There can be few less likely places to find the application of seriously cutting-edge technology than the boardroom of a staid oil giant. But one such organisation has kitted out its independent directors with the latest in biometrics – technologies that analyse physical characteristics for identity and authentication purposes. When this venerable collection of ex-politicians, lawyers and business leaders gather for board meetings, they bring with them custom-made handheld computers that can only be accessed by placing a fingerprint over a scanner built into the device.
For this ageing group of men, the selling point appears to be that they no longer have to remember PINs and passwords. For the company, the upside comes from faster decision-making, assured security and lower support costs.
The same benefits are being seen elsewhere. Intensive care doctors and nurses at the Royal National Orthopaedic Hospital (RNOH) in London are using a combination of smartcards and fingerprint readers on keyboards to access patient records at the bedside. The hospital’s head of IT and networks, Steve Pickup, says there have been some teething problems – the readers may not function properly if fingertips are too dry or too greasy – but generally the project has been a success: records are more secure, and they can be accessed more quickly, saving valuable time. “It’s our ambition to put a fingerprint access terminal on every bedside in the hospital,” he says.
There are further flavours of biometrics. Rather than roll out fingerprint-based systems, the EHS Brann advertising agency chose to install iris readers on every door when it moved into new premises in London’s fashionable Clerkenwell area. “We wanted to make it a groovy, high-tech office,” says Kathy Gruzas, the agency’s IT manager. But there was a more serious consideration – the vulnerability of non-biometric security. “In our last office we had swipecards, which caused endless hassle – people kept losing or sharing them, and it was expensive to administer. The biometrics system works very well.”
Early adopters they may be, but the positive experiences of these organisations are likely to persuade others to take a closer look. Indeed, according to some observers, biometrics is finally about to make the long-talked-of crossover from expensive, futuristic toy to fundamental enterprise security technology.
One big difference is that increasing numbers of people are about to become a lot more familiar with biometrics. Defying privacy campaigners, David Blunkett, the UK’s home secretary, wants to put biometric identifiers on national ID cards, while the European Commission is exploring the possibility of making fingerprints mandatory on all European passports.
Biometric methods
Three biometric approaches lead the way for business and government use in terms of cost, security and ease of use.
Iris
Iris readers have replaced retina readers as the best way of using the eyes as a biometric security measurement since the iris has more distinguishing features. Advocates say this is the best method, with an almost infinitesimal chance of falsely accepting unauthorised users. But it is relatively expensive.
Fingerprint
The most common format is ‘capacitive’, which measures ridges on the fingertip and registers recognisable details such as endpoints, bifurcations, whorls or islets. Another method is the use of thermally sensitive readers, which measure the temperature differences between the ‘hills’ and ‘valleys’ of a fingertip. This is thought to be more accurate than other methods, partly because it is less prone to picking up residues of grease from previous users.
Facial recognition
Facial recognition systems are still in their infancy but a move from flat to three-dimensional pictures, taken from several different angles, is improving reliability. This method is simple to use and relatively unobtrusive, but is also easier to circumvent: during trials of the technology, people discovered that they could fool 2-D versions by holding a photo of an authorised user up to the camera.
Other new biometric methods include:
Voice recognition
This method leads the chasing pack of newer technologies. Work still has to be done to make it more reliable, however.
Signature recognition
A new take on one of the oldest forms of biometrics. It is popular on PDAs as no additional equipment is required. Pressure and speed as well as form are measured but although users like it, corporations do not, fearing lazy employees might use abbreviated signatures that would be too easy to forge.
Hearing recognition
This could be used unobtrusively in telephone banking or on mobile phones.
Others
So-called hand geometry has been used to speed up checking in at Tel Aviv’s Ben Gurion Airport. More experimental methods include vein and bone scans. Techniques to identify people from the DNA in their breath are also in development but are thought to remain many years from maturity.
European Union passports
Already, visa holders entering the US are being electronically fingerprinted as they enter the country, and that data is matched against their machine-readable passport information.
“We’re starting to see government organisations using biometrics,” says Carl Gohringer, head of new business development at NEC Security Systems, which is providing biometric systems to an ongoing UK passport trial. “They are the first to take it up for their internal employee management too.”
New post-Enron corporate regulations, such as the Sarbanes-Oxley Act, have also fuelled demand. Biometric systems are helping to fulfil the need laid down by such new rules for a full audit trail of users’ document access and transaction execution.
Traders at Dutch bank ABN Amro, for example, are using fingerprint authentication on every desktop terminal to authorise transactions more quickly – a critical business advantage over passwords when price fluctuations can determine the difference between a profit and a loss on the deal. The system also plays another key role: it identifies exactly who authorised the deal.
As well as improving security, biometric systems are sold on the basis that once installed, they save money. There are few major costs after installation, say suppliers, and IT staff are largely freed from time-consuming administration that results from lost or forgotten passwords. In the first year, the costs of implementation are usually equivalent to the annual costs of administering a password-based system, say analysts; payback is generally obtained after about 18 months.
Companies with high staff turnover can particularly benefit. NEC Security Systems says that a major UK retailer, prior to adopting one of its biometric systems, found the job of managing passwords for its large and constantly-changing workforce so big that it felt compelled to employ six IT staff to do nothing else.
