Subscribe to the Free Print Edition!
Celebrating 25 Years

GCN Home > 08/27/07 issue

The basics of biometrics

RFP Essentials | Biometrics done right can improve security and make life easier for users

By Edmund X. DeJesus, Special to GCN

If you doubt your employees have strong opinions about their computers, just watch the number of complaints to your help desk spike when you add layers of security. It’s understandable: Passwords are a pain, especially if you have to change them often.

Biometrics, if properly implemented, offers a win-win solution. Biometric security — which uses measurements of human characteristics to confirm identity — can at once enhance security and free users from the plague of passwords.

And biometrics can be applied to more than just computers. It can be used to control access to buildings, rooms, networks and other resources. Proponents of the technology say simply using any kind of biometrics sends a powerful psychological message that your agency takes security seriously, which can produce an important mood of vigilance.

Finally, increased security may be the primary goal of biometrics, but don’t let it be the only one. “Agencies narrow themselves out of solutions,” said Vic Berger, a technologist at reseller CDW.

By deciding too quickly what you want, you may be missing more complete solutions that offer additional benefits. For example, placing video cameras in a corridor may give you all the security you need, but facial-recognition and tracking software can add significant information, including insights into traffic patterns, behavior and resource usage.

“Don’t jump into a request for proposals if a request for information is more appropriate,” Berger said.

Put your finger on biometrics
Once the province of James Bond-style movies with futuristic facilities, biometrics is becoming commonplace — even showing up as standard equipment on Dell laptop PCs. The list of available biometric modes is growing all the time:
  • Eye, including iris and retina.
  • Hand, including fingerprint, palmprint and hand shape.
  • Head, including face, earlobe and lips.
  • Biochemistry, including DNA and odor.
  • Behavior, including voice, signature, keystroke and gait.
Although hand readers and fingerprint readers are employed in about 80 percent of biometric access applications, any of those modes can verify your identity. They differ, however, in many characteristics, including:
  • Ease of enrolling individuals.
  • Accuracy in distinguishing individuals.
  • Speed of identification.
  • Size of reader.
  • Operation in various environments.
  • Cost.
Each mode — and, in some cases, each product — differs greatly in approach and installation, so direct comparison is difficult during a typical bid process. Moreover, each mode involves some trade-offs. For instance, iris identification is accurate but can be slow and requires more cooperation from users than some other types of biometrics.

There are a number of other major issues to consider in selecting the best biometric mode.
  • Ease of enrollment. You need to enroll new individuals quickly and simply, not just to save time but to maintain staff goodwill — and make no mistake, biometrics depends on goodwill just as any other type of security does.

    You are asking people to expose their eyes, allow themselves to be fingerprinted or permit other essentially intrusive procedures. Expect resistance for religious or political reasons but also simply because bodies are private, and people aren’t comfortable exposing body parts, even for excellent reasons.

  • Error rates. Error rates are not a big problem with small populations, but a high error rate with a large population is a recipe for disaster because user patience tends to decrease as error rates increase.

  • Recognition speed. Speed of identification can play a similar role. For example, fingerprint identification is relatively slow and most suitable for low-volume applications, not for hundreds of workers waiting impatiently to check into the facility each morning.

  • Device size. Size of the sensor device is most important in small areas, such as next to doors.

  • Environment. The environment can affect the choice of modes in subtle ways. For example, if you’re protecting a lab where the staff wears gloves, fingerprint readers probably aren’t a good choice. “Voice recognition — or a combination of modes — might make more sense,” said Gregory Zekster, an associate at consultant Booz Allen Hamilton.

  • Cost. Especially for low-volume operations, cost is a key consideration. Biometrics saves the burden and expense of a card-based system, not to mention eliminating the headache of lost or stolen cards. People don’t often forget their hands.

