BIOMETRICS IMPROVES SECURITY AT THE EXPENSE OF PRIVACY

Biometrics involves the use of physical characteristics such as fingerprints or iris patterns to identify authorized personnel. Such techniques are gaining popularity with those responsible for security. Like it or not, the days of simply using your pet's name to gain access to a secure system are coming to an end.

Passwords present unacceptable trade-offs. Short, simple passwords are easily remembered and easy for thieves to crack using special software. Long, complex passwords are hard to crack and hard to remember causing frustration for users and their support staffs.

Passwords are a single-factor, authentication mechanism. To improve security, businesses are turning to multi-factor authentication often including biometrics.

There are four possible authentication factors: something you know (password or PIN), something you have (smart card or token), something you are (biometrics), and something you recognize (picture). These factors may be combined in any order to enhance security.

Biometrics is the most complex and least accepted but may offer the best security.

Biometrics has been used to identify people for years. The use of fingerprints to identify criminals is widely practiced and accepted.

Fingerprinting is not the only form of biometric identification. Other common types are hand geometry, facial structure, iris pattern, and voiceprint. Each has benefits and drawbacks. The ideal system would be fast, cheap, reliable, non-contact and secure, a combination not achieved by any available solution.

Yet an increasing number of vendors are entering the field and new devices are entering the marketplace. Maybe they can help your business.

Fingerprint readers are the most common biometric devices. They are relatively inexpensive and reliable. Most operate by finding and saving several unique features of a fingerprint, called a template, not the entire image. This saves time and storage space. In addition, not saving the fingerprint image means improved security because the image cannot be re-created from the template.

Unfortunately, fingerprints carry the stigma of being tied to criminals. We envision being at a police station, dipping our fingers in ink and being printed. Not a good image for a company trying to sell fingerprint readers.

Various biometric systems operate on similar principles. The device is trained by reading a person's biometric information, often several times. The information is aggregated, distilled to a small dataset, and saved for future reference.

The absence of industry standards for biometric algorithms and data means that each vendor offers a proprietary solution. Interoperability is non-existent. This keeps costs high and increases the risk of obsolescence.

So where are biometric systems being used?

Orlando International Airport is conducting a trial of fingerprint readers to expedite frequent travelers through airport security. Many other airports have expressed interest in the technology though customer acceptance has been slow.

Many countries, including the United States, are looking at passports or national ID cards that include biometric information. This is more easily implemented in countries where the right to privacy is not of paramount concern.

A number of retailers have conducted trials for making electronic payments using biometrics. These include grocery, drug and convenience stores. While results have been mixed, improvements in the technologies and the constant drive to reduce transaction costs create new opportunities.

Situations where biometrics can be used in a typical office environment abound. Consider building entry, restricted area control, computer login and network access. Many vendors offer devices for these purposes including major players like IBM and Microsoft.

Should you use biometric identification to improve security in your business?

There is no simple answer. Start by defining the problem to be solved. Do you want to tighten security, reduce costs, improve throughput, or increase convenience?

Systems range greatly in functionality and performance. The ideal solution simply requires you to touch, look at, or speak into a device and automatically identifies you. This requires a central database containing all authorized users.

Many solutions require that you have a smart card or other identification tool with you. The tool contains your biometric data that is compared with the data coming from the biometric reader. If they match, you are authorized.

Locate a few possible solutions and test them heavily. Every system has drawbacks. Fingerprint readers have trouble with the elderly (thin skin) and construction workers (worn fingerprints). Voiceprint systems have trouble with background noise.

You must test in real world situations with real people not in conference rooms with invited guests.

Ask vendors the following questions to assess risk factors:

How easy is the system to train and use on a regular basis?
What is the system's error rate and how is it affected by environmental factors?
What is the false-acceptance rate?
What is the false rejection rate?
What is the vendor's experience with user acceptance?
How stable is the system over the long term?

Always install a fallback mechanism such as a keypad or smart card with a password. If someone sustains an injury or develops an illness that affects their ability to use the system, they'll need an alternate means of identification.

Like it or not, biometric identification is here to stay and its use is growing.

Vin D'Amico is Founder and President of DAMICON, your ADJUNCT CIO™. He is an expert in IT Business Continuity Planning, Network Security Policies, and Freelance Writing focused on white papers, case studies, and handbooks. DAMICON services firms worldwide.

This article appeared in Vin's monthly Virtual Business column for the IndUS Business Journal in August 2006.

To learn more about how DAMICON can help your business, please take a look at our service programs.