Security

Apple 'Passkeys' Could Finally Kill Off the Password For Good (techcrunch.com) 141

Apple demonstrated "passkeys" at WWDC 2022, a new biometric sign-in standard that could finally kill off the password for good. TechCrunch reports: Passkeys are based on the Web Authentication API (WebAuthn), a standard that uses public-key cryptography instead of passwords for authenticating users to websites and applications, and are stored on-device rather than on a web server. The digital password replacement uses Touch ID or Face ID for biometric verification, which means that rather than having to input a long string of characters, an app or website you're logging into will push a request to your phone for authentication.

During its WWDC demo of the password-free technology, Apple showed how passkeys are backed up within the iCloud Keychain and can be synced across Mac, iPhone, iPad and Apple TV with end-to-end encryption. Users will also be able to sign in to websites and apps on non-Apple devices using an iPhone or iPad to scan a QR code and Touch ID or Face ID to authenticate. "Because it's just a single tap to sign in, it's simultaneously easier, faster and more secure than almost all common forms of authentication today," said Garrett Davidson, an Apple engineer on the Authentication Experience team.

Google

Google Settles Lawsuit With Illinois Residents For $100M After Photo App Privacy Concerns (usatoday.com) 10

Illinois residents are eligible to receive part of a $100 million class-action settlement after Google was accused of violating privacy laws in the state. From a report: The tech giant was accused of violating the Biometric Information Privacy Act regarding its use of a face regrouping tool in the Google Photos app. Google used the tool to sort faces it spots in photographs by similarity. However, according to the suit, the company did not receive consent from millions of users before using the technology. As a result, Illinois residents who appeared in a photo on the app between May 1, 2015, and April 25, 2022, may be eligible for payment.

What each claimant will be paid isn't known although a similar settlement involving Facebook saw 1.6 million users receive between $200 and $400. Payment amounts will depend on the number and validity of claims. Snapchat was also accused of violating Illinois privacy laws in a class-action lawsuit filed last month. It is still unclear when (or if) the case will move forward and potentially lead to a settlement.

Privacy

India Withdraws Warning on Biometric ID Sharing Following Online Uproar (techcrunch.com) 47

India has withdrawn a warning that asked users to not share photocopies of their national biometric ID following a widespread uproar from users on social media, many of whom pointed out that this is the first time they were hearing about such a possibility. From a report: A regional office of UIDAI, the body that oversees the national biometric ID system Aadhaar, warned users on Friday that "unlicensed private entities" such as hotels and theatre halls are "not permitted to collect or keep copies of Aadhaar," a 12-digit unique number that ties an individual's fingerprints and retina scan, and people should avoid sharing photocopies of their Aadhaar to prevent misuse.

The Almighty Buck

Mastercard Launches 'Wave To Pay' Programme (ft.com) 80

Mastercard is launching a "controversial" biometric payments programme in stores, as the card company tries to keep pace with nimble fintechs and bigger competitors such as Amazon. From a report: Retailers that sign up to its pilot scheme can allow customers to pay in-store with a gesture such as a smile or a wave. The system, which requires customers to enrol first, could also be connected to loyalty programmes and purchase history. "Payments is a wide space, and we are trying to offer what customers want," Ajay Bhalla, Mastercard's president of cyber and intelligence, told the Financial Times. He said that Mastercard could act as the "enabler of the ecosystem," setting unified privacy and security standards for a technology that has raised the hackles of privacy and data protection campaigners. "It's important that we make sure that data is handled properly and the transaction is safe," said Bhalla. "Everything is done with consumer consent." The facial recognition software itself will come from companies including Japan's NEC, Brazil's Payface and California-based PopID. The first pilots are launching this week at five supermarkets run by the St Marche chain in Brazil. The ambition is to eventually allow consumers to use a single enrolment to pay across different stores, says Bhalla, with further pilots planned across regions including Asia, the Middle East and Europe.

