biometrics and the U.S. might love their fingerprint scanners at the airports until a disease outbreak, but it's not the most cost-effective solution. There are billions of people and millions of places that haven't ever seen them and even though Mythbusters and James Bond wouldn't be able to easily fake a finger in an advanced system, that isn't what is being deployed. Even the best fingerprint and biometric systems can be fooled if you understand how they work and it is a moot point if the information travels across a network.

The most advanced fingerprint system uses IR to read the pattern of blood vessels under the skin so suposedly it needs a 'live' finger to show warm blood flow and even that could be fooled with a 'finger' made from a piece of plasma TV screen - even if it is slightly more difficult than using a jello baby the Mythbusters could probably pull it off and bear in mind once done - any fingers could be faked.

If you want to go all sci-fi and Mission Possible then how far away are we from being able to steal a few hairs from a brush and grow a cloned thumb in the lab the back of our our pet rat? Quantify that risk. Tomorrow, in 5 years. How long will it take to roll out this biometric solution and what will the biometric bonanza really cost?

Without using this forum to point out the obvious reasons that the mobile solution will win, governments know it provides much better opportunities for public safety and is easier to deploy because their citizens already have one.

No matter how hard the gadget salesmen lobby government, any solution proposed can't really be forced upon people, and especially so if they have to pay billions more for it. With mobile ID - billions already have one, so if mobile ID is introduced what are people going to do, throw them away and say they'd rather pay more to have a card to carry? The government could save enough to afford to give mobiles to the few who don't have them and win some votes rather than lose government (and a lot of money) trying to force an alternative.

Meanwhile it probably helps to have a little think about how many people there are who don't like the idea of biometrics (and how strongly many of them feel) and how it doesn't take too many opponents to make it impractical and very costly. Firstly there'll be opposition, then comes vandalism, how do you deal with that at millions of ATM machines etc? What's easier to maintain - a basic slot which dispenses money or a model with a biometric  fingerprint reader?

What do you do when someone catches a killer flu using the fingerprint scanner at the ATM and there's a panic? Is there a risk that terrorists could use them as a vector for an attack?

What's the fall-back? What's the extra cost for securing them against vandalism as simple as a graffiti attack? 

Cards - well they're just so 1950's that by the time the latest generation of cards is fully deployed there'll be a couple more generations of humans with no desire whatsoever to use them.

Just because some people are doing it and 11 bankers without any expertise about technology have been schmoozed into agreement doesn't mean it'll fly.

Did you ask those bankers how many of them invested in CDO's? Try and sell them some CDO's this week. You may get a similar result with biometrics within a couple of years.

The most foolish thing to do would be to assume that because the credential is 'biometric' it has some magical abilitities to make the whole system safe, and even then it is of no practical use unless every single person carries a reader and turns it into a new security nightmare.

Sure you can trust that 'policeman/repairman' at the door is actually a 'cop/plumber', why he's even got his own reader to check his 'credentials' for me.
Really?
I'll use my own thank you, and even then I'm probably going to ring his boss on a published number (using my mobile) before I'd trust he's really who he says he is.

I don't think the banking industry is really very perceptive about the younger generation. The young do not have the same historical view of banks that the older generation has and will never really adopt the values of the old institutions, which even many of us have seen disappear. You can't keep offering the same old intrusive, unsafe and 1950 style solutions to the next generation of customers unless you don't care whether you're in business in 10 years time.

The whole flawed biometric concept is cringeworthy. The mobile wins every rational and impartial analysis on every level, unless of course you are in the card or biometric business.

It'll take a lobotomy to change my mind or at the very least some blinkers and double-dose of thorazine - or whatever those bankers were taking when they came up with the idea of investing in subprime mortgage backed CDOs.

At least even Stephen Hawking can handle mobile ID and transactions, he'd have a bit of trouble with the 'smart card' or the fingerprint reader.