  • Multiple-factor authentication. What if other constraints push you to biometric solutions that are comparatively less secure? “Multimodal solutions using two or more different biometrics are becoming more common,” Zekster said. Multimodality can also be more flexible, with certain kinds of access requiring only one mode and others requiring more.
Hurdles to clear
First and foremost, don’t let a biometric solution lull you into a false sense of security. Don’t abandon your firewalls, encryption, passwords and other security precautions just because you have biometrics. The measurements for comparison reside in a database, which must be encrypted and subject to security. “Always save the raw data of each measurement,” said Chris Crooks, an associate at Booz Allen Hamilton. As capacity for detail improves, you’ll find uses for it, and keeping that data in a standard format makes data sharing across agencies possible.

You may want to avoid large, centralized databases of biometric information. Self-contained, individual fingerprint readers, for example, can verify identity and keep the biometric data out of the centralized database. Users also feel more comfortable knowing that their fingerprints aren’t in some massive repository. But losing a reader can be expensive and annoying.

And bear in mind that biometric technologies have limitations. Some portion of the population will always be physiologically unable to use certain modes. It’s not just that one-armed man, either: Approximately 4 percent of people can’t use fingerprint technology because of dry skin.

Psychological and political issues are no less important. “Most Europeans — and many Americans — are unwilling to entrust their fingerprints,” Crooks said. Others are squeamish about exposing their eyes to scanners, no matter how harmless they are. Even the chance of infection from a fingerprint scanner is objectionable to some people.

Biometric systems can also be costly and complicated to deploy. That makes it all the more important to work carefully with vendors. “Focus on the overall solution, not just the product or even the specific technology,” Berger said. “Stretch your goals. Ask for a lot from vendors: ideas and possibilities, not just products.”

Don’t forget about scalability. Depending on the intent of the biometric implementation, the number of people using it will probably grow, sometimes rapidly. For example, biometric-controlled access may be mandatory first for one group working on a network, then for another and another until all users must be enrolled. Your biometric solution should be scalable to handle increases in users and locations.

Finally, although standards for biometrics are just emerging, you should ensure that your solutions are based on existing standards and not dependent on a vendor’s proprietary technology. For one thing, using standards-based components permits a wider range of possible solutions and vendors for each component.

Furthermore, standards-based technology lets you upgrade more easily when newer, better, faster widgets come along — and they will. The field of biometrics is far from mature, and new modes and implementations come along each year. “Fingerprints are already being replaced by other modes,” Zekster said. Try to select a vendor with a reputation for keeping up with evolving standards.

Weighing the options
When comparing solutions, you’ll likely need to do some probing to get the information you need.

Suppose you want to know how fast a prospective biometric solution can handle people waiting for access. The vendor may quote the verification time for the reader, which is the elapsed time from the user presenting themselves at the device until identity verification. This is certainly part of the total time you’re looking for, but it’s not the whole story. What you need is the total time it takes for a person to use the device.

Depending on environmental conditions at your location, you may also need to look closely at each solution’s durability. Does your environment include abrasive sand, electrostatic shock, high or low temperatures, direct sun or radiation, chemicals, rain or snow, wind-driven grit, or other difficult circumstances? If so, make sure the mode and its implementation match the need.

Biometric solutions must also integrate with existing systems. Products that are interoperable will have a longer useful life and greater flexibility. Choose solutions that are independent of operating system and hardware. The ability to acquire hardware from one vendor and software from another can be crucial for creating best-of-breed solutions.

If you need to do special application development, a software development kit can simplify things. You may also require remote enrollment or management capabilities for facilities in multiple locations.

Finally, be aware that the biometrics business is pretty wild these days. Companies merge or acquire one another and sometimes go out of business entirely. This has its advantages: One company may offer many technologies. But there are also potential downsides. For example, long-term product support may be unpredictable and unstable. Working collaboratively with knowledgeable and imaginative systems integrators is vital in a technology that is so complex. Biometrics is one technology where government agencies have the advantage over businesses.

The government is by far the biggest customer for biometric security, so government agencies get to see the newest and best ideas first. “Government agencies have a moral responsibility to pioneer and shape biometric solutions,” Berger said. Use this advantage to create a biometric solution that’s perfect for your agency.

1 2 3 4 >> Next

More news on related topics: Communications / Networks, IT Security, Authentication / Identity Management, Enterprise Architecture, Software Applications



GCN Popup