Biometric Analysis: Make Biometrics Tools Business Enabling

Dec. 19, 2005
Expanding biometrics' focus from enterprise applications to personal technology

One might justifiably suggest that biometrics, in a nutshell, is the technological equivalent of James Bond. Slick, sexy and always capable of drawing money. However, like Britain's greatest secret agent, biometrics has a history of flattering to deceive - and especially in that all-important box office department.

Not that it hasn't had good reviews. The idea of using the unique aspects of a person's physiology - fingerprints, eyes, DNA - as ID verification mechanisms, is a popular one, and has seen biometrics widely vaunted as the next great leap in ID and authentication. It has also been heralded in some pretty influential quarters, with governments, corporate users, and the public alike - driven in the main by the apparently growing terrorist threat - all extolling its virtues.

However, it has also had its problems. An assortment of price versus performance, interoperability, data protection, privacy, and even civil rights issues have come to the fore. And progress has been further hampered by certain quarters of the industry questioning the value of biometrics over more traditional security methodologies.

Reliability has been queried too. Fingerprint and iris scanning technologies are still perceived as having relatively high error rates, while facial recognition is still evolving and remains dependent upon particular lighting conditions and certain facial positions and expressions.

Perhaps understandably in the circumstances described, recent market research figures hardly paint a picture of a technology that's setting the world on fire - although there have been some differences in analyst opinion concerning market size. While IDC recently forecast the market at $887m for 2005, Frost & Sullivan's prediction was rather more upbeat, suggesting growth to just over $2bn by 2006. Predictably, the International Biometrics Group ventured that the sector will reach around $4bn by the end of 2007.

In any event, biometrics clearly has some work to do before claiming its full double-O rating.

Some commentators, such as Steve Adair, ThinkPad brand manager at Lenovo UK, believe that existing biometric technologies still have an important part to play. Referencing the Gartner report "Passwords Are Near the Breaking Point", which claims that by 2007, 80 per cent of organisations will need to strengthen user authentication with alternative security methods, he cites fingerprint authentication, for example, as a compelling tool.

Others however, predict that the emergence of more strategic biometric technologies into the mainstream will be vital.

Mike Nelson, vice-president EMEA at Fujitsu Europe, said: "For low security, personal access, fingerprint sensors have their place, but they're generally not suitable for multiple person access; they're not very secure and consumer acceptance can be low - not least because they require physical contact, leading to hygiene concerns and system reliability problems."

Mindful of this, Nelson still believes that the use of biometric technology in mainstream applications is inevitable. "The technology is now coming of age and is no longer gimmicky or cumbersome to use. It's already used in some large niche markets - in particular airport security and banking applications and it is only a matter of time before biometrics provides an extra layer of security for everyday activities such as building access, systems log-in, travel, and banking services."

Colin Robbins, head of identities at Siemens Communications, agreed, but argued that for this to happen, biometrics must be viewed as more than just security.

"Today, biometrics tends to be thought of as a security protection mechanism, protecting access to buildings, computers and networks," he said. "This becomes hard to cost justify, in isolation. Successful deployments will consider biometrics as not just protection, but business enabling."

In other words, biometrics needs to not just protect, but in some way enable businesses to do things that they can't do currently.

"This may occur when biometrics is viewed as part of an overall identity management system - perhaps in conjunction with smart cards - that then enables the business to make secure online payments, or implement secure electronic processes; for example, processes that need strong audit capabilities to meet business compliance regulations."

The point is, said Gary Duke, director of networking management consultancy, LAN 2 LAN, that for all the growing numbers of biometrics products becoming available, corporates want more. "They are looking for manageable end-to-end solutions, not point products."

Such offerings could potentially emerge from several areas.

Existing technologies for instance - including those that have failed to hit the mainstream thanks to sundry teething and integration issues - are forecast to enjoy a renaissance as they iron out their problems and become more sophisticated.

Bori Toth, head of biometric projects at Deloitte & Touche, said iris recognition technology was one such area. She claimed that, in terms of accuracy, speed, resistance to spoofing, and interface, its benefits are now compelling, with any scepticism coming about largely because of the technology's relative youth. Scientific concerns, she said, are also without foundation.

"As the technology is fairly new, not many know how it works. Some have concerns about the light range (near infrared - the same as in remote controls), others about potential health data contained in iris images, as iridologists believe. Neither of these have scientific credibility but they need to be addressed more so that public concerns disappear."

Other pending technologies include voice-based ID verification solutions such as those being developed by 192.com Business Services. The company's IT director, Paul Broome, claimed that, despite still being at the developmental stage, voiceprint identification is the ideal biometric for applications such as online authentication - where ID verification will usually be quite different, and where heightened security is now being called for by both consumers and online traders.

There is little doubt that before these or any other areas of biometrics can ripen into genuinely fruitful mainstream opportunities, certain hurdles must be negotiated and overcome.

Fraser Thomas, chief executive of Swivel Secure, noted that price, deployment problems and "never-ending" civil liberty issues remain fundamental barriers and that "the more complex the technology, the more likely it is to encounter problems". (see box)

Cultural change is another key area, according to Robbins. "For deployments to be successful, they need to be seen by end-users as making their lives easier - for example by enabling a single point of authentication to the applications they need to do their jobs as opposed to them having to remember several door access keypad numbers, and many different IT passwords."

