Biometrics Benefits, Challenges Aired

NEW YORK - In a conference room overlooking the site of the World Trade Center, early adopters of biometrics technology last week stressed the importance of determining someone's true identity.

Attendees of the Fall 2004 Biometrics Summit heard about the challenges and benefits seen by those who would implement biometrics both before and after the Sept. 11 attacks that put a greater focus on security. They also heard about why some companies still aren't ready for biometrics, technology that uses personal characteristics of users to identify them.

Acknowledging that most of the Sept. 11 attackers used drivers' licenses to board the airplanes they used as weapons, one presenter said biometrics should be a key tool in conjunction with better verification of identity-proving documents, in the process of obtaining drivers' licenses.

Illinois was the first to use facial recognition technology in its Department of Motor Vehicles, four years before Sept. 11, and the state is preparing an upgrade to its systems, said Beth Langen, administrator of the policy and programs division of the Driver Services Department in the Illinois Office of the Secretary of State. The measures have helped combat fraud, catching those who try to get multiple licenses for different identities.

"One guy came in a couple of times a day, to different facilities, to get licenses," Langen said. Another woman had 13 identities and used them for theft. She was caught and imprisoned. In all, 1,700 cases of fraud have been discovered using the facial recognition software, with 173 people claiming three or more identities.

Originally, the department had considered using fingerprint readers, but went with facial recognition for several reasons. It's passive and non-intrusive. "When you come to a DMV, you expect to get your picture taken," Langen said. By contrast, people associate fingerprinting with having been arrested, she said.

Huge volumes of pictures have been added to the department's database. It now contains 16 million pictures, and it is growing by 8,000 to 12,000 every day. At night, the system goes through all the new pictures to see if any faces match those already on record. If there are some that look similar, they are sent to a fraud unit in the morning, which compares demographic data and signatures to determine if the similar-looking people are one and the same.

Another biometrics pioneer represented at the conference was the New York City Law Department, which implemented a hand-geometry system for entering its offices and recording time and attendance.

The department had used a sign-up sheet before that, but employees who didn't want anyone to know they came in late started ripping out pages, said Malachy Higgins, chief of administration. The office tried using card readers, but found that administering the cards was a big headache, and if they were going to be late, employees could give cards to others who went in earlier to make it appear that they were on time.

In 1994, the department brought in the hand readers, and there were several hurdles. One was the union, which was concerned that the readers emitted some sort of radiation that would harm employees, until Higgins and his team explained that the process was more like taking a picture. Another hurdle was that the readers required users to fit their hands around pegs, something that took some getting used to.

"The first day or two, everybody thinks it's going to be a disaster. You sort of have to ride that wave a bit," Higgins said. It didn't take long for employees to adjust.

Getting employees acclimated to using biometrics equipment was a challenge discussed by those at the conference.

Clarendon Insurance Group in New York installed fingerprint readers both for entry to the building and for logging on to computers. The insurance company was helped by identity management software vendor Daon, which made sure users were prepped for the shift to biometrics.

Working with Clarendon's human resources department, Daon put together "welcome packs" for users, said Leo Ring, vice president of business development at Daon. The pack contained little stuffed koala bears - because they are the only animal with fingerprints - and wipes for keeping the fingerprint readers clean.

Before getting buy-in from users, buy-in from top executives is paramount. Scott Sykes, group manager of strategic technology at Capital One in McLean, Va., encountered a lot of resistance to his ideas for bringing biometrics technology into the financial services firm.

The fundamental point of resistance was whether the reduced risk, cost savings and increased efficiency outweigh the expense, Sykes said. A lot of the potential benefit is hard to quantify. But the cost is easy to measure: $5 million over the first two years, tapering off to $400,000 per year for maintenance and operation.

While one could argue that biometrics provides security benefits over a password system, are the benefits that much greater?

"Getting security folks to release the use of a password is very difficult," Sykes said.

Single sign-on can be difficult to integrate with biometrics systems. Biometrics readers aren't built into laptop or desktop computers, making the readers a hassle to add into a network. Privacy concerns are also an issue. Until these hurdles are overcome, biometrics will have a hard time getting a foothold in most enterprise companies, Sykes said.

"There's really no pull. There's really no push. It's kind of in 'levitation' right now," he said.