Get real, it's not Ken and Barbie Land and the 1950's out there. It's the 21st century and there are easier, better, more practical and more inclusive possibilities.

With respect Chris, instead of simply bowing to the inevitable, why can't you answer the questions I've asked over and over on this blog and on swiftcommunity ... 

- what to do about identity theft?

- what are acceptable false accept, false reject and fail to enrol specs?

- what degradation in accuracy is permissable when trying to interoperate between vendors?

- what to do about false detect / false accept tradeoffs when security and customer convenience are at odds?

Cheers,

Stephen Wilson, Lockstep.  

OK, so Chris Skinner has withdrawn.  It's a pity, because he does not appear to have yet engaged with the issues I've been trying to raise in good faith.  For the benefit of others who are still listening, and who care to avoid any false sense of security, his answers do merit follow up ...

Stephen Wilson (SW) - what to do about identity theft?

Chris Skinner (CS) - That's the point of adding biometric, or other identification techniques, to chip & PIN or passwords. 

I think he has missed the point.  The question was, what if someone steals my biometric?  If my password or smartcard is compromised, I get a new one, but with biometrics that isn't possible.  Once someone has created a faithful copy of my fingerprint, how can I be given a new one?  There are said to be interesting novel refreshable biometrics being researched, but nobody should buy security technologies that are fresh out of the lab.  

[Sadly, the usual response to this question is "liveness detection" but that's a flawed answer for two reasons.  Firstly and most obviously, liveness detection is easy to spoof (see Mythbusters).  Less obvious but actually more important is the point that no security system should ever be designed on the basis of some core technology being assumed to be perfect.  A sound end-to-end biometric security system should be designed to cope with the in-principle compromise of the measurement.  Advocates cannot duck this responsibility with a claim that liveness detection makes identity theft impossible.  The "What If" question always remains, and the onus of proof lies with the security provider.]

SW - what are acceptable false accept, false reject and fail to enrol specs?

CS - The minimum possible, as proven by the successful roll-outs, such as the 80% of banks in Japan that use palm and vein biometrics

But how do we know if "minimum possible" is good enough?  Does anyone even know what the error rates and Failure to Enrol rates actually are for the Japanse ATMs?  I don't.  But I do know that these stats are remarkably hard to come by in any biometric installation, and in many government systems are kept secret. This is security 1970s style, not good practice.

In any case, the Japanese ATM experience is not altogether relevant to the UK National ID card that was the subject of this thread.  What actual quantitative False Match and False Reject rates will the government specify?  What actual measured performance limits will bank branch fingerprint detectors be required to operate under?  If the government ID card has a published specification of say 5% False Match Rate, and the bank branch equipment has the same spec, and if there is still a mistake (as there will inevitably be) then who is going to be liable for any bad consequences?  

SW - what degradation in accuracy is permissable when trying to interoperate between vendors?

CS - Why don't you read this and open your eyes.

I have read this press story but it doesn't mention accuracy, so I'm not sure how it's supposed to open my eyes. 

But moreover I've actually studied the standard refered to in the story -- ISO 19092 -- and it doesn't address my concerns.  In fact, it acknowledges them, and raises many more.  For instance, ISO 19092 says:

Assessing error rates for biometric devices is clearly part of the technical testing process. Beyond that, however, there is little agreement. A review of the technical literature on biometric device testing reveals a wide variety of conflicting nomenclature and protocols.

And

[Performance] testing is always performed with voluntary, supervised, and therefore cooperative, users. Volunteers might even be provided an incentive to correctly use the system, thereby lowering false non-match rates. False match rates are determined by the coincidental matching of two individuals' measures. These are called “zero-effort” impostors. The vulnerability of the false match rate to determined impostors and the effect on false non-match rate of uncooperative users is never  measured.

That is, the latest ISO standard for biometrics highlights that testing systemically over-estimates the security of these systems.

