Biometrics: A Future Identity Solution?
September 2003
Biometrics - it's a word you will hear more and more in the future. It is the technology that is available today to identify a person by a fingerprint, eye scan, face or handprint, or voice pattern. The increased emphasis on security in the wake of terrorist attacks, identity thefts, and computer hackers should be fueling huge growth in the sales of biometric technology.
That may explain why the use of biometrics isn't growing as fast as expected. In a survey of business-technology executives conducted by Information Week earlier this year, only 9% of the 300 executives say biometric deployment is a key business priority, down from 12% in 2002.
Why aren't businesses embracing biometrics?
On the surface, biometrics has always offered advantages over most authentication services. It can be associated, very specifically, with one person. It tends to be highly resilient to theft, cloning or compromise. “It is unique to the individual, not something that somebody else decides will be your password, shared secret or token,” says Ant Allan, research director at the Gartner Group. “Passwords can be learned by various means and tokens can be stolen, but biometrics cannot.” Newer generations of fingerprint scanners, for instance, not only include methods of detecting body heat and blood flow, but can scan characteristics of the finger deeper than the surface layer. This renders attacks via gelatin imprint, pork sausage or grisly dismemberment less likely to succeed.
Still, there are challenges. While biometrics are supposed to be unique, they are not necessarily stable over time. Face and voiceprints change constantly, and the latter is vulnerable to variations due to factors as simple as a sore throat. Voiceprint technology is a leading choice for existing communication channels, such as telephone. But, while voice recognition is a winning technology for customer service departments, voice validation is a much newer field.
Interest probably won't start growing until biometric systems overcome certain problems. Last year, researchers in Japan demonstrated they could fool fingerprint scanners with fake fingers made from readily available materials. Cost is still an issue, with fingerprint scanners at the low end and more sophisticated hand-geometry or eyeball scanners at the very high end. Putting one on every door leading into a building or attached to every PC on a network can be expensive for a business.
One big biometrics fan is George Kings. The VP for information services at the Los Angeles Firemen's Credit Union says critics are wrong when they call biometrics too expensive and unwieldy. Last summer, the credit union spent $40,000 on a fingerprint-scanning system. As a result, its 90 employees no longer have to remember up to 10 passwords to access networks and applications. "We made it really simple," he says. "Each of the employees just touches the [finger reader] pad at each station and they're in." One main problem: Fingerprint scanners sometimes can't scan if a finger is too dry. Other than that, Kings says the system is reliable and easy. "It's a lot more secure than passwords." It also has eliminated a lot of calls to the help desk for password resets, he says, which can cost from $50 to $100 a call.
Who is showing the most interest in biometrics?
Despite the benefits, a survey by Forrester Research finds that 58% of companies have no plans to try biometrics. Only 1% has implemented biometric systems, 3% have a rollout in progress, and 15% are merely testing biometrics. "Most of the activity has occurred at government agencies and defense firms," says analyst Laura Koetzle. "In the private sector, we're seeing some usage in pharmaceuticals, financial services, and, to some level, health care."
Private companies, healthcare and financial services firms, in particular, are showing the most interest in biometrics as they react to stiff regulations requiring tougher security and audit trails for workers accessing computer files and data. Others, with substantial assets to protect, such as the pharmaceuticals industry, are also deploying biometrics. "They've invested heavily in research and development, and they're willing to invest in security to protect that investment," Koetzle says.
Fingerprint scanners are the most widely used biometric technology. Some companies use iris scanners and handprint readers to control physical access to restricted areas. Airports have tested facial-recognition software with mixed results. Bernard Bailey, president and CEO of facial-recognition technology vendor Viisage Technology in Massachusetts, says the technology works well in places where people remain still for a period of time, such as playing cards at a casino. "To say it can automatically spot a criminal in a crowd is over-hyping its capability."
How is the Federal government using biometrics?
Earlier this year, the U.S. Social Security Administration (SSA) began testing a voiceprint system to control access to its Business Services website, where employers report earnings and withholding information. The goal is to reduce the cost of mailing passwords to site users. “The SSA processed 250 million W-2 forms last year, and 100 million of those were filed electronically,” says Chuck Liptz, the project manager for the voiceprint initiative. When companies want to access the website for the first time, they apply for access. The SSA sends them a personal ID number via snail mail or E-mail, as well as a letter to the employer to verify that the user seeking access to the site has a legitimate reason for doing so. The supervisor is called by a system made by Authentify Inc. in Chicago, and his or her voice is compared with a previously recorded voiceprint. The supervisor orally approves giving the employee access to the site. The Authentify system connects the Web site and the phone system to provide real-time authentication, using the phone system as confirmation. Because voiceprint biometrics can sometimes produce false positives or negatives when cell phones or different phones are used, the SSA also is using voice-authentication software from Nuance Communications in Menlo Park, California, to reduce those problems and provide an extra layer of security. "We're hoping that this speeds the process and makes it easier for people to work with us," Liptz says. He likes the biometric approach because it doesn't require additional hardware such as scanners or readers. Because it works off the phone system, it integrates easily with the Web site.
