The Other Side of Privacy: Protecting Information with Biometrics

For the most part, owners and manufacturers of biometric hardware have quelled the public’s fears about the perceived threats biometrics pose to personal privacy. Despite periodic spikes of resistance from civil liberties groups, most people who use biometrics to clock in at work, log onto computers or unlock doors now know their fingerprint information cannot be easily duplicated for misuse, and the government is not secretly collecting biometric data from every workplace access point into a mammoth Orwellian database.

In response to the increasing use of biometrics in private business, the International Biometrics Industry Association has developed privacy principles that call for safeguards on biometric data, strict user control over biometrics in private-sector applications, and laws that compartmentalize and carefully regulate the use of biometrics in the private sector. In addition, several states have passed their own legislation concerning the gathering and distribution of biometric data.

In fact, instead of a threat to privacy, biometric technology has become privacy’s greatest defender.

The Rise of Information Security
Biometric technology was first used in physical access control, and although its use in that sector is growing, it is limited compared to what’s going on in the information technology field. Almost daily reports appear about the theft of laptop computers, credit card numbers, medical records, and financial data.

Legislation like the Health Insurance Portability and Accountability Act (HIPAA) has led to federally mandated security for personal information. In the case of HIPAA, healthcare providers are obliged to prevent abuse and fraud and provide administrative simplification and medical liability reform. In the legislation’s wake, providers have worked diligently to protect patient records. However, despite their best efforts, computers and media containing patient data have been stolen or simply misplaced. The use of biometrics provides a means by which healthcare records can be kept confidential, even when storage media are lost or stolen. Biometrics offers similar benefits for compliance with other privacy legislation as well.

Why Biometrics?
Secure access is granted based on one or more of these factors: who you are, what you have, and what you know. Data security has often relied only on what you know—your username and password—to grant access to information. IT managers have devised clever and complex password systems requiring frequent changes, rules for alphanumeric and symbolic characters, and prohibitions against repetition of character strings. Password management and allocation often becomes so complex that a user resorts to typing the password into a text file and leaving it on his or her electronic desktop, or worse, writing it on a Post-it note and sticking it to the monitor.

When IT managers also require a “what you have” factor—such as an access card that transmits the password to the terminal—it may end up in a desk drawer or hanging on a cord suspended from a push-pin, readily accessible to others.

Biometric technology provides a “who you are” solution to these issues, ensuring the person gaining access to data is, in fact, the person authorized. As with any credential-based access system, the biometric technology employed must be reliable, user friendly and, most of all, manageable, and technology developers have rushed to meet those requirements.

One Touch
Fingerprint readers have dominated computer access applications due to the minimal real estate they occupy in already crowded workstations. DigitalPersona Inc. of Redwood City, CA, makes a broad line of optical fingerprint readers for strong authentication, ID verification and computer access. The company’s new DigitalPersona® Pro 3.2 features enhanced One-Touch Sign-On® that allows users to log onto Windows networks with a single touch of the fingerprint reader, which then forwards the necessary password to enter.

Administrators can require fingerprint authentication in addition to Windows credentials, including smart cards or passwords for their Windows logon policy. If smart cards are required for access, the fingerprint authentication can release the smart card PIN. The device’s software also supports logons to mainframe applications, VPNs and Citrix clients.

Vance Bjorn, vice president and chief technical officer at DigitalPersona, said, “The key to success in using biometric sign-on must be convenience. It cannot be an obstacle to legitimate access, yet it must be secure.”

Bill Spence, director of marketing at Recognition Systems Inc., agreed. “If it doesn’t work, people will find a way around it or stop using it.”

Case in Point
DigitalPersona’s optical ID fingerprint reader found an ideal application in Mexico’s massive Banco Azteca, a subsidiary of Grupo Elektra, Latin America’s leading specialty retailer, consumer finance and banking services company. Banco Azteca offers people with limited incomes in poor and rural communities an opportunity to establish a relationship with a financial institution.

Many people in these communities do not have driver’s licenses or any other secure form of identification. Those who are able to retain some of their earnings often keep their savings in cash either in their homes or in their wallets. This leaves them vulnerable to loss or theft of their life savings. Banco Azteca’s biometric authentication system allows undocumented workers to keep savings secure and earning interest. Workers simply verify identity with the DigitalPersona reader to make deposits or withdraw cash without time-consuming traditional ID verification.

Biometria Aplicada, a major Mexico City reseller, provided a solution using the DigitalPersona fingerprint reader that would work for the broad range of customers including farmers and construction workers, whose fingers are damaged or worn. Currently, Banco Azteca has more than 4 million customers biometrically registered and expects huge increases within the next year. The biometric authentication system makes it possible for 75 percent of its customers in 850 branches to establish savings and credit accounts for the first time.

Secure and Manageable
A fingerprint by itself is not a credential; it is only a gateway. A fingerprint reader records details of a finger to be used for access and converts them through an algorithm to digital data that is used for comparison and verification. This data template must be stored and kept available for comparison and authentication. Template management can be cumbersome, especially when the user must gain access to several machines in different locations.

The smart card offers an alternative to online template management. The typical biometric template is 400 bytes or less in size, making it easily stored in smart card memory. When authenticating at a biometric terminal, the cardholder presents his or her smart credential, which transmits the cardholder’s biometric template to the reader for ID verification.

Silex Technology has combined smart card technology and biometrics in a unique product called the COMBO-mini. It combines a fingerprint platen with a UIM smart card reader. UIMs are small smart cards similar to the SIM cards typically used in GSM wireless phones. The portable USB device can be plugged into a computer, printer or other peripheral to ensure authorized access. The smart card is easily replaceable, so the unit can be used by more than one person.

However, should a cardholder lose the credential or loan it to others, it is invalid on its own. The user must have both the fingerprint authentication device and the smart card to gain access. Likewise, the peripheral device can be quickly reprogrammed should it be necessary to deny access to a cardholder.

Silex’s SecurePrint authentication device allows a computer user to send a document to a printer but will not print the job until the user places his or her pre-enrolled finger on the fingerprint reader at the printer. Printer authentication can be an important tool in complying with HIPAA or Sarbanes-Oxley. It goes beyond preventing the unauthorized sharing of electronic media. Information leaks too often occur by intent or simple oversight at a network printer.

A Boom on the Way
At ISC West in April, the majority of access control and information technology protection exhibitors displayed biometric access and authentication hardware in their product offerings. Technology for reading practically every biometric—fingerprint, vein, iris, hand geometry, face, voice and signature—was on display. Clearly the industry is recovering from initial biometrics privacy scares and saying loud and clear that biometric technology does not endanger personal information; it protects it.

Dick Zunkel is a technical editor and frequent contributing writer to ST&D. He has been involved with biometrics since 1992 and has written many articles on the subject.