Biometrics: Brave new world?
Can advances in technology and the growing fear of identity theft push biometric identification into the mainstream? Rob Buckley investigates.
As a security measure, there's a touch of James Bond to biometrics. Until recently, hand geometry, iris, face and voice recognition seemed like a great idea, but one that belonged more to the realm of fiction when it came to implementation. The idea that they could be used as part of an organisation's security infrastructure seemed equally far-fetched. Enterprises that tried biometrics found these suspicions confirmed.
But as the technology has improved, biometrics have steadily been creeping into everyday life. The Government is already issuing passports containing biometric information and is planning a national ID card scheme along similar lines. Manufacturers of laptops have started to offer fingerprint authentication as an alternative to passwords. Various organisations, from schools to data centres and banks, are using biometrics for staff authentication, payment and to speed up queues for priority customers.
"The promise is starting to be realised. It's something we've been anticipating for a long time," says Tim Best, director for global identity solutions at LogicaCMG. "The technology coming along is more useable. It's faster, better, cheaper and it works very well."
There is a multitude of biometrics in use. Deciding which to choose is as much about the context in which it will be used as about the biometric itself.
At heart, biometrics are probabilistic. The readings taken by the system indicate whether the person providing the data is probably the person they claim to be. Depending on the thresholds used, it's possible for the system to let in people who shouldn't be authorised or to refuse admission to those who have the correct credentials, even if the hardware and software are working correctly.
Indeed, the accuracy of the reading is closely linked to the choice of biometric. Iris recognition, for instance, is one of the most accurate options. However, recording an iris is time-consuming and requires expensive hardware as well as exact positioning of the subject's head relative to the camera. Some users also find the process invasive, and it's very hard to equip a laptop or BlackBerry with iris recognition equipment.
Fingerprint recognition, one of the most mature biometric technologies, is often used instead. The equipment is cheaper, it's easy to swipe a finger over a reader, and the hardware is readily incorporated into laptops or other systems. However, it is more prone to mistakes in environmental extremes, such as high humidity or heat, and often fails when the user has been doing manual work or has dry skin. In some countries, such as Japan, people prefer biometrics that involve no contact with a reader that has been touched by other people.
No perfect method
Other biometrics have similar balances of pros and cons: facial recognition is simple to perform and non-invasive, but is vulnerable to contrast problems and requires more computing power than fingerprinting. Hand geometry, which measures the hand for simple distances, is easy to use but is less accurate at differentiating large groups of people. Voice identification can be performed remotely but has problems when dealing with freeform speech and large datasets; and so on. Some methodologies are more applicable to certain environments than others. And vendors will fight over which is best.
"Iris recognition is very expensive," says David McIntosh, CEO of OmniPerception, a company that sells face recognition technology. "For really good hardware, you have to pay £15,000. It's very accurate, but you have to hold terribly still. When the UK Passport Service tried it, 39 per cent couldn't enrol." Face recognition, he says, is non-invasive and more like the kind of biometric used in the real world.
"You're not going to get perfect results with facial recognition," argues Carl Gohringer, head of security at NEC UK. "I wouldn't advocate its use in access control, but it's fine in immigration, for example, where you just want the top-ten faces in a database of a million." He claims fingerprinting is far more accurate.
Mike Nelson, UK MD of Fujitsu, which makes the PalmSecure palm-vein biometric systems, disputes this. "Fingerprinting only works for one-to-one," he says. "Ten per cent of people can't use fingerprint devices. And iris scanning has acceptability issues." He insists that palm-vein scanning is more accurate and acceptable to users, as they don't have to touch anything.
In all cases, the hardware and environment used during authentication and "enrolment" - the procedure used to obtain the initial biometric against which all others are compared - can affect accuracy.
A major factor when choosing a biometric is how you're going to use it - as a unique identifier in its own right or as a reinforcement to another method of identification. Often when accessing a location or system, another token, such as a smartcard or PIN, will first identify the person trying to obtain access. The system will then compare a stored biometric to one taken at the point of entry to ensure the person using the token is the person authorised to do so.
As a result, instead of a one-to-many comparison between the measured biometric and those stored in the access database, a simple one-to-one comparison is all the system will require. This reduces the seek time and the chance of false matches. It also means that a less accurate but cheaper and more convenient biometric can be used.
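The threshold trade-off and the one-to-one versus one-to-many point can be put into numbers. The sketch below is an added example, not part of the original article: the score distributions and their parameters are constructed assumptions, not measurements of any product, and comparisons against different templates are assumed independent.

```python
from statistics import NormalDist

# Constructed score models (assumptions for illustration only):
# the matcher returns a similarity score, higher meaning "more alike".
GENUINE = NormalDist(mu=0.80, sigma=0.08)   # user compared with own template
IMPOSTOR = NormalDist(mu=0.40, sigma=0.10)  # user compared with someone else's

def far(threshold):
    """False accept rate: an impostor scores at or above the threshold."""
    return 1.0 - IMPOSTOR.cdf(threshold)

def frr(threshold):
    """False reject rate: the genuine user scores below the threshold."""
    return GENUINE.cdf(threshold)

def false_match_1_to_n(threshold, n):
    """Chance that an unenrolled person matches at least one of n stored
    templates, assuming each comparison is independent."""
    return 1.0 - (1.0 - far(threshold)) ** n

def equal_error_threshold(lo=0.0, hi=1.0, steps=60):
    """Bisect for the threshold at which FAR and FRR are equal."""
    for _ in range(steps):
        mid = (lo + hi) / 2
        if far(mid) > frr(mid):   # still too permissive: raise the threshold
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

if __name__ == "__main__":
    # Raising the threshold trades false accepts for false rejects.
    for t in (0.55, 0.60, 0.65, 0.70):
        print(f"threshold={t:.2f}  FAR={far(t):.5f}  FRR={frr(t):.5f}")
    print(f"equal error threshold ~ {equal_error_threshold():.4f}")
    # The same per-comparison FAR compounds as the database grows.
    for n in (1, 1_000, 1_000_000):
        print(f"N={n:>9,}  P(false match)={false_match_1_to_n(0.70, n):.4f}")
```

With these constructed numbers, a threshold that gives a per-comparison false accept rate of about 0.1 per cent is acceptable for a one-to-one check, but makes a false match likely against a database of 1,000 templates.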
Calling for back-up
It's this combined approach that's making inroads in the real world, both inside enterprises and when dealing with customers. Financial services companies that use biometrics usually deploy them in combination with smartcards. Technology company NCR has deployed fingerprint matching systems in several countries in South America for use in ATMs. "In Colombia and Chile, there's a considerable 'unbanked' market (of people who) are illiterate," explains Charlie Harrow, product manager for biometrics solutions at NCR's financial solutions division. Using fingerprint biometrics, banks have been able to enrol many of the unbanked as customers. They are able to enter their social security number into an ATM and use its built-in fingerprint scanner to confirm they are who they claim to be.
However, if the aim of using biometrics is to reduce costs, a system that involves supplying a smartcard or magnetic swipe card - which costs money and can be lost or stolen - is clearly not going to be the answer.
Multi-modal biometric authentication gets around the problem of relying on cards for initial identification. Rather than rely on one biometric, multiple measurements reduce the chances of false results. While this does increase costs as well as enrolment and authentication times, it can prove effective if backed by sufficient processing power. The US border authorities, for example, use both fingerprint and face recognition to screen immigrants against watch lists and their own databases, which contain more than 50 million records.
The business case
Despite the growing interest in biometrics, many remain sceptical. Colin Robbins, head of technology consulting at Insight Consulting, says the business case for corporate-wide adoption of biometrics is often difficult to make. "It's hard enough to justify the costs for smartcards. It seems like fantastic technology, but the real business benefit isn't there yet."
Ken Munro, MD of SecureTest, agrees: "If you have an ID and password system that's done properly, there's no need for biometrics." He advises that biometrics would be best used on mobile devices. "If someone's using a BlackBerry on your train, they'll have entered their PIN so many times that by the end of the journey, you'll know it too," he says. But, he adds, IT departments often deploy biometrics because "spending money on kit is easier, even though educating the workforce in how to use IDs and passwords is a better use of that money."
There is also the possibility of resistance by staff or consumers. Although most systems only store a biometric "template" rather than the actual fingerprint, iris scan or other data, there are still understandable concerns about privacy.
And companies using biometrics need to consider their legal obligations. "The Data Protection Act doesn't have a specific technical stipulation," says Rosemary Jay, partner and head of information law team at Pinsent Masons. "But there is the requirement that the controller of the information has taken appropriate security measures to ensure the integrity and validity of the data."
Organisations also have to be specific about what they will use biometrics for. Some biometrics could be considered invasive and may be regarded as a breach of privacy under article eight of the European Convention on Human Rights, as the Landini Spa and SNCF court cases in Italy and France have demonstrated.
So although they are increasing in popularity, accuracy and utility, biometrics are finding only niche applications. So far, few organisations have been able to justify the necessary investment, but if the technologies continue to develop and costs come down, a brave, new biometric world may be upon us.
CASE STUDY: DEG
Irish company Data Electronics Group (DEG) provides IT and telecommunication services to customers such as Bloomberg, Expedia and Mitsubishi. Until December 2004, the group's data centre had a variety of access-control mechanisms for staff and customers alike: a photo ID swipe card integrated into a 3G system that monitors the centre's doors, manholes and burglar alarms.
However, Daniel Tinkiel, chief operating officer at DEG, decided that the system wasn't secure enough. "The main issue regarding badges is the possibility of granting access to somebody without checking their real identity," he said. "Even though we do check photo IDs, there is always a possibility of error. A badge could be lost or shared with somebody who should not be given access."
Based on his experience in other countries, he decided to implement hand-geometry authentication using hardware from Ingersoll Rand Recognition Systems. In 2005, DEG began to implement the hand-geometry system. It took four months to deploy, including connection, supply, set-up, integration and training, and cost £170,000.
"The process starts by authorising access through our portal," Tinkiel explained. "Then authorised people are enrolled and hand recognition profiles recorded in our database server. After that, any attempt is checked against the database profile and logged in the system." All data is eventually stored with the images provided by the company's IP cameras in a common repository on a storage area network, where events are correlated based on time stamping. After 30 days, the images are put onto tape for archiving.
For people who might not be physically able to use the system, there's an exceptions option that has to be authorised by a supervisor, with the security operator performing the enrolment having to provide a password.
According to Tinkiel, the system works well. "Customers adapted easily and staff reactions were very positive," he claimed. "Our role enforcing the security of the building is quite a responsibility, and everybody felt that this is helping them. They are about having such a system in place."
THE NEXT BIG THING
Biometrics have come a long way in the past few years, but what's next? David McIntosh, CEO of OmniPerception and chairman of the International Association for Biometrics (pictured), predicts a growth in facial recognition as a means of remote verification of identity over the Internet. His company already has technology for analysing webcam images, which he says is able to test for "liveness" to ensure a photo or movie of the correct user is not being substituted.
McIntosh also sees possible advances in alternative biometrics, such as gait analysis and facial thermography, which uses the heat sources of the face to test for identity; increasing use of finger vein analysis; and developments in acoustic resonance, which measures how the human ear responds to sounds.
Cyrille Bataller of Accenture's technology labs says that improvements in one-to-many matching using biometrics should be forthcoming: "One-to-one is the easy part. One-to-n is where the industry is putting in a lot of effort, and it's where the value is." He also suggests that biometrics will become popular in consumer applications. For example, a biometric reader in a car could determine the identity of the driver and change the position of the seat and mirrors according to predetermined settings. "There's going to be a strong focus on biometrics for facilitation, convenience and adding value."