Privacy

Clearview AI Agrees To Limit Sales of Facial Recognition Data In the US (engadget.com) 14

An anonymous reader quotes a report from Engadget: Notorious facial recognition company Clearview AI has agreed to permanently halt sales of its massive biometric database to all private companies and individuals in the United States as part of a legal settlement with the American Civil Liberties Union, per court records. Monday's announcement marks the close of a two-year legal dispute brought by the ACLU and privacy advocate groups in May of 2020 against the company over allegations that it had violated BIPA, the 2008 Illinois Biometric Information Privacy Act. This act requires companies to obtain permission before harvesting a person's biometric information -- fingerprints, gait metrics, iris scans and faceprints for example -- and empowers users to sue the companies who do not.

In addition to the nationwide private party sales ban, Clearview will not offer any of its services to Illinois local and state law enforcement agencies (as well as all private parties) for the next five years. "This means that within Illinois, Clearview cannot take advantage of BIPA's exception for government contractors during that time," the ACLU points out, though Federal agencies, state and local law enforcement departments outside of Illinois will be unaffected. That's not all. Clearview must also end its free trial program for police officers, erect and maintain an opt-out page for Illinois residents, and spend $50,000 advertising it online. The settlement must still be approved by a federal judge before it takes effect.

"Fourteen years ago, the ACLU of Illinois led the effort to enact BIPA -- a groundbreaking statute to deal with the growing use of sensitive biometric information without any notice and without meaningful consent," Rebecca Glenberg, staff attorney for the ACLU of Illinois, said in a statement. "BIPA was intended to curb exactly the kind of broad-based surveillance that Clearview's app enables. Today's agreement begins to ensure that Clearview complies with the law. This should be a strong signal to other state legislatures to adopt similar statutes."

Google

Apple, Google, and Microsoft Want To Kill the Password With 'Passkey' Standard (arstechnica.com) 195

Apple, Google, and Microsoft are launching a "joint effort" to kill the password. The major OS vendors want to "expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium." From a report: The standard is being called either a "multi-device FIDO credential" or just a "passkey." Instead of a long string of characters, this new scheme would have the app or website you're logging in to push a request to your phone for authentication. From there, you'd need to unlock the phone, authenticate with some kind of pin or biometric, and then you're on your way. This sounds like a familiar system for anyone with phone-based two-factor authentication set up, but this is a replacement for the password rather than an additional factor.

Some push 2FA systems work over the Internet, but this new FIDO scheme works over Bluetooth. As the whitepaper explains, "Bluetooth requires physical proximity, which means that we now have a phishing-resistant way to leverage the user's phone during authentication." Bluetooth has a terrible reputation for compatibility, and I'm not sure "security" has ever been a real concern, but the FIDO alliance notes that Bluetooth is just "to verify physical proximity" and that the actual sign-in process "does not depend on Bluetooth security properties." Of course, that means both devices will need Bluetooth on board, which is a given for most smartphones and laptops but could be a tough ask for older desktop PCs.

Privacy

Mental Health Apps Have Terrible Privacy Protections, Report Finds (theverge.com) 22

As a category, mental health apps have worse privacy protections for users than most other types of apps, according to a new analysis from researchers at Mozilla. Prayer apps also had poor privacy standards, the team found. From a report: "The vast majority of mental health and prayer apps are exceptionally creepy," Jen Caltrider, the Mozilla *Privacy Not Included guide lead, said in a statement. "They track, share, and capitalize on users' most intimate personal thoughts and feelings, like moods, mental state, and biometric data." In the latest iteration of the guide, the team analyzed 32 mental health and prayer apps. Of those apps, 29 were given a "privacy not included" warning label, indicating that the team had concerns about how the app managed user data. The apps are designed for sensitive issues like mental health conditions, yet collect large amounts of personal data under vague privacy policies, the team said in the statement. Most apps also had poor security practices, letting users create accounts with weak passwords despite containing deeply personal information.

