Better
technology for less Almost
a decade old, the Australian-developed FingerScan access control system was among
the first commercially viable biometric systems and has since grown into a sizeable
business after parent company Fujitsu spun off the technology and sold it to US
vendor Identix in 1996. However, these days the size of the original FingerScan
(as big as a microwave oven) is testament to just how far the technology has come.
Today, fingerprint
scanners have been reduced to a simple combination of a microchip and sensor that
is popping up all over the place. SecuGen's $350 EyeD Mouse II, for example, incorporates
a fingerprint scanner on the side. Irish company Phoenix Peripheral Solutions
offers its $460 Phoenix 5000 keyboard with a built-in Veridicom fingerprint scanner.
As biometric-enabled
equipment closes the price gap with its conventional security technology, every
PC-acquiring corporation should consider paying a little more for the tight security
fingerprint scanning provides. Bulk pricing, in particular, can bring down costs
to a few hundred dollars or less per seat, and this should continue to decline.
The low
cost of today's technology was a crucial factor in investment bank ABN Amro's
decision to begin pilot-testing fingerprint-based user authentication in its Australian
offices. "The
main driver was as a password replacement for access to all of our desktop PCs,"
explains Geoff Wilson, head of information risk management at ABN Amro. "Fifteen
per cent of our helpdesk calls are for password resets. This ties up helpdesk
staff who could be looking at more important issues. It's expensive to have a
dealer sitting around waiting for his password to be updated." Six
months later, the Veridicom scanners have impressed Wilson so much that he eventually
wants to use them to replace most passwords for all 800 employees across Australia
and New Zealand. The company recently began to trial the Phoenix 5000 keyboard,
and Wilson sees the biometric technology paying for itself well within a year.
"There's
been no downside," he says. "It's improved security a hundred-fold, and it's so
easy to use that it just disappears into the background after a week of using
it. It's a big step, but the technology is there now, and it's something that
is not expensive or space-age. Cost is not an issue, since five minutes [of waiting]
to the dealers is going to cost more than $100, and people here might have eight
different passwords at eight different systems. If we can get rid of five of the
main ones, I'd take that as a big win." It's
not just about fingerprints It's
no surprise that fingerprint scanning has attracted the most investment from biometric
vendors. Indeed, the low price and non-intrusive nature of fingerprint recognition
make it the best hope for biometrics to gain the corporate acceptance it needs.
However,
fingerprints aren't the only body characteristic that can be used to control system
access; there are many equally reliable technologies that measure other characteristics
unique to a person. Miros Vision's TrueFace and Visionics' FaceIt, for example,
establish identity based on characteristics of the face. This technology is appealing
because it is mainly software-driven and, therefore, relatively cheap and can
operate on any sort of live digital image. It's even being used by UK police to
scan live surveillance feeds for wanted persons passing any of the 144 video cameras
located around Newham, East London. Another
mature technology is retina and iris recognition, which provide what is generally
accepted to be totally secure authentication by using a video sensor to measure
the geometry of these features. While early eye scanners were quite bulky and
slow, considerable R&D from IriScan (which develops and licenses iris scanning
technology) and Eyedentify (which develops and licenses retina scanning) have
made today's devices far easier to use and less expensive. Sensar's SecureCam,
for one, provides iris recognition in a palm-size device that also acts as a videoconferencing
camera. Eye
scanning technology is highly accurate and easy to use, which has won it particular
favour as a method of authenticating customers in high-volume transactional environments
such as ATMs, airline ticketing, mass transit admission, and as a replacement
for tickets to sporting events. Users just position their eye a few centimetres
in front of the device and a pulse of light does all the measuring instantly.
However, these scanners still cost several thousand dollars each, making them
impractical for use in large numbers. While many users are still uncomfortable
with the idea of putting their eye so close to the sensor, the scanning process
actually uses a soft flash of light that is far from invasive. Another
option for biometric authentication is voiceprint recognition from companies such
as Configate, Motorola, T-NETIX, Veritel, VeriVoice and WonderNet, where the user
says a particular phrase, which is recorded and compared to an archived pattern.
The fact that voice recognition can be easily implemented in software has kept
its price low. Since
the microphone it requires is a standard feature of every new PC, setting up and
running voiceprint matching can be a good way of introducing biometric concepts
into an enterprise environment. However, the technology's notorious fussiness
it can have trouble recognising people whose voices change due to afflictions
such as laryngitis or dryness will limit its long-term popularity, despite its
low price. Identifying
users by the shape of their hands is also possible using scanners from companies
such as Digi-2, MicroID and Recognition Systems. While these scanners need to
be bulky and are, therefore, unwieldy for broad use, their non-intrusiveness has
made them popular. According to IBG, hand geometry scanners accounted for 26%
of worldwide biometrics revenues last year. Also in embryonic stage is vein scanning,
which uses light to trace the unique pattern of veins in the user's hand. Although
these alternatives to fingerprint scanning are technically possible, most are
still too expensive for widespread corporate use. Expect them to appear in limited
deployment for applications such as the prototype intelligent door from US-based
Advanced Biometrics, whose Live-Grip Access Technology incorporates an infrared
sensor into the handle. When a person grabs the handle to open the door, the sensor
instantly maps their vein pattern, compares it to a database of authorised users,
and grants or denies access fast enough not to break the person's stride. In
the area of face recognition, a group of US government agencies, including the
department of defence Counterdrug Technology Development Program Office and the
National Institute of Justice, is sponsoring a trial of off-the-shelf face recognition
products. The products will be tested under two categories: recognition performance
tests and product usability tests. The sponsors anticipate that the results will
be released in June. Five vendors will take part including Miros, Visionics, C-VIS
Computer Vision and Automation, LAU Technologies and Banquetec. For information
see http://www.dodcounterdrug.com/FacialRecognition.
