With face recognition systems turning up in airports, palm geometry scanners installed at "secure" Exodus hosting facilities, and Panasonic selling the Authenticam iris recognition system for less than $US200, biometrics have finally moved from the laboratory to the marketplace. Indeed, the International Biometrics Group pegs the market at $US524 million in 2001, growing to $US729 million in 2002. But if you screen out the hype, you'll soon discover that few of those applications have progressed beyond technology demonstrations and early adopters. Having lived with a voice-print lock on my front door for seven years, I have a few words of advice to CSOs: Step slowly when deploying biometric systems within your organisation. Instead of using biometrics to let people log in to their computer systems, start by using them to control physical access to buildings and high-security areas. Finally, make sure that you have a backup for when the system fails — because eventually, it will.
As the name implies, biometrics involves measuring the human body. In theory, any aspect of the body that is different for each person and that can be consistently measured can serve as a unique identifier. In practice, the biometrics being deployed can be packaged into readers costing $US300 or less, which today means principally fingerprint-, iris- or voice-recognition systems.
Automatic fingerprint identification systems have been used with great success by law enforcement agencies since the 1980s. Fingerprints are by far the most widely used biometric today, and the most widely respected. Most people take it as a matter of faith that each person has his own unique fingerprint and that a computer can rapidly search out one person's fingerprint from a database of millions. Indeed, we have become so enamoured with the concept of fingerprints that the word is popping up all over: DNA-based identification systems are known as DNA fingerprinting; and the MD5 message digest code is commonly referred to as the fingerprint for a file.
But it's important to realise that the fingerprint systems that have been developed and refined for law enforcement are not the fingerprint readers that are making their way onto desktop computers. Law enforcement agencies use trained technicians to record fingerprints with ink and paper on 10-print cards; those cards are then digitised using an optical scanner and analysed using proprietary algorithms. Pen-and-ink systems obviously can't work in a corporate desktop environment, so a number of companies have tried to create so-called "live-scan" readers that will scan a fingerprint directly from a finger into the computer. The catch: Those readers don't work for everybody. "Many live-scan fingerprint readers have a hard time getting a good fingerprint on, for example, people who have dry skin," says Charles Wilson, a biometric expert at the National Institute of Standards and Technology. Those readers can also fail with thin skin or shallow ridges — traits common among the elderly. Depending on the reader, roughly one person in 1,000 may not scan successfully.
Iris identification is even more accurate than fingerprints, thanks to the tremendous detail and variation in each person's eyes. However, there is again a small percentage of people who cannot use those systems, because, for example, of an inability to stabilise their iris, says James L Wayman, director of Biometric Research at San Jose State University.
Biometrics can also be fooled by sudden changes in a person's body — cut your finger, and you might not be able to log in. For all of those reasons and many more, every biometric that's deployed in a real-life setting needs to have some kind of back door to let people in who can't, for whatever reason, properly authenticate.
Authentication Vs. Identification
Biometrics can be used in two different ways. The technology can be used to authenticate an individual by comparing a biometric reading from a person with a single stored template, the so-called "one-to-one" application. A biometric-enabled ATM might check to see if the iris of the person who is trying to withdraw money matches the iris for the account holder that's on file. Used in this manner, biometrics can be exceedingly accurate, especially when combined with a second factor, such as a smart card, PIN or password, which names the identity being claimed so that the reading is compared against that one template only.
Alternatively, biometrics can be used to identify a person from a database of thousands or millions — the so-called "one-to-many" application. This is the way that biometric face ID systems from companies such as Viisage and Visionics (now called Identix) are being used at airports to scan for known terrorists. The computer has a database of known bad guys, and it consults the entire database as each potential traveler walks by. Those systems are inherently less accurate than one-to-one: a verification makes a single comparison, while an identification makes one comparison per record, so the chance of a "false positive" (an innocent traveler matching somebody on the list) grows roughly in proportion to the size of the database. A reader that falsely matches one comparison in a million will raise a false alarm on most passes through a list of a million faces.
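The difference between the two modes is easiest to see in code. The following is an added illustration, not code from the article or from any vendor: toy 256-bit templates are compared by Hamming distance the way iris codes are, every template and reading is constructed with a seeded PRNG, and the 32% match threshold and the 40-bit rescan noise are assumptions chosen for the demonstration.

```python
"""Added example, not from the article: one-to-one verification versus
one-to-many identification over toy bit-vector templates, matched by
Hamming distance the way iris codes are. All templates and readings are
constructed with a seeded PRNG; the threshold is an assumption."""
import random

TEMPLATE_BITS = 256
THRESHOLD = 0.32   # assumed: fraction of differing bits below which two codes match


def hamming_fraction(a: int, b: int, bits: int = TEMPLATE_BITS) -> float:
    """Fraction of the `bits` positions in which integers a and b differ."""
    return bin(a ^ b).count("1") / bits


def verify(probe: int, enrolled: int) -> bool:
    """One-to-one: does the fresh reading match the single template on file?"""
    return hamming_fraction(probe, enrolled) < THRESHOLD


def identify(probe: int, database: dict) -> list:
    """One-to-many: every enrolled identity the reading matches (a watch list)."""
    return [name for name, template in database.items() if verify(probe, template)]


def system_false_match_rate(fmr: float, n: int) -> float:
    """Chance an impostor matches at least one of n templates, given the
    per-comparison false match rate fmr (independent comparisons assumed)."""
    return 1 - (1 - fmr) ** n


def noisy_reading(template: int, flips: int, rng: random.Random) -> int:
    """Simulate a fresh scan of the same person: `flips` bits differ from enrolment."""
    reading = template
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        reading ^= 1 << pos
    return reading


def demo(seed: int = 1) -> dict:
    rng = random.Random(seed)
    # Constructed watch list of 1,000 unrelated templates; user0 is the genuine subject.
    database = {f"user{i}": rng.getrandbits(TEMPLATE_BITS) for i in range(1000)}
    alice = database["user0"]
    fresh = noisy_reading(alice, 40, rng)        # ~16% of bits differ: a typical rescan
    impostor = rng.getrandbits(TEMPLATE_BITS)    # unrelated person: ~50% of bits differ
    return {
        "genuine_1to1": verify(fresh, alice),
        "impostor_1to1": verify(impostor, alice),
        "genuine_1toN": identify(fresh, database),
        "impostor_1toN": identify(impostor, database),
        # Same reader accuracy, bigger database: a one-in-a-million matcher
        # scanning a million-record list raises a false alarm about 63% of the time.
        "false_hit_1_record": system_false_match_rate(1e-6, 1),
        "false_hit_1M_records": system_false_match_rate(1e-6, 1_000_000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With 256-bit codes an unrelated template differs in about half its bits, so neither the one-to-one nor the one-to-many check trips on the impostor here; the accuracy problem in the one-to-many case is not any single comparison but the number of them, which `system_false_match_rate` makes explicit.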
On the surface, biometrics seem like the perfect tools for authenticating computer users. Unlike passwords, a biometric print can't be forgotten — no more passwords written on yellow sticky notes — and bioprints can't be shared, sold or stolen by social engineering. Indeed, that's one of the reasons that I bought an ECCO voice-print lock for my front door: I was renting out a spare room in the house, and with the biometric reader, I never had to change my house's locks.
But biometrics are not foolproof: A person's bioprint can be captured, copied and then fraudulently submitted for verification. For this reason, readers need to have some sort of built-in liveness check to make sure that they are actually performing a live scan; encryption should be used to protect data as it travels from the reader to the database, so that a print can't be sniffed off the wire and replayed; and the verification software should reject attempts that are too close a fit, because two live readings never agree bit for bit, and a sample identical to the stored template or to an earlier submission is a replay, not a finger. Meanwhile, experienced biometric scientists know that they should never use a fingerprint scanner that doesn't have a pulse detector or some other way to detect the use of a severed digit.
Be very wary if you hear a company boasting about its system for "biometric encryption." Because a biometric print will never read exactly the same way twice, biometric encryption systems need some form of error correction so that encrypted data can actually be decrypted at a later point in time. That error correction cuts both ways: every reading within the tolerance decodes to the same key, so an attacker doesn't need the exact print, only one close enough to be corrected, and each bit of tolerance shrinks the effective key space. An even bigger problem with those systems: If your key is compromised, there is no way to change your fingerprint.
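To make the error-correction trade-off concrete, here is an added example, not code from the article or from any product: a toy "fuzzy commitment" scheme of the kind a biometric-encryption system has to use. The stored helper data is the key's codeword XORed with the enrolment reading; a fresh reading XORed with the helper data gives the codeword plus the reading's noise, which the decoder removes. The readings are constructed bit vectors and the code is a 5-fold repetition code correcting two errors per block; both are assumptions for illustration. The `effective_entropy_bits` function measures the cost the paragraph above describes: how much guessing work the tolerance removes.

```python
"""Added example (not from the article): a toy fuzzy-commitment scheme with a
repetition code, and the reduction in attacker search space that its error
tolerance buys. Readings are constructed bit lists; the code is an assumption."""
from math import comb, log2

REP = 5                  # each key bit is repeated REP times in the codeword
T = (REP - 1) // 2       # errors per block that a majority vote corrects


def encode(key_bits: list) -> list:
    """Repetition code: each key bit becomes a block of REP identical bits."""
    return [b for b in key_bits for _ in range(REP)]


def decode(codeword: list) -> list:
    """Majority vote per block; up to T flipped bits in a block are corrected."""
    return [int(sum(codeword[i:i + REP]) > REP // 2)
            for i in range(0, len(codeword), REP)]


def xor(a: list, b: list) -> list:
    return [x ^ y for x, y in zip(a, b)]


def enroll(key_bits: list, reading: list) -> list:
    """Helper data = codeword XOR enrolment reading. Only this is stored."""
    return xor(encode(key_bits), reading)


def recover(helper: list, reading: list) -> list:
    """helper XOR fresh reading = codeword XOR (noise between readings)."""
    return decode(xor(helper, reading))


def flip(bits: list, positions: list) -> list:
    """Simulate a rescan that differs from enrolment at the given positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def accepted_fraction(rep: int = REP, t: int = T) -> float:
    """Share of all possible blocks that decode to the same key bit."""
    return sum(comb(rep, e) for e in range(t + 1)) / 2 ** rep


def effective_entropy_bits(n_key: int, rep: int = REP, t: int = T) -> float:
    """Bits of uncertainty left for an attacker who holds the helper data and
    must guess a reading the decoder accepts: total reading bits minus the
    log of how many readings per block are corrected onto the same answer."""
    ball = sum(comb(rep, e) for e in range(t + 1))
    return n_key * rep - n_key * log2(ball)


def demo() -> dict:
    key = [1, 0, 1, 1]
    # Constructed 20-bit enrolment reading (4 blocks of 5).
    enrolled = [1, 0, 1, 1, 0,  0, 1, 1, 0, 1,  1, 1, 0, 0, 1,  0, 1, 0, 1, 1]
    helper = enroll(key, enrolled)
    fresh = flip(enrolled, [0, 7, 13, 19])     # one flip per block: corrected
    too_noisy = flip(enrolled, [0, 1, 2])      # three flips in block 0: majority lost
    return {
        "from_enrolled": recover(helper, enrolled),
        "from_fresh": recover(helper, fresh),
        "from_too_noisy": recover(helper, too_noisy),
        "accepted_per_block": accepted_fraction(),
        "attacker_bits": effective_entropy_bits(len(key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a 5-bit repetition code, half of all possible blocks decode to the same key bit, so the 20 bits of reading the attacker would have to guess collapse to 4 effective bits, exactly the size of the key; the tolerance that lets a legitimate user in is the same tolerance that makes the attacker's "close guess" count. And if the helper data and a reading ever leak together, the key is gone and, as the paragraph above notes, the finger cannot be re-issued.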
Better for Doors Than Windows
That's why I'm a big fan of using biometrics for physical access control — such as the front door lock that I had for so many years. Besides preventing people from sharing or duplicating keys, the lock made it clear to visitors that I took security seriously.
Deploy a fingerprint-based time-card reader at a supermarket and you can be sure that clerks won't be punching each other's time cards. Likewise, a hand geometry reader installed at an airport will prevent an $US8/hour employee from giving the access code to a terrorist or selling a card for a few thousand dollars (and then reporting the card "lost" a few hours later). Even better, those systems are sold today as sealed, stand-alone units, which makes them both more reliable and more resistant to attack than bioprint readers on Internet-connected computers.
Within the coming months, expect to see live-scan fingerprint readers turning up in laptops and cell phones. Integration done by the manufacturer will reduce cost — ultimately to $US25 or less — and increase the chances that those systems will actually work as intended. If they do, and if they are accepted by end users, then biometrics might take off in the coming years. If not, biometrics will probably be sent back to the labs for another decade of R&D.
Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He is also CTO of Sandstorm Enterprises, an information warfare software company.