Here, he suggested, companies and their suppliers must think beyond individual biometrics technologies and look at processes.

"Typically, discussion and research into biometrics focuses on the technology itself - how well does it work? How fast does it match? What are the failure rates? But the technology is only part of the issue when considering a large biometric deployment. Few companies are looking at the business processes that are needed to issue biometrics securely."

For instance, he said, there is little point in a biometric recognition system if the biometric has been recorded in error or fraudulently. Similarly, are appropriate processes in place to remove the biometrics of people no longer entitled to access the systems supposedly being protected? If management processes allow for erroneous or fraudulent registration then the security system is likely to fail.

In this way an inappropriately managed biometric system may be worse than no system at all.

Views and strategies as regards biometrics also differ from country to country. Jackie Groves, managing director of security specialists, Utimaco Safeware, said that European businesses are far more advanced in establishing large-scale biometric deployments than their counterparts in the UK.

"They tend to look at the security possibilities from a broader perspective. The major obstacle in the UK appears to be a restricted viewpoint."

Groves stressed the importance of UK businesses not constraining themselves to thinking about biometrics within certain parameters.

"When examining biometrics and how to justify it to the business, don't restrict the imagination to applications like 'strong authentication to the network' or 'reduction in password reset costs'. Granted these will bring significant benefits, but they are almost trivial in comparison to those possible by using biometrics as part of an overall e-business programme. E-invoicing, e-forms and e-procurement are just three examples of where major cost savings can be made by going online, and where biometrics can help secure and promote these steps."

Price versus performance has been another sticking point. Taken in isolation at least, biometric deployment can be difficult to justify on cost, thanks for the most part to comparatively high costs and the lack of an obvious return on investment path.

According to Duke, this is beginning to ease. "Price has been one of the main hurdles, but the price point now makes biometrics a very viable option for a multi-layered security model and it is becoming increasingly affordable. We are seeing a number of companies opting for biometrics now, or budgeting for a deployment in the next three to six months."

Toth concurred, noting that iris-scanning device prices in particular have plummeted in recent years and that large-scale adoptions (through deployments at airports) will drive costs down even more. She also suggested that pricing will be squeezed still further, and device performance elevated, thanks to competition among the leading manufacturers.

When though, if ever, will biometrics genuinely form a first line of corporate defence?

Nelson believes that, with growing scrutiny on good corporate governance, data and physical access control, there is a need to combine biometrics with traditional forms of identification such as swipe cards or PINs.

Robbins meanwhile, said other issues such as exceptions management still need careful consideration before biometrics can be mandated - particularly if difficulties in areas such as equal opportunities are to be avoided.

"How will a business manage the situation where a person is disabled and physically unable to supply a biometric of the specified type?" he asked. "Similarly, some people, by nature of their hobbies, are unable to supply fingerprints consistently. Rock climbers for example."

The underlying need looks to be an assured one however. Usernames and passwords are commonly shared, and are easily forgotten, stolen and cracked. So too are magnetic cards, while traditional forms of ID, such as national ID cards and passports can also be easy to forge. Toth claimed it is merely a matter of time; two to five years to be specific.

"Biometrics is not a panacea, but it is a big step up. Biometrics can genuinely bind a specific person to a set of data. No traditional method can deliver that. The increasing use of biometrics is the next evolutionary step on the technology ladder."

She conceded however, that widespread take-up is unlikely to be instantaneous. "Not everyone will want biometric options at the beginning. Biometrically enabled devices will be an addition to existing portfolios rather than a replacement, for a few years to come at least."

According to Robbins, this gradual drip-feed could open the door to reseller and integrator-led solutions.

"Today, biometric technology is not a simple technology roll out," he explained. "It requires a wide range of business and security skills to design and implement the required secure processes. Resellers will need strong professional services capabilities right across the security spectrum, incorporating risk assessment, compliance and deployment skills."

Fujitsu's Nelson sees an immediate opportunity, but asserted that resellers looking to take advantage need to think carefully about their integrator relationships.

"Resellers should watch for new developments and stay close to the integrators developing solutions. Understanding the real user demand and building the relationship with the user is the key to success. Ultimately this is a channel business. Of course there are large scale opportunities for the services companies, but the channel has a big part to play in the roll out of these solutions."

Groves meanwhile, said resellers have to play to their strengths: "Resellers considering selling biometric technology should choose products that sit within their expertise areas. So if they are networking specialists, maybe network security would be a profitable angle. If web solutions are their niche offering, transaction security would fit. The main consideration is to present the business benefits to the customer, not just technological benefits."

FRYING PANS AND FIRES

Social engineering is a little-understood and underestimated consideration where biometrics is concerned, according to Fraser Thomas, chief executive of Swivel Secure.

"Identity thieves target the most vulnerable point in a complex system. Organised cloning groups have devised effective ways of identifying mail containing PIN details, however well these are disguised. If the art of PIN interception is so finely tuned, it doesn't take too much imagination to see just how a similar process can be applied to biometrics information."

"The biometrics system may perform well, but the social engineering required to have individual users registered would be huge."

(Computer Reseller News -- 12/19/05)