Wireless Networking

Nigeria Blocks 73 Million Mobile Phones in Security Clampdown (reuters.com) 16

An anonymous reader shares a report: Constance Chioma calls her son every morning to check that he is safe while studying in northeast Nigeria, a region plagued by deadly attacks by Islamist insurgents and armed kidnappings. Earlier this month, she could not get through. She later realised her SIM card was one of about 73 million - more than a third of the 198 million in Nigeria - which have been barred from making outgoing calls because they have not been registered in the national digital identity database.

[...] Nigeria is among dozens of African countries including Ghana, Egypt and Kenya with SIM registration laws that authorities say are necessary for security purposes, but digital rights experts say increase surveillance and hurt privacy. Nigeria has been rolling out 11-digit electronic national identity cards for almost a decade, which record an individual's personal and biometric data, including fingerprints and photo. The National Identity Number (NIN) is required to open a bank account, apply for a driver's license, vote, get health insurance, and file tax returns. In 2020, Nigeria's telecommunications regulator said every active mobile phone number must be linked to the user's NIN. It repeatedly extended the deadline until March 31 this year. The government said outgoing calls were being barred from April 4 from any mobile phone numbers that had not complied.

Security

The Pros and Cons of a Future Without Passwords (cnbc.com) 123

CNBC explores the dream of "a future where nobody has to constantly update and change online passwords to stay ahead of hackers and keep data secure." Here's the good news: Some of the biggest names in tech are already saying that the dream of a password-less internet is close to becoming a reality. Apple, Google and Microsoft are among those trying to pave the way... In theory, removing passwords from your cybersecurity equation nixes what former Secretary of Homeland Security Michael Chertoff has called "by far the weakest link in cybersecurity." More than 80% of data breaches are a result of weak or compromised passwords, according to Verizon....

Doing away with passwords altogether is not without risks. First, verification codes sent via email or text message can be intercepted by hackers. Even scarier: Hackers have shown the ability to trick fingerprint and facial recognition systems, sometimes by stealing your biometric data. As annoying as changing your password might be, it's much harder to change your face or fingerprints. Second, some of today's password-less options still ask you to create a PIN or security questions to back up your account. That's not much different from having a password.... Plus, tech companies still need to make online accounts accessible across multiple platforms, not just on smartphones — and also to the people who don't own smartphones at all, roughly 15% of the U.S.

Some data points from the article:
  • "Microsoft says 'nearly 100%' of the company's employees use password-less options to log into their corporate accounts."
  • "In September, Microsoft announced that its users could go fully password-less to access services like Windows, Xbox, and Microsoft 365."
  • "Apple's devices have used Touch ID and Face ID features for several years."

Privacy

Deception, Exploited Workers, and Cash Handouts: How Worldcoin Recruited Its First Half a Million Test Users (technologyreview.com) 10

The startup promises a fairly-distributed, cryptocurrency-based universal basic income. So far all it's done is build a biometric database from the bodies of the poor. MIT Technology Review reports: On a sunny morning last December, Iyus Ruswandi, a 35-year-old furniture maker in the village of Gunungguruh, Indonesia, was woken up early by his mother. A technology company was holding some kind of "social assistance giveaway" at the local Islamic elementary school, she said, and she urged him to go. Ruswandi joined a long line of residents, mostly women, some of whom had been waiting since 6 a.m. In the pandemic-battered economy, any kind of assistance was welcome. At the front of the line, representatives of Worldcoin Indonesia were collecting emails and phone numbers, or aiming a futuristic metal orb at villagers' faces to scan their irises and other biometric data. Village officials were also on site, passing out numbered tickets to the waiting residents to help keep order. Ruswandi asked a Worldcoin representative what charity this was but learned nothing new: as his mother said, they were giving away money.