Steve Barnett, chairman of ISL Biometrics, the software specialist behind the Royal National Orthopaedic Hospital project, outlines the cost savings his fingerprint authentication systems brought for a customer that had outsourced its IT department. The customer’s IT services supplier charged $70 each time it had to reset a password, which tended to generate big fees: the customer had about 4,000 employees, each using around six passwords. According to ISL figures, password management generally costs about $120 a year per employee, while a fingerprint access system has one-off costs of around $100 per user plus ongoing software support.
The eyes have it
Different biometric methods have their proponents. Some say that fingerprint-based systems are the most cost-effective solution. Others, such as Professor John Daugman of Cambridge University, who holds the patents for all iris scanning processes currently used, see iris scanning technology as more foolproof. “The great strength of iris recognition is that it never makes false matches,” points out Daugman.
But when choosing between different biometric methods, businesses should not base their decision only on the upfront cost, says Anthony Allan, an analyst at IT market consultancy Gartner. “With biometrics, you get what you pay for,” he says. “Security for under $100 per user is very attractive but the characteristics are not good enough for enterprise use.” Companies should budget for at least $200 per user, he suggests.
One problem that cheaper iris scanning systems encounter, for example, is that they can be fooled if a photograph of an authenticated user is held up to the reader. Daugman says this risk is eliminated by more sophisticated systems that check for signs of movement in the pupil or eyelid. Equally, the Japanese mathematician who managed to fool an older biometrics system by building moulds of fingerprints from the type of gelatin typically used to make confectionery might not have been successful if he had been testing costlier silicon sensors. Still, the Japanese test has alarmed experts. “If he could do this, then any semi-professional can almost certainly do much, much more,” says security guru Bruce Schneier.
Professor Brian Collins of Cranfield University, a former director of technology at the government’s signals intelligence agency, GCHQ, notes that there are other ways of abusing biometrics. By knocking out the database that holds biometrics information, ‘denial of service’ hacker attacks could be just as harmful on a large scale as the compromising of the data itself.
He warns that organisations must take seriously the process of enrolling new users. “Screening someone on the basis of only one credential [such as a birth certificate] is a very dangerous thing to do,” he says. “Proof of originality, as opposed to identity, starts to become the main problem.” Birth certificates really need DNA-based biometrics verifying them, he says.
There are other security issues. Samir Kapuria, director of strategic solutions at digital security services company @stake, says most of his corporate customers see biometrics as “an art form, not a science”. Just because the technology works well in trials, it does not necessarily mean it will scale well or prove resilient to as-yet-undiscovered threats, he says. As that underscores, the technology is still maturing. Error rates for some fingerprint and iris scanning systems can be as high as around one in every 100 people tested, say experts. Cases in which unauthorised users gain entry to a system are extremely rare, but when they occur they pose a bigger risk than when, say, a single password is hacked.
These are not insurmountable problems, but even some suppliers accept that they must be resolved before biometrics will appeal to the mainstream corporate market. “Interest is still outstripping implementation by quite a long way,” admits Jackie Groves, UK managing director of Utimaco, which develops biometrics hardware and software products as well as other security products.
More of a lead bullet
As an example of a business that has so far failed to convert interest in biometrics into a widespread implementation, the case of Nationwide Building Society is instructive. In recent years, it has tested just about every available biometrics system imaginable, from iris recognition to speech verification. Although the trials were deemed successful – in that users were not unduly fazed and the installations went smoothly – executives remain reluctant to roll out biometrics. “We continue to take an active interest,” says David Followell, the head of Nationwide’s business futures and usability unit, “but we will only progress with it once we are convinced of the customer and business benefits of doing so.”
Amid the hype, it is easy to forget that biometrics is only another arm of IT security. General security principles apply; given the degree of faith that users tend to place in biometrics, it is important to follow them.
David Porter, head of operational risk at specialist IT consultancy Detica, accepts that biometrics is not the security sector’s ‘silver bullet’. “I don’t think any technology will ever be 100% reliable, because you will always have people and sloppy processes involved. A seemingly foolproof biometric system can still be scuppered by employees using it in the wrong way.”
Given that, biometrics should form only one part of a wider ID management system, he says. “I’m afraid you’d be crazy to use biometrics on its own. This nirvana of ‘the end of password’ is not true.” He advises combining biometrics with another system – ‘second factor authentication’ in the jargon – such as smart cards. John Madeline, director of corporate and business development at RSA Security, agrees. “We are just beginning to see second factor authentication moving mainstream. Most people are still only taking the initial steps towards understanding that just a password is not good enough and a second factor is going to be key,” he says.
Indeed, it may be several years, at least, before the corporate use of biometrics becomes commonplace. One day, all PCs and wireless devices may come with some form of biometric reader; already, one of the world’s biggest computer makers, Hewlett-Packard, is issuing staff with PDAs that are activated through built-in fingerprint readers. The hope is that such identity systems will be a key part of a single sign-on system that will automatically grant pre-defined privileges to the user, perhaps removing the need to tap in PINs and passwords to access different systems.
Even then, however, biometrics are still likely to form only one part of a much wider identity and authentication system. But when the technology matures, its use could go from the niche to the universal. Fingerprint readers or voice authentication could be indispensable to the use of wireless commerce through mobile phones, while fingerprint-activated smart cards could soon replace credit cards and loyalty cards.
Biometrics may not necessarily spell the end of the humble password, but it ought to herald a new wave of security applications. It should also one day remove many of the costs and the vulnerabilities of the current generation of security systems.