Biometrics coming over the horizon

With the e-business world desperate for a better means of authenticating users, and the price of biometric devices rapidly falling, Graham Titterington is sure that the time for biometrics has come at last.

It is happening now
Biometrics has been a niche technology used by shadowy figures in a handful of very secure establishments - mainly to control access to sensitive locations. Biometric devices have been too expensive for normal business use, and there have always been doubts about their accuracy, not least because most bodily readings vary significantly over time. User resistance is easy to understand: no one likes having their bodies measured, having the personal data stored by third parties and, in some cases, having an unpleasant measurement experience.

However, the need for better identification and authentication of users of IT applications and systems won't go away, and this is particularly acute in e-business. The e-payments industry is spearheading the drive for better methods. There is a wide range of possible biometric technologies, and some are much less objectionable to the potential user base than others. Indeed, techniques such as fingerprint recognition are actually preferred to password-based approaches by most users in trial implementations.

The growing interest in biometric devices is triggering a dramatic fall in prices. There are now more than 150 companies supplying the market. While many are small niche providers, large companies (such as Sony and NCR) are manufacturing devices. Leading software companies (such as Microsoft and Oracle) are providing interfaces between biometric devices and their core products, enabling biometrics

"Biometric readers can be made to detect the use of dismembered limbs, or a live human acting under duress" Source: Ovum

to be used as an alternative method to login using a user ID and password. The International Biometrics Group (IBG) estimates that the biometrics industry will generate $1bn in revenues this year. For many of us, we are about to get our first experience of using a biometric device to gain access to an IT application.

Why does it matter?
Raising efficiency - Efficiency savings come at various levels. Some biometric identification methods, such as taking a fingerprint, are quicker than typing in identification information.

A substantial proportion of the help desk workload of many organisations is directly linked to users forgetting their passwords. Larger organisations can make real savings if it is possible to eliminate this category of calls.

It is not certain that biometric methods will give more reliable identification, as the outcome depends on what and how it is implemented and what is replaced.

However, efficiency savings will automatically accrue if it is possible to achieve better user authentication. For example, every fraudulent transaction requires large amounts of effort to investigate and unravel. Every mistaken identity causes the user frustration and wasted effort.

Reducing fraud - The reliability of biometric identification methods varies considerably, both between technologies and implementations of the same biometric technology. Most of the cheaper solutions, aimed at the mass IT system market, give results that improve on what is normally achieved by password-based or PIN-based systems. They are not as secure as digital certificates held on smart cards or as devices such as RSA Security's key fob (which generates a different PIN for a user every minute), if we ignore the risk of theft of these devices. However, most IT systems that control access by passwords or PINs could benefit by moving to biometrics.

Although passwords and PINs theoretically have a large range of values, and consequently a small chance of being guessed, most users have difficulty remembering them. They either choose something obvious (such as the name of a close relative, or a phone number), or write them down close to the device that they are supposed to protect.

"Good" system management practice, such as insisting that passwords are of a certain length and include both letters and numbers, only tend to make it harder to remember the passwords and cause them to be written down more often - totally defeating their purpose.

The way a help desk reacts to a call from a user claiming to have lost their password is also a potential vulnerability. Many organisations, keen to minimise the disruption to business processes, will simply react to the request by taking password protection off the user's account while the user logs in and sets a new password. This is often done over the phone without getting face-to-face verification of the user's identity, and is wide open to abuse. Thus the general level of security provided by passwords and PINs is much lower than their theoretical value.

Digital certificates held on the hard disk of a PC are vulnerable to hackers, and are only as secure as the mechanism protecting the PC from unauthorised use - which is often a password!

Leading technologies
Fingerprint recognition leads the field for adoption in mainstream business applications. Most products store a few metrics relating to fingerprints, rather than full images needing only 100 bytes to store a fingerprint - so it's very easy to store on a smart card or SIM card. This still gives a high uniqueness value, but is not good enough for very high-security applications, where full images are needed.

Fingerprints are constant for life, but readings can be affected by dirt or cuts.

Chips for reading fingerprints are small and cheap (as low as $30), and they can be built into almost any equipment: phones, keyboards, smart card readers, or standalone PC plug-ins.

Iris scanning is a very promising technology for applications where fingerprint recognition is not adequate. The iris is more complex and therefore more unique than a fingerprint. It is constant throughout life, from the age of one onwards. Each eye is different - so you could have a really secure system if you checked both eyes.

Voice authentication works by recognising characteristics of the human voice. It is promising as a low-to-medium-level identification technique that is particularly attractive for use with mobile phones, where the necessary hardware is already in place.

However, there are doubts about whether a standard telephone microphone is of an adequate quality to support voice recognition, and the reliability of the technique in noisy environments is not proven.

Hand geometry is a promising technology. The main drawbacks are that the equipment is relatively large, and there are potential problems for people with arthritis, or who have lost a lot of weight since their data was recorded.

