Has biometrics hit the tipping point?

Mark Cohn of Unisys says recent research indicates 'Yes'

He points to TWIC – the TSA’s Transportation Worker Identification Credential program which plans to use smart cards and biometric checks for port access --as a standalone system, and notes that it is very expensive, with card costs near $100 per card, not accounting for other administrative and background check costs. The other model would be something like what is happening in Malaysia, where a national biometric identification card supports other authentication. That model spreads the costs for the biometric system among a number of organizations – the consumers, the banks, the government, etc. In the first model, he references an Asian bank which was doing fingerprint verification for transaction protection. The vendor filed for chapter 11 bankruptcy, and the end result was that the bank had to shut down the system for lack of support. By creating interoperable systems, Cohn thinks governments and organizations can avoid that kind of failure.

“With respect to adoption of biometrics and such technologies, what we believe is going on right now is a trend toward interoperability,” Cohn said. “And that has changed a lot in the last few years. Now there is a common form for facial recognition. We now have interoperable fingerprint templates. At Unisys, we’re doing interoperability studies for other biometrics like iris recognition.”

Beyond interoperability, though, Cohn said that consumers have to trust the biometric authenticator. In the U.S., the survey found strong trust of the U.S. Postal Service for such issuance. In other countries, consumers were more trusting of their financial institutions. Some countries, he said, don’t trust the government at all for their ID issuance and biometric usage.

Even with an interoperable platform, Cohn warns that other factors have to be considered. He warns of so-called “man in the middle” attacks, which could mean interception or spoofing of biometric authentication between the biometric sensor/reader and the system. It’s not a problem for most physical access control systems, which have the readers hard-wired, for instance, to door access control panels, but for networked sensors for online systems, this would be a concern which system designers would have to address with technology like public key infrastructure (PKI).

He notes that organizations also have to think closely about things like “rightful use notification” and closely protecting a citizen’s biometric data. One model for that protection Unisys has seen is a “match on card” model such that the biometric template is on the card, and a reader verifies that the fingerprint presented matches the data on a smart card that the person presents. Such a model means that the individual retains full control over their biometric data.

Additionally, organizations have to look at the procedures for collecting biometric information and make sure they have strict security for that process. Finally, he notes, that organizations face the challenge of verifying that the biometric enrollee is who they say they are.

“Your protection level is only as good as the system we are protecting,” concluded Cohn.

The survey also looked at perception of different biometric forms, from fingerprint to iris to voice verification to blood vessel patterns and others. In looking at the research from a previous survey, they had found that facial recognition and voice verification had been the preferred biometric methods. Now, said Cohn,

“What we found this year was that voice verification is not rated as the top one or two,” said Cohn. “There seems to be recognition that fingerprint identification is now more acceptable. We’re also seeing an acceptance of iris recognition. People used to confuse iris with retina recognition. But now, iris scan is something people are much more comfortable with. Part of this can be attributed to widespread use of iris recognition in the UK for border control; the UK had the most acceptance of iris recognition. People also understand that it [iris recognition] is not an invasive procedure.”

Blood vessel authentication, which he noted that Unisys had deployed for worker access control at the Port of Halifax, still remains one of the least accepted form factors, and he attributes that largely to education about the method. It is, he noted, an accurate measurement, and can work in environments where fingerprint scanning faces difficulties. Cohn also noted that blood vessel pattern recognition also has a great deal of promise because of its levels of accuracy and the fact that it includes a “liveness” test – a test to see whether the subject is living or not. Despite those benefits, the research found that Americans still aren’t comfortable with this biometric in comparison to other methods. Only 43 percent of Americans favored this authentication method – which he noted is a fairly common biometric check in Japan for financial transactions.