Home
Article
Products
Contact Us
Biometric Links

 

Biometrics: Your body is your password
Original article By David Braue

 

As the spectre of Y2K fades and corporate IT strategists resume the process of upgrading infrastructure and enabling e-business, the challenge of maintaining security in increasingly widely distributed environments has become important, and given that the increasing mobility of the workforce means you can't be sure who's really at the other end of the network link, it's clear that simple user ID and password logons are no longer sufficient. In addition, some high-speed internet connections such as broadband internet may not be a solution against online security breach.

In the past, the issue has often been resolved through the adoption of handheld hardware tokens that provide a one-off, time-limited code to the login procedure. However, these tokens are also one more thing users can lose. Sensing an opportunity to simplify access even further, biometrics vendors are pushing down prices and kicking off corporate trials intended to make their products the next major standard for user authentication in corporate IT environments.

US-based research firm International Biometric Group predicts that the world-wide biometric market will grow from $US58.4 million in 1999 to $US594 million by 2003. To achieve this growth, however, vendors will need to overcome a number of obstacles; most importantly, corporate awareness of the technology's advancement. Analyst firm Forrester Research recently reported a glum future for biometrics in a survey of 50 Global 2500 companies. At the time of the survey, none of the respondents were using biometrics, and a meagre 4% and 2% expected they would be using biometrics to authenticate users and business partners respectively, within two years.

Forrester predicts that the technology will ultimately bomb due to long-held beliefs that it is expensive and unwieldy. The lingering perception that biometrics is invasive technology which compromises privacy compounds the problem. These fears have been fuelled by privacy lobbyists fighting the technology's use in governmental identification schemes. Yet within relatively closed corporate environments, rapidly dropping costs and improved integration have made today's biometrics an extremely practical, inexpensive and transparent method of user authentication.

Put your finger on it

The modern science of using the body to verify a person's identity dates back to 1882, when Frenchman Alphonse Bertillion proposed a forensic system of identifying people based on the size of their bodies, heads and limbs. This system quickly lost favour, however, to an alternative method of fingerprint analysis (dactyloscopy) that was described in the late 1800s by English scientist Sir Francis Galton and adopted by Scotland Yard in 1901 after being formally developed by Sir Edward Henry.

Police across the world use fingerprints to identify individuals in crime scenes using techniques based on the "Henry system", which classifies each fingerprint in terms of its arches, loops, whorls, composite style prints, and the location of certain fixed points and ridges. The US FBI uses a similar system that recognises eight key fingerprint characteristics the radial loop, ulnar loop, double loop, central pocket loop, plain arch, tented arch, plain whorl and accidental. Nearly a century later, dactyloscopy's enduring power as an investigative technique has made it a favourite of biometric vendors seeking to use the unique characteristics of every fingerprint as a method for authenticating users.

Similar to the classification methods used in contemporary policing, fingerprint recognition systems analyse a scanned image of the fingerprint to pick out key features. The positioning of the features is fed into a vendor-specific algorithm that spits out a unique code, which is typically a full kilobyte long. This code is encrypted and stored on a secure user authentication server and may also be loaded onto a smartcard in card-based environments.

Early fingerprint scanners were compromised by reports that unscrupulous people were drugging users and making plaster or silicone moulds of their fingerprints, or even cutting the finger off, to trick the system. It's debatable whether or not this actually happened, but numerous tests proved it was possible and drove a new generation of devices which ensure the finger is attached to a living, breathing person. This is done either by checking that the finger has a pulse, or by using "capacitant" scanning technology, which measures the electrical voltage flowing through the body.

Automa Biometric Solutions did a sucessful installation of their main product U.are.U at Edith Cowan University which got some attention in the local computer press.

Automa are a company specialising in fingerscan biometrics for computer and network security, time and attendance applications and access control. They use state of the art products from world leading suppliers such as DigitalPersona and Count Me In to give you advanced yet robust biometric solutions. They supply off-the-shelf systems or help you create a customised system that is tailored to your needs.

Their three main product lines are our IT Security products, Time and Attendance and Access Control products. Some more of their suppliers include and Visionics and National Instruments. They also provide Technical Services such as programming and system design and installation. They are located in Sydney, Australia.

 

 
 

Better technology for less

Almost a decade old, the Australian-developed FingerScan access control system was among the first commercially viable biometric systems and has since grown into a sizeable business after parent company Fujitsu spun off the technology and sold it to US vendor Identix in 1996. However, these days the size of the original FingerScan (as big as a microwave oven) is testament to just how far the technology has come.