Handwriting recognition uses a cheap pressure pad and electronic pen (costing about $20) that can double as an alternative to the mouse on a desktop PC. It compares the way in which the signature is written (speed, pressure, order and so on) as well as the topology of the finished signature. Because it monitors the process as well as the result of writing a signature, it is considerably more reliable (from both the 'false negative' and 'false positive' perspective) than manual signature verification, which has been the basis of business for centuries.

Other contenders
Retina scanning is losing favour, as it is intrusive (it involves shining a white light into the eye), and the retina varies quite a lot through the day, with tiredness and state of health.

Keystroke dynamics is cheap as no special hardware is required. However, little data about its reliability is currently available.

Facial recognition is mainly used for identifying suspects on surveillance camera film, such as football hooligans or shoplifters in stores. It clearly raises potential civil liberties issues, particularly when false positives are identified. It can be used to verify an individual's identity, but is not particularly reliable at this level, and is too big and expensive to be a serious contender for this role.

Facial thermograms work with infra-red emissions in the dark. They typically use 19,000 data points. They are claimed to be constant against age, but identification will fail if the subject is wearing glasses!

What about errors?
Biometric measurement is prone to errors in both directions:

• False positives that allow a wrong person access
• False negatives that deny a valid user access

In most cases, you can improve the error rate on one of these criteria by adjusting the sensitivity of the measurements, and at the price of accepting a worse error rate on the other criteria. The security of the system determines which way you should lean in setting the sensitivity of the devices. For example, most commercial organisations will select a low level of sensitivity to ensure that business is not obstructed and customers are not turned away. In return, they are prepared to accept a managed and predictable level of misuse and factor this cost into their business calculations. When comparing biometric products and technologies, it is normal to use the 'cross-over error rate', which is the error rate when you set the sensitivity to make both types of error equally probable.

Dual factor authentication
Access to systems with higher-than-average security requirements should be controlled by asking users for two things, selected from:

• Something they know (for example, a secret or password)
• Something they have (for example, a smart card)
• Something they are (a biometric).

It is more cost-effective to adopt two medium-strength measures than one super-strong measure, to give a similar overall level of security.

Loss of identification data
If a hacker can intercept the 'biometric signature' of a user on your chosen identification device, they can simulate the communications from the biometric device while making a genuine access attempt. Since the user's data comes from their body, they cannot simply change it - unlike a password. The user cannot be given a new identity, so has to be barred from future use of the system. Systems can be built to alleviate this problem, but this will substantially increase the cost of an off-the-shelf solution. The best defence is to encrypt the raw biometric measurement as soon as possible, and to transmit, use and store the encrypted value. Encryption keys can be changed relatively easily.

User resistance
Users can be reluctant to have their bodies measured, or to have these measurements stored outside their control. They may require reassurance about the use of this personal data. There might even be a conflict with data protection legislation, particularly if the data is not itself protected with the highest level of security.

Additionally, users may not be happy to have lights regularly shone into their eyes, or to have some other measurements taken. A successful biometrics implementation must recognise and satisfy user's personal concerns.

Unsuitable environments
Most biometrics can only be used in 'friendly' environments. Voice recognition doesn't work well where there is a high level of background noise. Fingerprint recognition doesn't work with dirty or wet hands, and can be confused by cuts.

Hand geometry requires a relatively large piece of equipment, and so is not suitable for mobile applications, and all biometric technologies have difficulties coping with individuals who lack the body part that they measure!

Don't read this while you are eating!
Opponents of biometrics are keen to highlight the equivalent of the theft of an identification device! The thought of desperate villains resorting to dismemberment of their victim or to coercing the victim to act under duress is horrific. However, these arguments show how successful biometrics is becoming.

Firstly, a method that can only be broken by such desperate means is clearly very secure! Secondly, biometric readers can be made to detect the use of dismembered limbs, or a live human acting under duress. The most common method of verification is the addition of a temperature sensor to the reader. The use of dual factor authentication also removes most of risk of this kind of crime.

What should you do?
Watch developments- Biometrics is an emerging technology that has the potential to revolutionise many aspects of e-business. It is not yet certain that it will, but you need to be alerted to business benefits that it might offer you.

Start a pilot project - A pilot project is the safest way of gaining expertise and of avoiding disruption to your business, resulting from the adoption of an inappropriate technology. It can also provide feedback on how comfortable your users feel, be they employees or customers - and how their reaction changes as they become more familiar with using the devices. Biometrics technology is now at the stage at which a pilot project is both practical and desirable.

Prepare your users gradually - People need time to adapt to new methods, particularly when they involve strange-looking equipment and novel forms of interaction. During the early stages of a pilot project, it may be worthwhile to provide parallel identification methods, so that users can migrate to the biometric one at their own pace. If the biometric method is perceived as offering user benefit, many users will switch voluntarily when they see their peers' satisfaction levels.