A news story about facial-recognition software used to dispense loo-roll in China reminds us that technology may not always be able to overcome human fallibility.

There was an amusing report in the British media this week: one of the major tourist sites in China is using hi-tech facial recognition software to solve a somewhat low-grade problem. Authorities at Beijing's Tiantan Park have installed face-scanning cameras in one of the park's busy public toilets. The machines are programmed to dispense just 60 cm of paper to each visitor, making sure that no one takes more than their fair share, thereby tackling the apparently serious problem of people stealing the loo-roll and taking it home with them.

A public inconvenience

The story seems funny but it raises several questions that apply to the wider use of biometric authentication factors:

• The solution (facial-scanning software that won't dispense loo-roll to the same person within a nine-minute period) is hi-tech and expensive to install. It's a very costly solution to prevent people from stealing a very low-cost, basic product. Would a cost-benefit analysis of the solution show that overall it saves the park money, even when the risk of repairing broken machines is factored in?
• It raises the question of privacy. Should people have their identity recorded just because they need to spend a penny?
• Is it sensible to use advanced technology to solve what is in fact a problem of social etiquette? A (human) bathroom attendant might be able to control the amount of paper given out to each visitor just as well, while also providing that essential person-to-person contact, which reminds us of our responsibilities to trust and respect each other (and to leave some loo-roll for the next person to visit the facilities!).

The weakest link is the human

The overall problem seems to be that, if people feel they are not being watched or monitored in some way (by a machine or a human), then we are liable to try to bend or flout the rules and shirk our responsibilities – and then there is also the element of human error. Overall, humans are the flaw in the system.

When it comes to protecting sensitive corporate data (which is far more valuable than Chinese loo-roll), we have now moved on to multi-stage authentication processes to ensure that only authorised, trusted persons can access systems (whether payment systems or other systems containing sensitive data). Passwords are seen as passé – with good reason, as they can be stolen, shared and guessed, while they don't provide any authenticated data on the user.

Systems security has progressed to multi-factor authentication, including “what you know” (passwords or PINs), “what you have” (a key/fob) and “who you are” (biometric authentication). Crucially, there is no scrutiny of the activity or reasoning behind an access request, according to Jeff Carpenter, of security and identity services company Crossmatch. More importantly still, companies are not tackling that “one inescapable flaw in the system”: the human. Carpenter writes in Bobsguide: “Whenever any security system has an over-reliance on human participation there is an easily identifiable weak point in the system, and it is always the weakest point in the system that will be subject to the greatest scrutiny from unwanted actors.”

Human weak points companies need to tackle

So what are the human 'weaknesses' companies need to tackle in order to better protect sensitive (or financial) data? Carpenter suggests the following:

1. dissatisfied employees who might bear a grudge against the company and might therefore want to compromise access to a system;
2. other third parties with access and malicious intent;
3. honest employees who might share their authentication data through carelessness or misplaced trust;
4. honest employees who might provide access to identifiable unauthorised individuals, again through error or misplaced trust;
5. confusion over what the security policies actually are;
6. failure to navigate the authentication process correctly;
7. failure to recall passwords designed to be complicated to remember; and
8. subsequent lockouts from guesswork.

Carpenter goes on to discuss the advantage of using other authentication factors, such as the geolocation and time of access to the system, saying: “'When you act' and 'where you act' authentication factors are particularly pertinent for company employees with access to sensitive or valuable data that is of interest to cybercriminals.”

But this brings us back to the story about Tiantan Park's public toilets, which seems to contain a seed of truth: we can use the most advanced technology available but the human component will always be the weak point in any system to access goods (or sensitive financial data). We can continue to invent ever more complex authentication methods for cyber criminals to hack – or we can focus more on the weaknesses derived from human input, e.g. through education on security policies and authentication protocols. This won't stop all the criminals but it might reduce unauthorised access considerably.