Gunungguruh was not alone in receiving a visit from Worldcoin. In villages across West Java, Indonesia -- as well as college campuses, metro stops, markets, and urban centers in two dozen countries, most of them in the developing world -- Worldcoin representatives were showing up for a day or two and collecting biometric data. In return they were known to offer everything from free cash (often local currency as well as Worldcoin tokens) to Airpods to promises of future wealth. In some cases they also made payments to local government officials. What they were not providing was much information on their real intentions. This left many, including Ruswandi, perplexed: What was Worldcoin doing with all these iris scans?

To answer that question, and better understand Worldcoin's registration and distribution process, MIT Technology Review interviewed over 35 individuals in six countries -- Indonesia, Kenya, Sudan, Ghana, Chile, and Norway -- who either worked for or on behalf of Worldcoin, had been scanned, or were unsuccessfully recruited to participate. We observed scans at a registration event in Indonesia, read conversations on social media and in mobile chat groups, and consulted reviews of Worldcoin's wallet in the Google Play and Apple stores. We interviewed Worldcoin CEO Alex Blania, and submitted to the company a detailed list of reporting findings and questions for comment. Our investigation revealed wide gaps between Worldcoin's public messaging, which focused on protecting privacy, and what users experienced. We found that the company's representatives used deceptive marketing practices, collected more personal data than it acknowledged, and failed to obtain meaningful informed consent. These practices may violate the European Union's General Data Protection Regulations (GDPR) -- a likelihood that the company's own data consent policy acknowledged and asked users to accept -- as well as local laws.

Security

How to Eliminate the World's Need for Passwords (arstechnica.com) 166

The board members of the FIDO alliance include Amazon, Google, PayPal, RSA, and Apple and Microsoft (as well as Intel and Arm). It describes its mission as reducing the world's "over-reliance on passwords."

Today Wired reports that the group thinks "it has finally identified the missing piece of the puzzle" for finally achieving large-scale adoption of a password-supplanting technology: On Thursday, the organization published a white paper that lays out FIDO's vision for solving the usability issues that have dogged passwordless features and, seemingly, kept them from achieving broad adoption....

The paper is conceptual, not technical, but after years of investment to integrate what are known as the FIDO2 and WebAuthn passwordless standards into Windows, Android, iOS, and more, everything is now riding on the success of this next step.... FIDO is looking to get to the heart of what still makes passwordless schemes tough to navigate. And the group has concluded that it all comes down to the procedure for switching or adding devices. If the process for setting up a new phone, say, is too complicated, and there's no simple way to log in to all of your apps and accounts — or if you have to fall back to passwords to reestablish your ownership of those accounts — then most users will conclude that it's too much of a hassle to change the status quo.

The passwordless FIDO standard already relies on a device's biometric scanners (or a master PIN you select) to authenticate you locally without any of your data traveling over the Internet to a web server for validation. The main concept that FIDO believes will ultimately solve the new device issue is for operating systems to implement a "FIDO credential" manager, which is somewhat similar to a built-in password manager. Instead of literally storing passwords, this mechanism will store cryptographic keys that can sync between devices and are guarded by your device's biometric or passcode lock. At Apple's Worldwide Developer Conference last summer, the company announced its own version of what FIDO is describing, an iCloud feature known as "Passkeys in iCloud Keychain," which Apple says is its "contribution to a post-password world...."

FIDO's white paper also includes another component, a proposed addition to its specification that would allow one of your existing devices, like your laptop, to act as a hardware token itself, similar to stand-alone Bluetooth authentication dongles, and provide physical authentication over Bluetooth. The idea is that this would still be virtually phish-proof since Bluetooth is a proximity-based protocol and can be a useful tool as needed in developing different versions of truly passwordless schemes that don't have to retain a backup password. Christiaan Brand, a product manager at Google who focuses on identity and security and collaborates on FIDO projects, says that the passkey-style plan follows logically from the smartphone or multi-device image of a passwordless future. "This grand vision of 'Let's move beyond the password,' we've always had this end state in mind to be honest, it just took until everyone had mobile phones in their pockets," Brand says....