It's also telling that in the whole of ISO 19092, as far as I can tell, there is only one instance of a recommended limit for the acceptable performance of biometrics in practice.  It states:

For verification systems, the corresponding false non-match rate of the biometrics shall be consistent with equirements for convenient operations, and shall not exceed [10 to the power of minus 2].

I'll come back to that a little later ...

CS - Customer convenience is improved through speed and ease, and customers prefer this way and beyond over PINs and passwords ( I have too many studies to cite in this area).  And security ... [sic] that's why Japan, Switzerland and others are using biometrics.

I don't think that answer engaged with the real issue. 

Any biometric detector exhibits both false accepts (or matches) and false rejects (or non matches).  False rejects are inconvenient to customers;  false accepts (where the system mistekenly recognises a user) cause security breaches.  Inescapably, the lower the false reject rate, the higher the false accept rate, and vice versa (this niggling little detail often goes unnoticed by lay people who have been led to believe that biometrics just work, like on "Minority Report"). In any biometric system the trick is to strike the right balance -- you cannot arbitrarily increase "speed and ease" and "security" at the same time. 

As mentioned, ISO 19092 recommends a false non match rate in "verification systems" (that would include ATMs) of no worse than 1 in a 100.  Now, if you can find Detection Error Tradeoff curves (they are surprisingly hard to come by, assuming nobody has anything to hide) then you can look up the False Match Rate that corresponds to the 1% False Non Match benchmark.  Testing by the UK Government CESG has showed the following:

• Hand print ..............................  2%
• Face (Method 1) ......................  6% 
• Face (Method 2) ..................... 30% (yup, 1 in 3 false detect)
• Fingerprint (Methods 1, 2 & 3) ... Not Applicable.

For the three different fingerprint methods examined, none of them could achieve a False Reject Rate as low as 1% and therefore there are no corresponding False Detect statistics.  And as stressed by standard ISO 19092 itself, these test results reflect accidental "zero effort" False Matches; they do not reflect the security performance under concerted attack. 

Going back to the questions at the start of this thread, my specific concern in the cross-over of national ID and banking relates to policy.  In a closed system, a bank can make its own decisions about security versus convenience.  But in an open system, where the government issues ID cards for national security, and expects banks to use them, getting the balance right is going to be harder.  It will also necessitate total transparency of false reject and false accept statistics, accepted public domain test methods, and I suggest, still better tests that indicate resistance to concerted attack, and not just accidental detection errors.  

It was said that I'm sounding a bit monotonal on this topic.  I'm sorry if anyone's bored by all this, but then again, you'd hope for a reasonable attention span (and attention to detail) for a topic of such importance and controversy. I simply want to know if these debates are occurring.  As things stand, I am not even sure that the right questions are being asked let alone worked through.  

Cheers,

Stephen Wilson, Lockstep.  

And can you imagine a hacker spoofing a financial institution's (log-in) site and fool people in entering their biometric credentials? Where can I contact this organization to refer them to the best authentication security? I'm not peddling. It's not my system but I do know that these guys have the best system.

Very interesting debate on biometrics. My central question is what problem is being solved by the introduction of biometrics.  The unit cost of any given transaction will increase, I agree with most of the comments that the benefits of fraud detection are limited and the false positives outweight those benefits.

Suggest that we need to focus on the security already in place.  For example, merchants actually checking the signature on a credit card receipt and if concerned verifying with the credit card company.  Over the last three months, I started to sign with my receipts with various cartoon character names - no one has asked a question.

Risk based authenication seems very reasonable as well.  If I am drawing money out of an ATM in an area I have never used before - send me an SMS.

I want to develop products and services that enable a partnership with the client to increase security instead of forcing the client to adopt another level of inconvience for marginal benefit.

Good thread, please keep the conversation going.

This is fun and wish I had found sooner.  It appears there are two residual points raised in this post, and which are outside Chris's original point:

1. biometric accuracy or error rates
2. identity theft, ie theft of the biometric object

These are important points to consider in choice of a solution, but hardly reasons to write off biometrics, so I am not sure what point is being made in this original post, nor in the responses to reasoned comments.

