With identity management climbing corporate priority lists in the wake of the September 11 attacks, biometric security solutions are getting another look from customers once sceptical of their sci-fi overtones.
High-profile biometric experiments, such as the installation of face recognition systems to scan for known criminals among the crowds in several US airports, have significantly increased the exposure of such technologies. But in equally grandiose fashion, equivocal results from these trials have demonstrated that modern biometric systems are still far from perfect: one 90-day test of face recognition at Boston's Logan Airport, for example, found it required far too much human intervention to be practical.
To be fair, face scanning is among the less mature forms of biometric technology - but that distinction is of little interest to an organisation potentially entrusting its very existence to these solutions. Vendors point out that they're continually improving the reliability and accuracy of biometric solutions by tweaking their algorithms - but this is hardly reassuring: the implication is that existing products aren't yet secure enough.
Apologies for biometric technology become even harder to stomach when considering the work of researchers such as Yokohama National University graduate student Tsutomu Matsumoto. In May, Matsumoto presented the results of research that showed he could create gelatine 'gummy fingers', from less than $10 worth of commonly available materials, that tricked eleven commercially available fingerprint scanners between 70 and 95 per cent of the time.
Success rates rose to between 80 and 100 per cent when Matsumoto used a simple technique for lifting latent fingerprints from glass. That such trickery is possible at all poses an ominous threat for security-conscious organisations; that Matsumoto could do it so easily makes it absolutely clear that fingerprint scanning, like all biometrics, still has a way to go.
Bruce McCabe, managing director of analyst firm S2 Intelligence, believes biometrics vendors have become victims of their own hype. "Expectations are too high," he says. "If people run pilots and have one expectation, they're generally disappointed."
Vendors were quick to refute Matsumoto's findings by pointing out that today's systems have built-in safeguards, such as technology that looks for a pulse. But the biometrics industry has been struggling for mass-market acceptance for years, and with price commonly cited as an obstacle to corporate takeup, the pressure to push down prices has been immense.
Fingerprint scanners have now been built into mice, keyboards, LCD screens and several notebook models from companies like Acer, Micron, Toshiba, IBM, Fujitsu and others. But when considering fingerprint scanning on any large scale, economic models come into question and the technology comes under untenable pressure to perform. Given that most companies already have a workable - albeit basic - security infrastructure, there just isn't the imperative to spend several hundred dollars per workstation to add the incremental benefits of fingerprint scanning.
Commercial reality has forced makers to cut corners, concedes Peter Lee, General Manager of Brisbane security consultancy Comsec Enterprises. "Some manufacturers have had cost as an absolute priority and a lot of safeguards that were being built into [products] have fallen by the wayside," he explains. "In the interests of driving price down, the technology hasn't kept up with the hackers."
Finger on the pulse
That's not to say that biometric technology doesn't have its uses; its underlying principles are sound, and when properly deployed it can be a valuable component of an IT infrastructure.
Market estimates of the biometrics industry vary widely: market monitor IDC last year pegged the worldwide biometrics market at US$118.8 million in 2000, projecting a 50 per cent compound annual growth rate that would make the sector worth some US$902 million by 2005. US-based consulting firm International Biometric Group (IBG) was somewhat more optimistic, projecting the market would top US$1.9 billion by 2005.
Whatever the actual numbers, it's clear that biometrics are continuing to gain in popularity. Whereas they have always been closely tied to specific vendors' hardware, IDC believes customers will increasingly flock towards software-based solutions - authentication frameworks that support biometrics in the same way they support other authentication techniques. IBG believes biometric middleware and finger scanning will account for 40 per cent of the biometrics market by 2005.
While biometric technology has often been envisioned as a replacement for passwords, in reality it's more often being used as an adjunct to conventional user ID/password/hardware token authentication. Integration between biometric software and enterprise directories facilitates easy management of biometric signatures within broader policy contexts. This has allowed biometrics to be used for applications as diverse as digitally signing electronic records, granting access to doors into secure areas, proving the identity of remotely located business associates, and registering time and attendance among shift workers.
Lee takes pains to distinguish the two types of recognition that biometrics enable: identification, where biometrics are used to compare a person with a large population sample; and verification, where the technology is used as an adjunct to conventional identification mechanisms. In the latter environment, many organisations are looking at combining biometrics with smart cards, which identify the carrier and can also be used as repositories for the user's registered biometric signature.
Storing biometric data on a card - as is done in models such as Comsec's Match-On-Card approach - eliminates the need to centrally manage biometric signatures. This approach has gained traction within the US Department of Defense, which recently enlisted KPMG Consulting to head a consortium testing integration of Precise Biometrics devices with the department's uniform Common Access Card ID card. The card will eventually be the primary ID and access card for the 4 million-strong US military.
"Biometrics is one part of a very sophisticated system for security," says Lee.
In a similar vein, larger organisations are driving adoption of biometrics here in Australia. Melbourne's Crown Casino and the Australian Customs Service (a sponsor of the worldwide Face Recognition Vendor Test 2002, at www.frvt.org) are looking into face recognition to strengthen criminal spotting, while the NSW Police and Commonwealth Bank have tried iris recognition.