To FIDO, the biggest priority is a paradigm shift in account security that will make phishing a thing of the past.... When asked if this is really it, if the death knell for passwords is truly, finally tolling, Google's Brand turns serious, but he doesn't hesitate to answer: "I feel like everything is coalescing," he says. "This should be durable."

Such a change won't happen overnight, the article points out. "With any other tech migration (ahem, Windows XP), the road will inevitably prove arduous."

The Courts

Italy Fines Clearview AI $22 Million, Orders Data Deleted (techcrunch.com) 62

An anonymous reader quotes a report from TechCrunch: Another European privacy watchdog has sanctioned the controversial facial recognition firm, Clearview AI, which scrapes selfies off the Internet to amass a database of some 10 billion faces to power an identity-matching service it sells to law enforcement. Italy's data protection agency today announced a [roughly $22 million] penalty for breaches of EU law -- as well as ordering the controversial company to delete any data on Italians it holds and banning it from any further processing of citizens' facial biometrics. Its investigation was instigated following "complaints and reports," it said, noting that as well as breaches of privacy law it found the company had been tracking Italian citizens and people located in Italy.

"The findings revealed that the personal data held by the company, including biometric and geolocation data, are processed illegally, without an adequate legal basis, which certainly cannot be the legitimate interest of the American company," the Garante said in a press release. Other General Data Protection Regulation (GDPR) breaches it identified included transparency obligations (on account of Clearview not having adequately informed users of what it was doing with their selfies); violations of purpose limitation and having used user data for purposes other than those for which they were published online; and also breaches of data retention rules with no limit on storage. "Clearview AI's activity therefore violates the freedoms of the data subjects, including the protection of confidentiality and the right not to be discriminated against," the authority also said.

CEO Hoan Ton-That said in a statement: "Clearview AI does not have a place of business in Italy or the EU, it does not have any customers in Italy or the EU, and does not undertake any activities that would otherwise mean it is subject to the GDPR."

Ton-That added: "We only collect public data from the open internet and comply with all standards of privacy and law. I am heartbroken by the misinterpretation by some in Italy, where we do no business, of Clearview AI's technology to society. My intentions and those of my company have always been to help communities and their people to live better, safer lives."

Privacy

IRS To Adopt Login.gov As User Authentication Tool (fedscoop.com) 27

An anonymous reader quotes a report from FedScoop: The Internal Revenue Service has committed to Login.gov as a user authentication tool after earlier this month agreeing to abandon the use of a commercial tool that featured third-party facial recognition technology. In a statement on Monday, the Treasury Department said it is working with the General Services Administration to achieve the "security standards and scale" required to adopt the platform.

It comes after IRS earlier this month announced a plan to move away from using a third-party service for facial recognition to authenticate taxpayers creating new online accounts. It was forced to reject the technology following revelations that contractor ID.me uses powerful one-to-many facial recognition technology. "While this short-term solution is in place for this year's filing season, the IRS will work closely with partners across government to roll out login.gov as an authentication tool," IRS said.

While Login.gov is not expected to be ready in time for use by taxpayers during the current tax season, users are now able to sign up for IRS online accounts without the use of any biometric data. Any previously collected biometric data will also be deleted over the next few weeks, according to IRS. Despite the move to Login.gov, taxpayers will still have the option to verify their identity automatically through ID.me's tool if they choose. New requirements are in place to ensure images provided are deleted for the account being created.

The IRS said in a statement: "Taxpayers will have the option of verifying their identity during a live, virtual interview with agents; no biometric data -- including facial recognition -- will be required if taxpayers choose to authenticate their identity through a virtual interview."