In the old days the fail rate of signatures on cheques was not zero.  The fail rate on pin at the ATM is significant, esprcially when you factor in the x hundred customers who used the compromised machine around the time of compromise.  It is indisputable that the current methods offer fail rates greater than zero, and it will be hard to get it publicly any more accurate than that.

So we have fail rates on the something you have [card], something you know [pin].  We have two choices, and that is to strengethen those attributes somehow, or explore something you are. 

 Point 2 is irrelevant because there are enough biometric solutions which fail on dacapitation.

Error rates are another matter, and fall squarely into the security approach of managing multiple attributes which in aggregate will produce higher success rates.  

The desired goals of an identity system are a good place to start, rather than goals of identity system sellers (such as myself) and cost-effectiveness will likely prevail in the end.

I'll skip the House of Lords version and put it in a nutshell.

Governments need to control revenue and expenditure and they don't want anyone getting more or paying less than they should. Immigration roughly falls into this, complicated by the odd terrorist and criminal. (Governments are also very keen to link the mobile to the ID and will eventually go DOH! why don't we just make it the ID?)

Banks don't really want to do anything, they don't really think they have a problem, especially now that Chip&PIN has displaced the fraud elsewhere to such as internet banking, and banks have shifted that liability to the customer*.  Fraud isn't bad enough to send the banks broke in the normal course of business and the government will always bail them out, after all it's a criminal issue, not the bank's fault. It would be handy to ensure that the customer was the only one who could withdraw or spend their money but overall it's not much of an issue, it's more about satisfying government money laundering and terrorist financing laws, otherwise banks wouldn't care to 'know' most of their customers.

Customers are starting to see it as an issue, especially those nameless statistical consumers who are getting defrauded.

Citizens want to go about their business and spend their money wherever they like, on whatever they like, whenever they like. They want to do it without getting mugged or having their money stolen or their credit rating ruined.

At present citizens are 'taxed' every day from the second they have electronic currency. It actually seems ridiculous to me that we would exchange good cash for dodgy electronoic money and then let every Tom Dick and Harry whittle away at it every time they try to spend it, and then see themselves liable for their losses with a system they did not create.

There is more to ID than using your bank card or registering for the dole.

The only way ID can work is if everyone can ID everyone else when they interact. Why leave out the Community Service worker or the Council Inspector, or our kids on the internet or any other individual who might interupt the quiet enjoyment of life - especially if they aren't who they say they are. You mightn't be worried about it today but you will be tomorrow.

In the unlikely event a biometric solution could be deployed then theoretically it would displace criminal activity to other areas, as those criminals just don't seem to go away. Ask the CCTV's and the Chip and PINS if you don't believe me.

I suppose it's ok to deploy a half baked solution if you're not going to live very long and just want a tidy profit to spend, or you like the idea of almost immediately having another mess to clean up somewhere else. In the scheme of things Biometrics and smart cards are less than half baked and only in the realms of fantasy could they provide any solution to the ID problem.  They'll just displace it elsewhere.

If anyone is thinking about it then think a little further ahead than your nose and for god's sake don't listen to the lot who told you to deploy CCTV on every corner and that you could deploy Chip and PIN on just some.

Biometrics will have the same result as Chip and PIN - No-one will be protected until every shop on earth has a reader - at best it might merely displace crime elsewhere.

Hopefully a bit of fiscal tightening will see the urge to splurge on half baked never to be realised solutions to nothing. Even if one assumes that biometrics could be 100% reliable, which it isn't, then it still doesn't solve anything if it only solves it fro a few in a few places. 100% coverage with a less than perfect solution will be better than partial coverage with a perfect solution. The difference here is that thje biometric solution ids both less than perfect and it requires total coverage to be effective.