Today, fingerprint scanners have been reduced to a simple combination of a microchip and sensor that is popping up all over the place. SecuGen's $350 EyeD Mouse II, for example, incorporates a fingerprint scanner on the side. Irish company Phoenix Peripheral Solutions offers its $460 Phoenix 5000 keyboard with a built-in Veridicom fingerprint scanner.

As biometric-enabled equipment closes the price gap with its conventional security technology, every PC-acquiring corporation should consider paying a little more for the tight security fingerprint scanning provides. Bulk pricing, in particular, can bring down costs to a few hundred dollars or less per seat, and this should continue to decline.

The low cost of today's technology was a crucial factor in investment bank ABN Amro's decision to begin pilot-testing fingerprint-based user authentication in its Australian offices.

"The main driver was as a password replacement for access to all of our desktop PCs," explains Geoff Wilson, head of information risk management at ABN Amro. "Fifteen per cent of our helpdesk calls are for password resets. This ties up helpdesk staff who could be looking at more important issues. It's expensive to have a dealer sitting around waiting for his password to be updated."

Six months later, the Veridicom scanners have impressed Wilson so much that he eventually wants to use them to replace most passwords for all 800 employees across Australia and New Zealand. The company recently began to trial the Phoenix 5000 keyboard, and Wilson sees the biometric technology paying for itself well within a year.

"There's been no downside," he says. "It's improved security a hundred-fold, and it's so easy to use that it just disappears into the background after a week of using it. It's a big step, but the technology is there now, and it's something that is not expensive or space-age. Cost is not an issue, since five minutes [of waiting] to the dealers is going to cost more than $100, and people here might have eight different passwords at eight different systems. If we can get rid of five of the main ones, I'd take that as a big win."

It's not just about fingerprints

It's no surprise that fingerprint scanning has attracted the most investment from biometric vendors. Indeed, the low price and non-intrusive nature of fingerprint recognition make it the best hope for biometrics to gain the corporate acceptance it needs.

However, fingerprints aren't the only body characteristic that can be used to control system access; there are many equally reliable technologies that measure other characteristics unique to a person. Miros Vision's TrueFace and Visionics' FaceIt, for example, establish identity based on characteristics of the face. This technology is appealing because it is mainly software-driven and, therefore, relatively cheap and can operate on any sort of live digital image. It's even being used by UK police to scan live surveillance feeds for wanted persons passing any of the 144 video cameras located around Newham, East London.

Another mature technology is retina and iris recognition, which provide what is generally accepted to be totally secure authentication by using a video sensor to measure the geometry of these features. While early eye scanners were quite bulky and slow, considerable R&D from IriScan (which develops and licenses iris scanning technology) and Eyedentify (which develops and licenses retina scanning) have made today's devices far easier to use and less expensive. Sensar's SecureCam, for one, provides iris recognition in a palm-size device that also acts as a videoconferencing camera.

Eye scanning technology is highly accurate and easy to use, which has won it particular favour as a method of authenticating customers in high-volume transactional environments such as ATMs, airline ticketing, mass transit admission, and as a replacement for tickets to sporting events. Users just position their eye a few centimetres in front of the device and a pulse of light does all the measuring instantly. However, these scanners still cost several thousand dollars each, making them impractical for use in large numbers. While many users are still uncomfortable with the idea of putting their eye so close to the sensor, the scanning process actually uses a soft flash of light that is far from invasive.

Another option for biometric authentication is voiceprint recognition from companies such as Configate, Motorola, T-NETIX, Veritel, VeriVoice and WonderNet, where the user says a particular phrase, which is recorded and compared to an archived pattern. The fact that voice recognition can be easily implemented in software has kept its price low.

Since the microphone it requires is a standard feature of every new PC, setting up and running voiceprint matching can be a good way of introducing biometric concepts into an enterprise environment. However, the technology's notorious fussiness it can have trouble recognising people whose voices change due to afflictions such as laryngitis or dryness will limit its long-term popularity, despite its low price.

Identifying users by the shape of their hands is also possible using scanners from companies such as Digi-2, MicroID and Recognition Systems. While these scanners need to be bulky and are, therefore, unwieldy for broad use, their non-intrusiveness has made them popular. According to IBG, hand geometry scanners accounted for 26% of worldwide biometrics revenues last year. Also in embryonic stage is vein scanning, which uses light to trace the unique pattern of veins in the user's hand.

Although these alternatives to fingerprint scanning are technically possible, most are still too expensive for widespread corporate use. Expect them to appear in limited deployment for applications such as the prototype intelligent door from US-based Advanced Biometrics, whose Live-Grip Access Technology incorporates an infrared sensor into the handle. When a person grabs the handle to open the door, the sensor instantly maps their vein pattern, compares it to a database of authorised users, and grants or denies access fast enough not to break the person's stride.