Facebook

Texas Sues Meta Over Facebook's Facial-Recognition Practices (wsj.com) 17

The Texas attorney general filed a suit against Facebook parent Meta Platforms on Monday, charging that the social-media giant's longstanding and now discontinued use of facial-recognition technology violated that state's privacy protections for personal biometric data. From a report: The lawsuit, filed in state district court in Marshall by Texas Attorney General Ken Paxton, seeks civil penalties in the hundreds of billions of dollars, according to a person familiar with the matter. In a statement, Mr. Paxton said the company's capture of facial geometry in photographs that users uploaded from 2010 to late last year resulted in "tens of millions of violations" of Texas law.

"Facebook has been secretly harvesting Texans' most personal information -- photos and videos -- for its own corporate profit," Mr. Paxton said. "Texas law has prohibited such harvesting without informed consent for over 20 years. While ordinary Texans have been using Facebook to innocently share photos of loved ones with friends and family, we now know that Facebook has been brazenly ignoring Texas law for the last decade."

Privacy

Will ID.Me Destroy the Data of the 7 Million Americans Already Directed to Its Face-Scanning Service? (msn.com) 26

America's Internal Revenue Service abandoned plans to make face-scanning mandatory for access to your tax records.

Unfortunately, before this change of heart the IRS had already directed 7 million Americans to facial recognition vendor ID.me, reports the Washington Post. Now the chair of the House Oversight Committee is urging IRS Commissioner Charles Rettig to instruct ID.me to destroy the biometric data and ensure the data isn't used for "unapproved or unauthorized purposes." "Those Americans' highly personal information may continue to be held by a third party outside of the IRS's direct control — increasing the potential for exposure due to bad actors and other cybersecurity incidents," [head of the committee] Maloney wrote.... ID.me said on Wednesday that it would drop the facial recognition requirement in its software, which is used by 30 states and 10 federal agencies. The company also told The Washington Post that effective March 1, anyone would be able to delete their selfie or photo data....

The letter follows years of controversy over the government's expanding use of facial recognition software, despite warnings from the General Services Administration that the face-scanning technology has too many problems to justify its use.... There is no federal law regulating how facial recognition can be used or how it should be secured....

Maloney also writes that 13 percent of ID.me users since June had struggled to use the software and were referred to customer service, where representatives would attempt to verify their identities over video chat. The letter says this underscores the "widespread issues related to the use of the nascent facial recognition technology."

In fact, the Verge reports that "Internal documents and former ID.me employees say the company was beset by disorganization and staffing shortages throughout 2021, as shortcomings in the automated systems created tensions among the company's workforce, particularly the human verification workers who have to step in when the algorithms fail." Current and former employees who spoke to The Verge paint a picture of a company described as being in "permanent crisis mode," changing policies rapidly to keep up with fluctuating demand for its services and fight a slew of negative press. In particular, they say a lack of human review capacity has been a chokepoint for the company, leading to stress, pressure, and a failure to meet quality standards. It's an unexpected challenge for a biometrics system that's usually seen as automatic, pointing to the often-ignored workers needed to support automated systems at scale.

When the automated systems fail — ID.me says roughly 10 percent of users will need video chat assistance — it's workers and subjects who are left to manage the consequences.... To keep up with demand, the company added 1,300 new employees between January and September 2021, including 500 to be based in a new office in Tampa, Florida, dedicated to customer support. But as adoption increased, so did complaints. A Vice report found dozens of complaints from applicants who said they had been locked out of unemployment benefits when ID.me's verification service had failed to identify them. When the automated system failed, applicants often faced long wait times to reach human reviewers, according to the report — wait times that became even more burdensome and difficult to navigate for people without access to reliable internet connections....

Many staff were unhappy about the end of work-from-home policies, which were being phased out at the company at the same time as first the delta and then omicron variants hit the US. As in-office staffing levels rose, more ID.me employees began to contract COVID at work, sources said, in some cases taking whole teams offline at once.

One ID.me employee complained to the Verge that "In terms of worker treatment, it's like the Amazon of identity protection."