I don't care to be distracted by false-positives and false-negatives because although they are an issue, they are not the issue. Is everyone making the assumption that all methods have equal costs?

Mobilisation is the solution, and to a lot more than just ID.

Biometrics just costs too much that is the issue - they aren't cost effective and have a  very limited range of applications. Remember that unless you are paying for it, it had better work for something other than transactions so others will share the cost and the consumers will actually use it and it will actually be useful.

Anyone want to get bold with prices? What are we prepared to pay to have all our ID needs provided?

What do biometrics really cost on a per head per year basis? Apples for Apples please - if it's biometrics or a card, then we all need a reader too - thank you.

User pays is an option but Mobile ID would I imagine be around £20 to enroll initially and and a similar amount per person per year. I'd be able to manage it on that for the whole UK covering government and financial transactions within reason. I'd estimate $U25 per person per year in the US and I'll throw in microtransactions and free mobile 'bank' accounts for the unbanked.

What will it cost per person to use an alternative such as biometrics and smart cards?

I expect total silence from the biometric and card crowd from this point. They just don't have a clue how much it will cost, and it doesn't really matter because it just isn't a solution it's a pipe dream, unless there's been a breakthrough on cost in the last minute or two.

Biometrics has as much likelihood of effective global deployment as the chance of Warren Buffet and Bill Gates donating their fortunes to pay for it. 

Let's get over the biometric fantasy before we end up with electronic dogs sniffing our asses at the airport, after criminals have stolen our eye, ear, and finger prints. Whoever said that biometrics is renewable and that a thief is only stealing the data about my biometric, not my biometric - well what are you going to do to fix it, change the software on every reader? Half baked madness. We've been using biometrics for years, photographs. Has that solved the problem? Are you blind?

*On another related issue - I'd like to thank those members of the House for their quick movement on the internet banking liability issue. It would appear that a few are not only awake, but a wake up to what's going on. They're actually doing the banks a favour anyway - sort of. Personally I'd be probably be better off if the banks were left to continue making such astounding errors of judgement, but ethically it is the right thing so I'll just congratulate those who agreed with me.

Why not make the transaction and ID system sellers liable liable for losses too. I'm up for it - are you?

Money where your mouth is.

In response to Colin Henderson's points ...  

I have been trying to make a few points:

• The capabilities of biometrics are often exagerated and appear to be overestimated by those who are setting policy.  Vendors persist in talking about "unique biological features" which implies to lay people, perfect discrimination.  If you accept that your fingerprint is "unique" then you can be forgiven for believing that a fingerprint detector will be able to tell the difference between you and every other person.  But it can't. 
  
• These devices fail at astonishingly high rates.  As mentioned, the false reject and false match rates of fingerprint detectors is typically well over 3%. Even iris detection in the field can have accuracy around 96%. 
• Please don't think I am seeking perfection, but I am seeking a more moderate choice of words by biometric vendors, and attention to detail on the part of advocates and policy makers.  The policy implications go far and wide.  If biometrics are far from perfect, then how will liabilities be sorted out when a government issued biometric is falsely matched when used to open a bank account?  The fact that quoted biometric performance figures, even when you can find them, tend to be overstated as an artifact of the best available test procedures (this according to the latest ISO standard) exacerbates the false sense of security that I believe goes with all biometrics today. 
  
• I also think there has been inadequate debate over the false negative / false positive policies that need to be set between government and banks.  The objectives of these two stakeholders may be at odds, so how will the right compromise be met?  There is no agreed standard for measuring false positive and false negative rates.  So even if a policy compromise is debated and reached, how will it be enforced? 
  

Well actually we don't have proven and standardised liveness detection! Fingerprint liveness detection was debunked by Mythbusters. 

And in my opinion we don't have adequate contingency plans for recovery from biometric identity theft.  Various ideas get tossed around casually, like switching to different fingers, or injecting fuzziness into the templates, but these are just ideas.  None have been standardised much less actually deployed.  I contend that this is a bizarre and unprecedented way to treat security technology! 