In the area of face recognition, a group of US government agencies, including the department of defence Counterdrug Technology Development Program Office and the National Institute of Justice, is sponsoring a trial of off-the-shelf face recognition products. The products will be tested under two categories: recognition performance tests and product usability tests. The sponsors anticipate that the results will be released in June. Five vendors will take part including Miros, Visionics, C-VIS Computer Vision and Automation, LAU Technologies and Banquetec. For information see http://www.dodcounterdrug.com/FacialRecognition.

Keeping remote users under the thumb

Given that the technology you're most likely to consider will be fingerprint scanning, the biggest challenge to implementation is developing a clear business case for the technology and deciding where it's best applied. The ease with which fingerprint scanners can be used means they can generally be used as a replacement for user ID and password access control for both local and remote users and they can be introduced in a far more granular way that allows locks to be placed on specific files, database records and network resources.

Virtually any corporate document or application, and even individual web pages or areas of web sites, can be secured so that only authorised personnel can access sensitive files. Biometrics can also be used to create and maintain an ongoing log file showing which employees have accessed a particular company resource, data file or physical location, and when.

Dr Raymond Li, senior lecturer at Monash University's School of Business Systems, believes fingerprint scanning will solve the long-running problems that every university has faced when conducting distance education classes administering exams in faraway places, making sure that remote students are taking the exams and doing it by themselves.

Li envisions a Precise Biometrics 100 fingerprint scanner at a library near the test-taker. The smartcard-based unit will require students to enter a student ID smartcard, which will also contain the code generated when they scanned their finger at enrolment. This card will have to be inserted during the test, but the testing software will also ask the student to put their finger on the scanner at random intervals.

"Just-in-time, flexible, lifelong learning is a big thing, and a lot of universities are turning into virtual universities," he says. "We can have flexible course delivery and just-in-time delivery, but we cannot evaluate the learning outcome. But hopefully by the end of the year this will be happening, and because we're using a smartcard it could also be used for charging people [for courses and tests]. The technology is there, everything is there; we just have to put them together."

Getting yourself biometric

Integrating biometric scanners into corporate environments has become far less difficult than it used to be. Every vendor now supplies a development kit which documents the APIs that are necessary to interact with their device, while third-party software such as SAFlink Corporation's SAF2000 Multi-Biometric Enterprise Security Software Suite provides prefabricated shells that add biometric functionality to the standard user ID and password interfaces of Windows NT, NetWare, Microsoft Internet Information Server and CA's Unicenter TNG environments. SAF2000 also includes custom application interfaces that can be added to in-house application.

Because biometric authentication shells don't typically eliminate the password prompt in NT Workstation and other platforms, it's possible to install the shells as part of a standard operating environment and add biometric technology in waves. Using SAF2000, which is the closest industry standard biometric interface, a sensible approach might be to implement voice authentication for everyone first and then add fingerprint scanners either standalone or embedded in mouses or keyboards as time and budgets allow.

As the technology becomes pervasive, users will quickly become used to it and will most likely appreciate its benefits one of which is that they no longer need to remember various passwords. As formerly space age biometric technology is demystified through everyday contact, enterprises will find their users rapidly moving beyond the hesitancy that Forrester predicted would hinder the adoption of biometrics.

"The issue in the past has been one where people think 'I'm putting my finger on something and I'm losing my privacy'," says Dr Hadrian Fraval, managing director of Melbourne-based Rofin Australia, which signed an agreement in January with the Victorian Police department to develop new markets for its biometric and optical-based forensic technology.

"Actually, it's enhanced their privacy," Fraval continues. "We're talking about people walking around with their PIN on their finger, and all the software does is use your unique fingerprint, iris shape or voice to create a number. The fingerprint is not recorded or stored, but it enables them to keep their privacy. It's the only way that you can actually trace [access to individual files], since everything's logged and you can trace entries in a log file."

Local smartcard and biometric firm Banquetec is currently working on a system that stores the fingerprint template on a smartcard rather than a corporate database. Keith Jebb, software director at Banquetec, says users particularly Australians are much happier with this method. "It takes away some of the 'Big Brother' connotations," Jebb said.

As secure, biometric-enabled data storage and access tracking become the rule of the day, companies will be able to expand coverage of the technology to their business partners, a move that will help facilitate e-business by removing any questions about the identities of transaction originators in collaborative extranet environments. Meanwhile, as the real story about biometrics quickly spreads, today's early adopters will have earned a leg up on their competitors by having resolved their security problems once and for all.

 

If you are interested in receiving updates on the Australian Biometrics industry, or information on seminars, please enter your details below:

 

Full Name
E-mail

Press once to submit form

We respect your privacy, and will only use your e-mail address for giving you information on the Biometrics industry.