Yet stepping away from high-profile trials, the ranks of the biometric faithful thin out quickly. Instead of becoming a mass-market technology, biometrics are creeping into businesses through vertical integrators such as Melbourne company PharmaSea. PharmaSea develops software and equipment for automatically tracking patients and administering doses of potent medications such as methadone, buprenorphine, paracetamol and other daily dosed medications.
PharmaSea recently worked with biometrics provider Iris Australia to integrate iris recognition so that doctors, pharmacists and nurses administering the drugs can definitively identify patients whose appearance might have changed dramatically since their photo ID - also required - was issued.
"The principle is to give the right dose to the right patient at the right time," says Rob Richards, CEO of PharmaSea and a pharmacist by trade. "You get women with their hair up and then down, men with their beards shaved; there's always the problem of making sure you've selected the right patient and have them on screen. It's a way of reducing stress because you're eliminating more reasons for errors to occur. I think it has even signalled the end of the plastic [Medicare and credit] card."
The eyes have it
As Richards found, iris recognition has proved to be another strong contender in the race for the biometrics crown. Although it initially suffered from concerns about user comfort, technology advances mean iris recognition is now a painless affair. Simply hold your eye in front of the CCD camera and it snaps an image of your iris, which is completely unique from person to person and even varies between eyes in the same person. This approach also eliminates concerns about cleanliness that may prevent people from putting their fingers on a public fingerprint reader.
Although the $5000 price tag of today's iris recognition systems has kept them out of mass deployment, their accuracy has made them a particular favourite within high-security applications, or those where large numbers of people are regularly passing through a single point.
Iris Australia, for one, has been working with the Singapore government on a system that will use its IrisAccess recognition software to speed the steady flood of travellers between Singapore and Malaysia. NCR's Financial Solutions Group has built and sent iris-enabled ATMs to South America, where a simple glance into the camera is helping banks sign up millions of consumers that have never before had a bank account.
Such scattered deployments continue to typify the spread of biometrics. "There isn't really a global application [for biometrics] at the moment; it needs to be a proven business case," explains Claire Shufflebotham, Global Market Development Manager with NCR's Scotland-based Financial Solutions Group. "No matter how good biometrics technology gets, it's always a probability - not a certainty. If there's no payback that biometrics is going to solve, employers aren't going to go through the nightmare of doing it. That's why we are seeing and supporting local activities."
Fingerprint and iris recognition systems may be the most popular, but other perfectly viable methods of biometric identification are also available. Voice pattern recognition is less commonly found, but may eventually dominate phone-based or mobile computing applications since it doesn't require special hardware. Other systems measure the geometry of the ear, while still others measure the shape of employees' hands by having people place their hands within a series of small metal posts.
Hand scanning is used to control access to sensitive areas of the $6 million Melbourne data centre maintained by VeriSign Australia, which uses Recognition Systems' Handkey II hand scanners to control access to a number of locations throughout the facility. That centre issues digital certificates for corporate and government customers, and as such it's essential to have tight access control and audit trails showing who's gone where. "VeriSign's American corporate parent used to use fingerprint scanning for access control, but we found the hand geometry was more reliable," says managing director Gregg Rowley. "People cut fingers, have Band-Aids and so on, and [fingerprint recognition] tended to be more prone to not letting people in."
Piqued by the need to tighten security at its borders, the US Customs Service has introduced hand scanning as part of a new system streamlining customs clearance for tens of thousands of regular international travellers into that country. Aware of widespread privacy concerns, however, governments have shied away from imposing biometric identification; rather, it's sold as a benefit to users who opt in.
Although early applications for biometric technologies may sound exotic, demonstrating the viability of such systems reinforces their potential role within smaller corporate environments. IBG figures suggest that broadening of biometrics' appeal will see large-scale public sector usage drop from 70 per cent of biometrics installations now to just 30 per cent of installations by 2005.
Making this happen will require winning the hearts and minds of private sector companies, but that's becoming easier to do, says Iris Australia sales manager Phil Schouten: "We're moving towards integrating biometrics from the door to the desktop," he explains. "We get [sceptics] but we have very good answers to all of their questions."
Yet if one thing has plagued biometrics, it has been those questions: questions about convenience, deployment costs, ROI, levels of risk and even privacy - a particularly big perception problem since Western democracies equate fingerprint checking with criminal activity.
Here, as always, due diligence is key. Decide what you're protecting and what it will cost if it's lost. Figure out how many people need to be enrolled in the biometric system, and how you're going to get them all past the scanner. Address privacy concerns by educating users about how the systems do and do not work, and reassuring them that their biometric signatures won't be used for anything else.
"There are already mechanisms in place for protecting identities," says Tony Ralston, solutions director for positive identification, public sector with Unisys Australia. "[Choosing biometrics] begins with an acute understanding of the nature of the transaction, relationship and challenge being presented. You're buying a level of customer acceptance and confidence in the transaction."