The article also notes that an ID.me video chat agent was terminated after engaging in "inappropriate conduct," and while the company added new procedures to prevent this, "sources said that these quality checks have begun to fall by the wayside under the pressure of clearing through the backlog of video verification requests."

Government

Not Just the IRS - 20 US Agencies Are Already Set Up For Selfie IDs (wired.com) 70

America's Internal Revenue Service created an uproar with early plans to require live-video-feed selfies to verify identities for online tax services (via an outside company called ID.me).

But Wired points out that more than 20 U.S. federal agencies are already using a digital identification system (named Login.gov and built on services from LexisNexis) that "can use selfies for account verification."

It's run by America's General Services Administration, or GSA.... The GSA's director of technology transformation services Dave Zvenyach says facial recognition is being tested for fairness and accessibility and not yet used when people access government services through Login.gov. The GSA's administrator said last year that 30 million citizens have Login.gov accounts and that it expects the number to grow significantly as more agencies adopt the system.

"ID.me is supplying something many governments ask for and require companies to do," says Elizabeth Goodman, who previously worked on Login.gov and is now senior director of design at federal contractor A1M Solutions. Countries including the UK, New Zealand, and Denmark use similar processes to ID.me's to establish digital identities used to access government services. Many international security standards are broadly in line with those of the U.S., written by the National Institute of Standards and Technology (NIST).

Goodman says that such programs need to provide offline options such as visiting a post office for people unable or unwilling to use phone apps or internet services....

In fact, Wired argues that in many cases, a selfie or biometric data is virtually required by U.S. federal security guidelines from 2017: NIST's 2017 standard says that access to systems that can leak sensitive data or harm public programs should require verifying a person's identity by comparing them to a photo — either remotely or in person — or using biometrics such as a fingerprint scanner. It says that a remote check can be done either by video with a trained agent, or using software that checks for an ID's authenticity and the "liveness" of a person's photo or video.... California's Employment Development Department said that ID.me blocked more than 350,000 fraudulent claims in the last three months of 2020. But the state auditor said an estimated 20 percent of legitimate claimants were unable to verify their identities with ID.me.

Caitlin Seeley George, director of campaigns and operations with nonprofit Fight for the Future, says ID.me uses the specter of fraud to sell technology that locks out vulnerable people and creates a stockpile of highly sensitive data that itself will be targeted by criminals. ...

Privacy

ID.me CEO Backtracks on Claims Company Doesn't Use Powerful Facial Recognition Tech 19

Identity verification company ID.me uses a type of powerful facial recognition that searches for individuals within mass databases of photos, CEO Blake Hall explained in a LinkedIn post on Wednesday. From a report: The post follows a news release from the company last week stating directly that: "Our 1:1 face match is comparable to taking a selfie to unlock a smartphone. ID.me does not use 1:many facial recognition, which is more complex and problematic." Hall's post on Wednesday confirms that ID.me does indeed use 1:many technology. Privacy advocates say that both versions of facial recognition pose a threat to consumers. In addition to numerous studies demonstrating the technology is less effective on non-White skin tones, amassing biometric data can prove a huge security risk.

"Governments and companies are amassing these databases of your personal biometric information, which unlike databases, of credit cards, cannot be replaced," explained Caitlin Seeley-George, campaign director at nonprofit Fight for the Future. "And these are databases that are highly targeted by hackers and information that can absolutely be used in ways that are harmful to people." In the Wednesday LinkedIn post Hall said that 1:many verification is used "once during enrollment" and "is not tied to identity verification. It does not block legitimate users from verifying their identity, nor is it used for any other purpose other than to prevent identity theft," he writes.
Privacy

Biometrics Company Clear Is Bringing Its Airport Scanners To Retail Stores (wsj.com) 30

Clear Secure, an identification services company known for its expedited screening product for air travelers, is bringing its biometric sign-up scanners to locations beyond airports. The Wall Street Journal reports: The company has temporarily installed the biometrics machines this month inside a Showfields Inc. interactive mall and at a Rimowa Distribution Inc. luggage store in New York City as well as a Rimowa in San Francisco. Clear's main product, Clear Plus, checks travelers' identities at airport security using biometrics such as iris scans, and lets them skip the wait for agents to check their photo IDs. Enrollment typically begins online but customers usually must go to a Clear airport location to scan their biometrics. Annual memberships cost $179.

