Biometric Authentication in a Digital World

The age of anonymous gadgets may be over. Whether for security reasons or for digital rights management, many embedded system builders are considering ways to identify or authenticate the users of their equipment-a task that's increasingly complex. Passwords are proving both inconvenient and easily cracked. For real authentication, embedded designers are turning to sterner stuff like biometric identification.

Biometric authentication technology typically works by identifying a user's fingerprints or eyes. The processing power required to authenticate fingerprints or generate iris scans is significant. All the OEM biometric units therefore come bundled with their own embedded processors and software. All the customer sees is a familiar USB or serial port, and a documented set of software interfaces. Even so, the software work is not trivial.

To lighten the load, one industry group is developing de facto standards for biometric sensors and integration. The BioAPI Consortium lists more than a dozen BioAPI-compliant products on the market from various vendors. The group's goal is to encourage an API that is independent of the operating system or type of biometric device.

Clearly, most current design activity in the biometric space is focused on fingerprint-identification units available from a number of vendors, including Authentec. The company sees cell phones, for one, as ripe for fingerprint-identification applications for "asset protection, password replacement and data protection," said Scott Moody, president and CEO of Authentec, Melbourne, Fla. "2005 will be a bang-up year for us."

Cell phones are so price-sensitive, however, that not everyone sees the need for them to be biometrically secure at this juncture. Derrick Robinson, senior analyst at IMS Research, Wellingborough, United Kingdom, said, "You don't have a market unless there is a lot of valuable data stored in mobile phones."

On the other hand, one area where biometrics is already coming into play involves solutions for access control at places like hotels. Most rooms already use plastic ID cards as keys; they're inexpensive and easily replaced and reprogrammed. Adding biometric fingerprint identification to the card key or to the door provides another level of security that travelers may value, an application that STM, a French-Italian firm, is pursuing with its TouchChip module.

STM's technology is already being used on notebook computers, including the ThinkPad series from IBM, some models of which include biometrics alongside the touchpad mouse. Cell phones notwithstanding, mobile devices obviously store a lot of sensitive information, so this is where many biometric vendors see the biggest opening in the short term.

"All of a sudden this becomes viable. When you get down below $10, a lot of companies get interested," said Stacy Cannady, security product manager for IBM's PC division, Somers, N.Y.

When it comes to design, laptops have a distinct size advantage over cell phones, which are notoriously space-constrained. Although the fingerprint sensor itself is small and flat-about 1mm thick-the electronics that control it require more room than many handset manufacturers are willing to give up.

Hotels, laptops and cell phones are all relatively benign environments for biometrics. What's an integrator to do when the going gets tougher, such as for an outdoor kiosk? Currently, none of the biometric sensors are weatherproof. In fact, they're fairly delicate and need to be protected from sharp shocks, scratches and moisture. To be used in an embedded solution for locking outdoor gates or securing buildings, the biometric unit would have to be protected from the elements.

There are also challenges associated with the more James Bond-esque biometric options, such as eye scanners. These detect and measure tiny differences in each person's eye coloring and design. Unlike in the movies, however, current eye scanners don't scan the retina at the back of the eye. Instead, they scan the iris, the colored ring around the central pupil. Unfortunately, the iris expands and contracts with ambient light, so getting two identical scans of a person's iris is tricky. Lighting conditions, distance from the sensor, temperature-even alcohol consumption-can all affect the size and color of someone's iris. For all these reasons, biometric eye scanners are limited to clean, well-lighted places such as office lobbies.

There's no question that biometric control options are taking off in embedded solutions, but they're not appropriate for every application.

Matt Wagner, product marketing manager for security and wireless at Palo Alto, Calif.-based Hewlett-Packard, said, "Based on our past experience, the uptake [for fingerprint sensors] was slow, but looking forward, better authentication is seen as critical. We think embedded encryption chips and smart cards are the best near-term opportunity."

Smart cards have the advantage of high-volume, low-cost production; still, they're not much more secure than passwords.

Kelan Silvester, a platform security architect for Intel, Santa Clara, Calif., is more optimistic. "We think the time has come for fingerprint sensors," Silvester said. "Passwords are running out of gas and don't solve the problem by themselves. A lot of the work at this point is just marketing and encouraging people to use the technology."