To dig deeper ... 

• The trouble with swapping from one finger to another is that single fingerprints aren't actually good enough on their own.  This is why US Immigration has started capturing all 10 prints, to get better error rates.  
• The trouble with swapping from one eye to another is well ... you can only do that once!  
• The trouble with making templates fuzzy is that it necessarily compromises accuracy.  Trading off accuracy to get disaster recovery is a truly radical approach to security!

Meanwhile we still have people suffering the misapprehension that biometrics just cannot be spoofed.  The claim 'you cannot steal my biometric' keeps being made, and it's so not true.  

Cheers,

Stephen Wilson.  

Staying out of the arguments. I now use the IRIS system at Heathrow and love it. As an American who lives in the UK, I always had to wait in the long line and my passport got stamped every time I entered the UK. (which caused me to have to get extra pages).

Now, I just walk through the IRIS booths. I do think that sucess works well. (however, one of the reasons it is nice is because I tend to be the only person using the booths--not sure what it would be like waiting in line with a crowd of people.)

Michael Balk said : "Risk based authenication seems very reasonable as well.  If I am drawing money out of an ATM in an area I have never used before - send me an SMS. "

Well, thats just one of the things that our system offers! But the notification is not based on risk, its based on what the cardholder sets which I think is even better.

Cheers.

Clearly no solution will be 100%  immune to every attack on every level, however biometrics is just glossing over the flaws in the system and merely introduced another layer of potential flaws and problems.

All the worlds DNS's - (the things that turn the human name of a website into a number for computers - virtually every ISP and large corporate server) have been poisonable for years giving anyone 'in the know' the power to defeat almost every security system in existence and a fix has only just been released. All the anti-virus, secure certificate hooha and whatever else you think you've been using to potect yourself or your customers has been totally useless from the very first product you used to the latest rubbish. There are no secrets, only people who don't want to know them.

There is no 'safe' money in bank accounts, it's just that no-one has got around to stealing yours - yet.

I make the assumption that 'any transaction system which can perform transactions on behalf of the account holder without the participation of the account holder is fatally flawed'. Correct me if you think I'm wrong.

From the very beginning any such system will encourage fraud and that means that most of you must go back to the drawing board. Moore's law applies to both the power of hacker's computers and probably the number of hackers.

I'm sorry Marite,
a text message after I've been robbed, and only if whatever 'best guess' software used guesses right - is NOT best security, it's not even security. Can you deliver 10,000 SMS's per second? Of course not, that's why it is only useful with best guess software with hopefully only a few guesses per second, not even for every one of the 10,000 transactions per minute RBOS processes.

If you are going to shout at me via SMS after someone has stolen my money, it better be good news, like 'the bank will cover your loss', but I'd still be looking to see what other FI's could offer me - perhaps some real security for instance. Keep the best guesses for your own money, not mine.

One of our directors experienced a 'best guess' while buying wine in a distant vineyard where the credit card company guessed incorrectly. After 1 minute on the phone the card company not only lost that sale, they lost hundreds of thousands of dollars of business from everyone who heard about it with the choice to choose. None of them were the sort of customer any card company can afford to lose. There was a winner of course - the other card company.

Shouting from the open barn after the horses have bolted is NOT protection.

Biometrics may have a place in a future where the devices are more reliable and lower cost, but they do not have a place in everyday use in everyday life. The potential possible return is not worth the very real risk, not by a long shot, and the cost makes it not just foolish but downright irresponsible.

Hypothesis - Biometrics fail (for whatever reason) - where do you go from there?

What's the backup plan? Better have one. Perhaps jot down my number for when the inevitable happens.

Get real and fix the problems by fixing the problem, not creating a new problem in a doomed attempt to gloss over the existing flaws. There are more than enough already, and biometrics is not going to fix them.