Biometrics also interests the U.S. Department of Defense. It is testing iris-scanning technology for access control at the Pentagon Athletic Club. The project is voluntary and involves capturing information from a club member's identification card and iris, says Maj. Steve Ferrell, executive officer at the Biometrics Fusion Center, the testing and evaluation center for the office. The process to put a club member into the biometric authentication system takes about two minutes, and the goal is to eventually eliminate ID cards.
How are healthcare organizations using biometrics?
While military personnel may be accustomed to tough security checkpoints, others find biometrics more of an adjustment. St. Vincent Hospitals and Health Care Center has rolled out a fingerprint reader system in its facilities of up to 3,000 staff and physicians. The deployment has been largely successful according to information security manager Bruce Peck. In the past, each application required its own user name and password to gain access. Now, employees use a fingerprint reader from AuthenTec in Florida and software from SAFlink near Seattle to log on to computers for access to everything from E-mail to medical records. Peck says the system has made it easier for busy doctors. It also has increased security and helped St. Vincent comply with new security regulations governing medical records. "It started as a single-sign-on initiative, and it's definitely raised the security to access applications."
Not everybody is a fan, though. "The nursing staff is tough. They don't like change," Peck says. On a typical hospital floor, nurses use PCs placed on mobile carts, which are connected to a wireless network. The computers, which nurses roll from room to room, are used to access patient records. Peck says most nurses still use passwords to log on and off. "They believe it's faster for them to use user names and passwords than the fingerprint scanner, but it's not. That's just their perception." The fingerprint scanners are effective about 80% of the time, and problems are mostly the result of dry hands. "We have a real dry-hand problem here because doctors and nurses are scrubbing and disinfecting their hands constantly throughout the day."
How are financial service organizations using biometrics?
The Los Angeles County Employees Retirement Association also turned to fingerprint scanners to increase security and reduce the cost of managing passwords. The association manages retirement, disability, and death benefits for tens of thousands of county employees. "It's a fact that hackers have plenty of tools to easily crack passwords," says director of technology services James Pu. Moreover, employees had to store multiple passwords, and the employees, like workers at many large companies, started storing their passwords by writing them down. "That's not the best way to secure systems," Pu says.
The organization turned to the Nsure system created by Novell in Provo, Utah, to provide centralized ID management via a single log on for all its critical applications, such as member services. Employees gain access to data via a fingerprint scan instead of passwords. Pu says the cost of managing passwords has gone down, while security has gone up. “That's especially important because the association handles people's retirement money, and security is a top priority.” The Nsure implementation went smoothly, he says, except for a handful of employees whose fingerprints are very faint.
What's the future of biometrics?
Companies that successfully deploy biometrics may discover there are other uses for the technology, and the systems can become an integral part of the business process. The L.A. Firemen's Credit Union is exploring whether it can use its biometric system to develop a way for employees to electronically sign documents and improve workflow. The first pilot will be employee time sheets, says George Kings.
One of the most promising arenas for biometrics is in thwarting identity theft, which far outstrips other fraud complaints, according to the Federal Trade Commission. "My company very much believes that biometric technology can virtually eliminate ID fraud and assure you that someone representing himself as a certain person is who he says he is," says Tom Larson, vice president-strategic development of the fingerprint technology company SAGEM Morpho in Tacoma, Washington.
Biometric IDs will also give a huge boost to online financial transactions, helping to shore up consumer trust in e-commerce. By ensuring that an online buyer is legitimate, biometrics will reduce the risks and costs to sellers. You can expect credit card issuers and e-tailers to encourage the use of biometric identifiers by rewarding purchasers who present biometric ID data online with discounted prices and interest rates.
That same verification capability is leading two states to adopt biometric systems to rein in driver's license fraud. Georgia has encoded fingerprint data into bar codes on 8 million driver's licenses. Odds are good that Oklahoma's legislature will require fingerprint data on licenses later this year. Arkansas, California, Texas, Hawaii and Colorado already collect fingerprints from applicants even though they don't yet embed the data on licenses. “A biometric scan can't confirm the identity of a person it is initially registering into a system, but it can prevent multiple registrations of the same person under different names,” says Dennis Carlton, a director for the consulting firm International Biometric Group in Washington, D.C.
As the availability of biometric databases grows, biometric scans will increasingly be used by employers to check the credentials of prospective employees. At first, it's likely that prospective employers will use biometrics to determine if a job candidate is on a law enforcement list. Eventually, however, driver's license databases and voluntary databases assembled by credit reporting agencies, employers and independent ID verification services, will let companies quickly determine whether a candidate is the “real McCoy.”
Of course, several technical and policy hurdles remain to be overcome. Worries about a Big Brother-like database and the lack of technical standards will complicate the compilation and broad use of biometric databases. But mandates included last year in the Patriot Act are beginning to impose standards on the industry. The Commerce Department's National Institute of Standards and Technology recently recommended the use of fingerprint and facial pattern data for the biometric passports and visas that will be required of all foreign travelers to the U.S. beginning in October 2004. That same combination of biometrics is likely to be adopted for other government and security-related uses, including military IDs and transportation worker IDs that will speed travelers with established risk-free profiles through security checkpoints.
Still, Bruce Peck of St. Vincent's thinks it will take time before biometrics is widely used, even though he's happy with his deployment. "The costs are just too high for general acceptance," he says. In the meantime, Peck has a plan for those change-resistant nurses. "We're going to eliminate those user names and passwords," he says. "They'll have no choice."