Dr. Hossein Eslambolchi
March 2012
Biometrics will play a major role in many industries, from medicine, science, robotics, engineering and manufacturing to all areas of vertical enterprise business.
Smartphones, in particular, help enable these services. Imagine an eye exam conducted by scanning your iris with your iPhone. Or an Android app that can measure the effectiveness of a pill through a biometric chipset that dissolves when digested.
I once predicted that by 2015, the cost of biometric devices would be so cheap that the number of devices would explode – the same way wireless broadband blew up over the past decade.
Biometrics offers excellent value to various industries, but also challenges to individual privacy that we all need to be aware of.
KEY POINTS
• Despite technical problems and privacy concerns, use of biometrics is increasing for enterprise as well as mass-market applications, albeit at a rather slow rate. In fact, the rate is slower in the enterprise area for critical security identification, although the use of convenience applications, such as voice response systems, seems to be on the rise.
• There are numerous barriers to widespread adoption of biometrics – from privacy-related issues to the cost and complexity of implementation. Additionally, technical issues affect performance.
• The continued lack of industry standards for biometric devices keeps large-scale deployment from happening. Despite progress in standards (see bioapi.org), wide acceptance is still elusive.
• While the devices themselves have improved, the applications to provision and manage the devices have lagged behind.
• The different forms of biometrics pose problems as well. Voice recognition does not work on all voice types; fingerprint recognition does not work on all fingers. Some systems now use multiple biometric factors – facial recognition combined with voice and lip movement recognition, for example. Testing multiple biometric factors can overcome some shortcomings, but often at a great cost to performance.
• Balancing security needs against concerns about privacy and intrusiveness remains a significant challenge for mass market and inter-societal applications, such as airport security.
• Some biometric applications are still plagued by high error rates in real-world situations.
THE TECHNOLOGY
Biometrics refers to automated methods of recognizing an individual based on a particular personal characteristic, such as voice pattern, fingerprint, hand shape or gait.
Various biometrics technologies have been used in private industry and government markets since the 1970s. Today, national and local government bodies throughout the world are using or exploring biometric technology for national identity cards, passport and visa control, health cards and fraud-reduction applications.
Employers use biometric technologies to record time and attendance, monitor physical access to high-security locations, and control network access by mobile employees. The most mature uses of biometrics are surveillance and screening applications, access control and citizen identification. The number of customer care applications is also increasing.
According to the consulting company International Biometric Group, the most widely deployed type of biometric is fingerprint scanning. Facial-scanning systems, hand scanning, iris scanning and voice recognition are ranked next in use, with signature and keystroke scanning bringing up the rear.
There are many examples of biometrics technology deployments. Finger scanning is used in Malaysia’s national identity cards. The Australian government is experimenting with facial recognition technology for passport control. Travelers in Amsterdam’s Schiphol airport can have their iris scanned as part of a fast-track boarding program. Hawaiian Airlines employees use hand geometry technology to check into work.
The use of biometrics technologies in the United States for mass access control received new impetus with the passage of the 2001 Patriot Act. The act calls for technology standards for visa application identity verification and for biometric use at U.S. customs and other ports of entry. Identity theft and fraud have also fueled government interest in biometrics. Various states already require fingerprinting to obtain driver's licenses or work permits.
The biometrics industry in the United States and many other societies faces numerous challenges regarding privacy. Concerns include the physical invasiveness of the technology itself, possible violations of civil liberties and the breach of private user information in vast databases. The balance of security needs with privacy concerns continues to be difficult in many parts of the world.
The perception that biometric approaches to security are invasive is common to many societies. It is interesting to note that which technologies are viewed as intrusive varies by country and culture; accordingly, acceptance rates have varied from country to country. If the public perceives a given approach as intrusive, that approach is resisted.
In the United States, the use of biometrics by business has focused on authentication and identification, PC and network access, physical access, time and attendance applications and password resets. Various biometrics technologies are increasingly used in conjunction with other security technologies, such as authentication tokens and smart cards. Various vertical markets, such as utilities, transportation, finance and health care, have become early adopters of biometrics.
In general, biometrics technologies have not gained widespread acceptance in the United States. The main causes include disappointing performance, a dearth of industry standards, the lack of applications that provision and manage biometric devices, and the significant costs of real-world implementations.
Some of the technologies – such as voice verification – have been shown to bring acceptable results for the cost. Other approaches are still struggling with issues regarding costs and complexity, as well as unacceptable error rates. The results of trials with face scanning technology at Boston’s Logan airport, for example, were very disappointing, with a 39 percent failure rate.
Even fingerprint-based systems, one of the most widely used biometrics technologies, can experience performance problems when an individual has dirt or oil on their hands. On the other hand, biometrics applications in closed environments – such as secured areas – have been fairly successful. However, vendors have yet to overcome resistance in the consumer market and skepticism in the enterprise market.
Biometrics experts acknowledge that the error rates of biometrics technologies remain rather high and that none of the technologies are fool-proof. However, the technologies should be judged according to particular use in particular situations. For example, customers using finger-scan technology for a physical security application might find higher accuracy rates with an optical technology than with a solution using silicon.
Other barriers have been the size, speed and completeness of any given system. Systems operate too slowly for mass deployments. Also, most of the systems are too bulky for easy installation on desktops or in handheld devices. The provisioning process for biometric system users is often difficult and non-intuitive. Another barrier to wider deployment has been a lack of interoperability between systems. Biometric authentication systems in particular have tended to be deployed as separate applications without any integration to backend systems, VPN solutions or directories.
There are changes afoot. New software can integrate biometric capabilities into single sign-on systems. However, single sign-on has proven to be elusive due to the complexities of legacy systems. The trend has been to transition to fewer sign-ons. Additionally, solutions can be integrated to provide an all-in-one approach to physical building access, as well as personal computer, network and application needs.
Despite technical problems and privacy concerns, companies are introducing biometric applications into their customer interactions. Disney World uses finger geometry to scan its annual and multi-day pass holders at the entrance gate. And Charles Schwab is using voice scanning for access to account information through its telephone system. In each of these cases the biometric is used in addition to a traditional login/password as a secondary verification, not as the primary gateway. Whether adoption will increase in the future is an open question.
The high incidence of false negatives with biometric techniques essentially mandates an alternate access method for critical data protection. This alternate access, such as a backdoor login/password, becomes the weak link. And multi-factor biometric methods to offset false negatives raise costs and complexity.
Mobile systems are demonstrating solid growth. Some Pocket PCs and PDAs are including local fingerprint or voice recognition schemes to reduce liabilities if the device is lost. In this application, where a known user is being compared to a single, on-board sample, system performance is quite good and the additional security can be warranted – these devices are easily lost.
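The error-rate trade-offs described above (requiring several biometric factors, keeping a fallback login, and matching against a single on-board sample rather than a large database), worked through as an added example that is not part of the original article. All rates are constructed sample values, and the model assumes each factor's errors are independent.

```python
"""Added example: error-rate arithmetic for biometric access paths.
All rates are constructed for illustration; errors are assumed independent."""
from dataclasses import dataclass
from functools import reduce


@dataclass(frozen=True)
class Factor:
    name: str
    far: float  # false accept rate: impostor wrongly accepted
    frr: float  # false reject rate: genuine user wrongly rejected


def fuse_and(factors):
    """User must pass every factor (multi-factor biometrics)."""
    far = reduce(lambda p, f: p * f.far, factors, 1.0)
    frr = 1.0 - reduce(lambda p, f: p * (1.0 - f.frr), factors, 1.0)
    return Factor(" AND ".join(f.name for f in factors), far, frr)


def fuse_or(factors):
    """User passes if any factor accepts (biometric plus a fallback login)."""
    far = 1.0 - reduce(lambda p, f: p * (1.0 - f.far), factors, 1.0)
    frr = reduce(lambda p, f: p * f.frr, factors, 1.0)
    return Factor(" OR ".join(f.name for f in factors), far, frr)


def identification_far(far, enrolled):
    """Chance an impostor matches at least one of `enrolled` templates (1:N)."""
    return 1.0 - (1.0 - far) ** enrolled


# Constructed sample rates, not measurements from the article.
FINGER = Factor("finger", far=0.001, frr=0.03)
VOICE = Factor("voice", far=0.01, frr=0.05)
PASSWORD = Factor("password", far=0.02, frr=0.001)  # far = guessing success

if __name__ == "__main__":
    for f in (fuse_and([FINGER, VOICE]), fuse_or([FINGER, PASSWORD])):
        print(f"{f.name:20s} FAR={f.far:.6f} FRR={f.frr:.6f}")
    for n in (1, 1000, 100000):
        far_n = identification_far(FINGER.far, n)
        print(f"1:{n} identification FAR={far_n:.4f}")
```

With these sample rates the fallback path accepts an impostor about as often as the password alone does, while requiring both biometrics raises the genuine-user rejection rate to roughly 8 percent.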
THE PLAYERS
• A handful of competitors dominate signature and keystroke technologies, including onClick, Softpro and Trio Security (acquired by Symbol Technologies).
• The dominant players in the facial recognition/face scanning arena are Identix and HumanScan.
• Nuance is the leading player in the voice recognition segment.
POTENTIAL IMPACTS
Trials of these technologies were conducted within research labs for use in physical and logical security. A team with representatives from ANS, SITS, SMD, solutions and research labs reviewed and tested products for a centralized biometric solution. The team was charged with recommending a solution to provide an additional layer of security for accessing network elements and the intranet. The team examined the use of biometrics as a component of an overall authentication solution, which was to include other key security technologies such as smart cards and digital certificates.
The data reported that while a combination of security technologies can be used to add layers of security and improve the strength of existing authentication measures, particularly for critical OSSs, the available technology would have required too great an investment in infrastructure modifications to warrant the further funding of the pilot at this time.
The data in addition had already examined standalone biometric solutions and had selected a fingerprint system from Identix. The team’s objective was to select a biometric security product and architecture for increased security when accessing network elements from virtual office environments.
Corporate Information Technology Services is using a voice verification system for Secure ID token resets. Effective May 2002, the only method to restore, reset, or re-sync tokens became the Automated Token Administrator. This system was created for domestic service providers associates who use Secure ID Tokens (for UGN access). It provides a secure and automated method for Token Administration using voice verification technology and the telephone. The Automated Token Administrator empowers users to perform automated routine and emergency administration of their tokens without technical intervention. Specifically, the user is able to reset their PIN, resynchronize and enable their token.
Global service providers are relying more heavily on the Common Security Platform (CSP) as a means of identification. This is the familiar web-based Human Resources Identification – PIN system that can be used to protect web access and web applications. This system has been augmented to include Secure ID token identification, and in many cases it is used as the means to reset other expired or forgotten passwords. Forgotten or expired password resets make up a very high percentage of help desk calls and therefore a large portion of support expense.
Biometric collection, beyond voice recognition, requires additional hardware at each access point, which adds both capital and maintenance costs that may not sufficiently offset the benefits.