Keeping
remote users under the thumb Given
that the technology you're most likely to consider will be fingerprint scanning,
the biggest challenge to implementation is developing a clear business case for
the technology and deciding where it's best applied. The ease with which fingerprint
scanners can be used means they can generally be used as a replacement for user
ID and password access control for both local and remote users and they can
be introduced in a far more granular way that allows locks to be placed on specific
files, database records and network resources. Virtually
any corporate document or application, and even individual web pages or areas
of web sites, can be secured so that only authorised personnel can access sensitive
files. Biometrics can also be used to create and maintain an ongoing log file
showing which employees have accessed a particular company resource, data file
or physical location, and when. Dr
Raymond Li, senior lecturer at Monash University's School of Business Systems,
believes fingerprint scanning will solve the long-running problems that every
university has faced when conducting distance education classes administering
exams in faraway places, making sure that remote students are taking the exams
and doing it by themselves. Li
envisions a Precise Biometrics 100 fingerprint scanner at a library near the test-taker.
The smartcard-based unit will require students to enter a student ID smartcard,
which will also contain the code generated when they scanned their finger at enrolment.
This card will have to be inserted during the test, but the testing software will
also ask the student to put their finger on the scanner at random intervals. "Just-in-time,
flexible, lifelong learning is a big thing, and a lot of universities are turning
into virtual universities," he says. "We can have flexible course delivery and
just-in-time delivery, but we cannot evaluate the learning outcome. But hopefully
by the end of the year this will be happening, and because we're using a smartcard
it could also be used for charging people [for courses and tests]. The technology
is there, everything is there; we just have to put them together." Getting
yourself biometric Integrating
biometric scanners into corporate environments has become far less difficult than
it used to be. Every vendor now supplies a development kit which documents the
APIs that are necessary to interact with their device, while third-party software
such as SAFlink Corporation's SAF2000 Multi-Biometric Enterprise Security Software
Suite provides prefabricated shells that add biometric functionality to the standard
user ID and password interfaces of Windows NT, NetWare, Microsoft Internet Information
Server and CA's Unicenter TNG environments. SAF2000 also includes custom application
interfaces that can be added to in-house application. Because
biometric authentication shells don't typically eliminate the password prompt
in NT Workstation and other platforms, it's possible to install the shells as
part of a standard operating environment and add biometric technology in waves.
Using SAF2000, which is the closest industry standard biometric interface, a sensible
approach might be to implement voice authentication for everyone first and then
add fingerprint scanners either standalone or embedded in mouses or keyboards
as time and budgets allow. As
the technology becomes pervasive, users will quickly become used to it and will
most likely appreciate its benefits one of which is that they no longer need
to remember various passwords. As formerly space age biometric technology is demystified
through everyday contact, enterprises will find their users rapidly moving beyond
the hesitancy that Forrester predicted would hinder the adoption of biometrics.
"The issue
in the past has been one where people think 'I'm putting my finger on something
and I'm losing my privacy'," says Dr Hadrian Fraval, managing director of Melbourne-based
Rofin Australia, which signed an agreement in January with the Victorian Police
department to develop new markets for its biometric and optical-based forensic
technology. "Actually,
it's enhanced their privacy," Fraval continues. "We're talking about people walking
around with their PIN on their finger, and all the software does is use your unique
fingerprint, iris shape or voice to create a number. The fingerprint is not recorded
or stored, but it enables them to keep their privacy. It's the only way that you
can actually trace [access to individual files], since everything's logged and
you can trace entries in a log file." Local
smartcard and biometric firm Banquetec is currently working on a system that stores
the fingerprint template on a smartcard rather than a corporate database. Keith
Jebb, software director at Banquetec, says users particularly Australians
are much happier with this method. "It takes away some of the 'Big Brother' connotations,"
Jebb said. As
secure, biometric-enabled data storage and access tracking become the rule of
the day, companies will be able to expand coverage of the technology to their
business partners, a move that will help facilitate e-business by removing any
questions about the identities of transaction originators in collaborative extranet
environments. Meanwhile, as the real story about biometrics quickly spreads, today's
early adopters will have earned a leg up on their competitors by having resolved
their security problems once and for all. |