Has biometrics hit the tipping point?

Unisys today announced the release of data from its biannual Unisys Security Index. One niche part of this year’s research was on the topic of consumer perception and comfort with biometrics for authentication and identification. The chief finding, according to Mark Cohn, vice president of enterprise security at Unisys, is that consumers are more comfortable than ever with using biometric technologies to protect their identity and aid them in actions like authentication and access.

“One trend that is quite striking is about biometric acceptance,” said Cohn. “A couple of years ago, when we did a comparable survey, we found that people indicated that facial and voice recognition were the technologies they preferred for identity protection. What we found this year was that voice verification is not rated as the top 1 or 2. There seems to be recognition that fingerprint identification is now more acceptable.”

In fact, the Unisys research indicates that fingerprint recognition is almost as accepted as PIN and password authentication, two methods that have greater than 70 percent preference as the primary method of authentication. And in general, biometrics are more accepted than ever, with greater than 70 percent of survey respondents indicating that they would trust banks and government requests for using biometrics to verify identity.

“Fingerprint technology is well respected,” explained Cohn, “Not just for one-to-many [as in a criminal identification system], but also one-to-one matching [such as for bank login]. They know that if it’s been able to be used for law enforcement successfully, then it must be good.”

What the survey also found is that age of the consumer is not a barrier to adoption. The research found that 76 percent of people age 35-49 and 76 percent of people ages 50-64 were comfortable with the use of fingerprint recognition for bank identity authentication. Those groups, noted Cohn, were the highest in terms of acceptance. The research also found that person with higher income levels were more comfortable with fingerprint biometric authentication. Of persons earning $50,000 or more a year, 79 percent were OK with fingerprint authentication.

“Higher age groups and higher income had more comfort with fingerprint scanning, and that was a bit of a surprise,” Cohn said. “It could be argued they have more to lose financially. The other thing is that they could have had their identity stolen in the past.”

Asked whether it looks like biometrics has reached a turning point that would allow for mass adoption, Cohn says the numbers from the research speak for themselves and indicate that many areas of the world have reached that point.

“We see a turning point where biometrics is no longer being viewed as a negative thing, but would be consider a positive thing to protect their identity,” Cohn said.

Cohn’s thoughts match closely with recent research from ABI Research, which also found growing adoption for biometrics. In November ABI Research announced that it expected, “The combined growth in both government, law enforcement and private sectors for biometrics will drive spending on biometrics systems over the next five years up to $7.3 billion by 2013, up from around $3 billion in 2008.”

But if the world is becoming so comfortable with biometrics, why is adoption lagging behind?

Cohn thinks there is one reason that adoption has been slow and he says it has to do with system architectures and costs. There are two models, he explained of biometric systems. The first model is that you create individual systems for particular purposes, and you have to deal with the costs individually. The other option, says Cohn, is that you create a multi-purpose system where costs can be shared.

He points to TWIC – the TSA’s Transportation Worker Identification Credential program which plans to use smart cards and biometric checks for port access --as a standalone system, and notes that it is very expensive, with card costs near $100 per card, not accounting for other administrative and background check costs. The other model would be something like what is happening in Malaysia, where a national biometric identification card supports other authentication. That model spreads the costs for the biometric system among a number of organizations – the consumers, the banks, the government, etc. In the first model, he references an Asian bank which was doing fingerprint verification for transaction protection. The vendor filed for chapter 11 bankruptcy, and the end result was that the bank had to shut down the system for lack of support. By creating interoperable systems, Cohn thinks governments and organizations can avoid that kind of failure.

“With respect to adoption of biometrics and such technologies, what we believe is going on right now is a trend toward interoperability,” Cohn said. “And that has changed a lot in the last few years. Now there is a common form for facial recognition. We now have interoperable fingerprint templates. At Unisys, we’re doing interoperability studies for other biometrics like iris recognition.”

Beyond interoperability, though, Cohn said that consumers have to trust the biometric authenticator. In the U.S., the survey found strong trust of the U.S. Postal Service for such issuance. In other countries, consumers were more trusting of their financial institutions. Some countries, he said, don’t trust the government at all for their ID issuance and biometric usage.

Even with an interoperable platform, Cohn warns that other factors have to be considered. He warns of so-called “man in the middle” attacks, which could mean interception or spoofing of biometric authentication between the biometric sensor/reader and the system. It’s not a problem for most physical access control systems, which have the readers hard-wired, for instance, to door access control panels, but for networked sensors for online systems, this would be a concern which system designers would have to address with technology like public key infrastructure (PKI).

He notes that organizations also have to think closely about things like “rightful use notification” and closely protecting a citizen’s biometric data. One model for that protection Unisys has seen is a “match on card” model such that the biometric template is on the card, and a reader verifies that the fingerprint presented matches the data on a smart card that the person presents. Such a model means that the individual retains full control over their biometric data.

Additionally, organizations have to look at the procedures for collecting biometric information and make sure they have strict security for that process. Finally, he notes, that organizations face the challenge of verifying that the biometric enrollee is who they say they are.

“Your protection level is only as good as the system we are protecting,” concluded Cohn.

The survey also looked at perception of different biometric forms, from fingerprint to iris to voice verification to blood vessel patterns and others. In looking at the research from a previous survey, they had found that facial recognition and voice verification had been the preferred biometric methods. Now, said Cohn,

“What we found this year was that voice verification is not rated as the top one or two,” said Cohn. “There seems to be recognition that fingerprint identification is now more acceptable. We’re also seeing an acceptance of iris recognition. People used to confuse iris with retina recognition. But now, iris scan is something people are much more comfortable with. Part of this can be attributed to widespread use of iris recognition in the UK for border control; the UK had the most acceptance of iris recognition. People also understand that it [iris recognition] is not an invasive procedure.”

Blood vessel authentication, which he noted that Unisys had deployed for worker access control at the Port of Halifax, still remains one of the least accepted form factors, and he attributes that largely to education about the method. It is, he noted, an accurate measurement, and can work in environments where fingerprint scanning faces difficulties. Cohn also noted that blood vessel pattern recognition also has a great deal of promise because of its levels of accuracy and the fact that it includes a “liveness” test – a test to see whether the subject is living or not. Despite those benefits, the research found that Americans still aren’t comfortable with this biometric in comparison to other methods. Only 43 percent of Americans favored this authentication method – which he noted is a fairly common biometric check in Japan for financial transactions.

But even that could be changing. The research says that men tend to be more rapidly accepting of newer biometric technologies, so the next time Unisys surveys the world, technologies that consumers are hesitant about now, could be old hat for tomorrow’s consumers.

More information from the Unisys Security Index is available online at www.unisyssecurityindex.com.