Biometrics is an effective authentication technology loaded with potential, but it must clear significant hurdles before gaining widespread adoption, a prominent security consultant said on Monday at the InfoSec World 2007 conference in Orlando.

Ben Rothke, a senior security consultant with BT INS, said biometrics can provide a much more secure identification alternative to the traditional username and password. Through finger or iris scans or voice recognition, biometrics authenticates users based on unique physical characteristics, making it highly unlikely that any two people share the same trait, he said.
The odds of two people sharing the same iris pattern are one in 10 to the 78th power, according to Rothke. The current world population is only 10 to the 10th power.
Still, there are obvious reasons why the technology has not seen massive adoption within the global enterprise space and why there has yet to be a roll-out covering more than 2,500 users. The biggest drawbacks include cost, privacy concerns and the complexity of integrating a large roll-out with a company's legacy systems so that they interoperate. Adopters also must deal with a lack of standards and the possible unreliability of the technology, according to Rothke.
"In 2007, I would have expected to see a lot more biometrics in the corporate sector," he said. "But it’s not plug-and-play. It takes a lot of work."
And it is not hacker-proof, Rothke said.
"The vendors make claims that may be that way in a test lab," he said. "But biometrics, like any technology, can be spoofed. It can be hacked into."
Rothke urged companies considering biometrics to test the product in a "real-world environment" before a roll-out.
Organisations, most of all, should not underestimate the importance of user acceptance, Rothke said.
"This can destroy a lot of roll-outs," he said. "You really need to understand who your user base is."
Rothke cited southeastern grocery chain Piggly Wiggly, which canned its fingerprint-scan payment system after a customer threw a Bible at a clerk, claiming the technology was similar to the biblical "mark of the beast."
The incident drew widespread media coverage, and the company decided to drop its test roll-out, even though it was largely successful.
Companies considering biometrics should start small and deploy the technology with "an effective methodology," working to gain user trust in the program, Rothke said. Organisations must weigh the risk against the reward, as large-scale deployments are not cheap, according to Rothke.
"Technology for technology’s sake is not worth it," he said. "Management doesn’t care about technology. They care about bottom lines."
Prabhakar Chandrasekaran, information security officer at Spartanburg (S.C.) Regional Healthcare System, made up of four hospitals, said he came to Rothke’s presentation because he is considering biometrics and another form of authentication to steer doctors away from only using passwords.
"I always want to look at new technologies," he said. "We know that [passwords are] not the end solution."