Clear created the temporary installations to showcase its technology more widely and to expose consumers to its products beyond travel, said Caryn Seidman Becker, chief executive of the company. Other products include Clear Stadium Access, a product that lets people skip long lines at sports and entertainment venues. The pop-ups are also offering Clear gift cards, a first for the company. The company also wanted to address pent-up demand from consumers who traveled less during the pandemic, Ms. Seidman Becker said.

Privacy

Your Face Is, or Will Be, Your Boarding Pass (nytimes.com) 144

Tech-driven changes are coming fast and furiously to airports, including advancements in biometrics that verify identity and shorten security procedures for those passengers who opt into the programs. From a report: If it's been a year or more since you traveled, particularly internationally, you may notice something different at airports in the United States: More steps -- from checking a bag to clearing customs -- are being automated using biometrics. Biometrics are unique individual traits, such as fingerprints, that can be used to automate and verify identity. They promise both more security and efficiency in moving travelers through an airport where, at steps from check-in to boarding, passengers are normally required to show government-issued photo identification. In the travel hiatus caused by the pandemic, many airports, airlines, tech companies and government agencies like the Transportation Security Administration and United States Customs and Border Protection continued to invest in biometric advancements. The need for social distancing and contactless interactions only added to the urgency.

"The technologies have gotten much more sophisticated and the accuracy rate much higher," said Robert Tappan, the managing director for the trade group International Biometrics + Identity Association, who called the impetus to ease crowds and reduce contact through these instruments "COVID-accelerated." Many of the latest biometric developments use facial recognition, which the National Institute of Standards and Technology recently found is at least 99.5 percent accurate, rather than iris-scanning or fingerprints. "Iris-scanning has been touted as the most foolproof," said Sherry Stein, the head of technology in the Americas for SITA, a Switzerland-based biometrics tech company. "For biometrics to work, you have to be able to match to a known trusted source of data because you're trying to compare it to a record on file. The face is the easiest because all the documents we use that prove your identity -- driver's licenses, passports etc. -- rely on face." Shortly after 9/11, Congress mandated an entry and exit system using biometric technology to secure U.S. borders. Some travelers have expressed concerns about privacy, and while companies and agencies using the technology say they do not retain the images, the systems largely rely on willing travelers who agree to their use.

EU

Eurostar Tests Facial Recognition System On London Train Station (bleepingcomputer.com) 24

An anonymous reader quotes a report from BleepingComputer: Eurostar is testing a new biometric facial recognition technology on passengers traveling from London's St Pancras International station to continental Europe. The passengers will be given the opportunity to complete their pre-departure ticket and passport checks via the new biometric system, called the "SmartCheck" lane. Those who take this option will be allowed to board the train without going through the typically tedious ID verification procedures. The system will involve two facial scans, one at the ticket gate to verify the ticket check and one at the UK Exit Checkpoint, to confirm that the passport information is valid.

The goal, according to Eurostar, is to eliminate queues and expedite the boarding process, not only improving customer satisfaction but also minimizing the chances for viral transmission. The system will be trialed with a limited number of invited passengers and won't involve the UK's or Schengen entry controls. Eurostar announced its intention to introduce a facial recognition system to replace physical tickets and passport checks last year, and facial recognition company iProov helped them build it. iProov is a proponent of what they call "passive authentication", which is facial recognition without the user having to do anything. The user consents to the platform by visiting an online portal to register with their information and takes an image of their face with the smartphone or webcam. When they reach a physical checkpoint, they simply look at the camera, and the system authenticates them effortlessly.
