For technology that works so well and makes so much business sense, it seems ironic that biometrics has had such a hard time establishing itself within corporate information strategies -- particularly given that analysts such as META Group have identified the movement away from password-based security as a strategic imperative.
The reasons for this reluctance are far from straightforward. It is clear, however, that one key issue is that of confidence in biometrics: despite overall strong performance, confidence has been rattled by sporadic research findings such as the infamous "gummy finger" method of beating fingerprint scanners, in which latent fingerprints are lifted from everyday objects and used to generate a faux finger for identification.
Biometrics vendors have guarded against such fraud by adding, for example, sensors that detect the flow of blood through a finger. Yet claims that any security technology can be surmounted can be fundamentally damaging, particularly when the technology is being pitched at critical levels. Faced with the prospect of unknown risk from biometrics, versus the known but expensive cost of passwords, most companies have opted to bite the bullet and wear the cost of password systems.
Such delays can be partly attributed to established perception of biometric technology: years ago, analysts tied the success of biometrics to that of related technologies such as smartcards and PKI, which they believed would be used to secure the biometric signatures to which scanned images would be compared. With PKI and smartcards now little more than a footnote to the story of enterprise security, however, biometrics has suffered by association.
"There are a lot of organisations lining up to use biometrics, but at the moment they're very carefully analysing the cost effectiveness, functionality and pricing of the products," says Terry Aulich, a former state minister and privacy advocate who now acts as project manager and strategic advisor with local biometrics centre of excellence the Biometrics Institute. "The industry is poised to take off as clients examine their needs, but I think it's generally following the same pattern as the rest of the industry: people are taking a more realistic view."
Another major setback, and a problem that has always plagued biometrics, is user perception. IT managers may appreciate the benefits of fingerprint scanning technology, but many users would still prefer to struggle with passwords for identification no matter how much easier it is to use their fingers.
Inherent mistrust of biometric technology has unclear roots, since debates about misuse of biometric identifiers are still speculative. "It's just a cultural thing," says Aulich. "To some extent, biometrics such as fingerprints have been associated with criminal control, and this sits there on people's minds."
Paired with intrinsic mistrust of any government initiative seen as trying to harvest too much personal information, biometrics may seem doomed. Discussions about potential use of biometric identifiers within passports -- a conclusion that now seems inevitable given the US Government's hard-line stance on biometric-laced passports -- have created a spectre of privacy concerns that has further shrouded any useful discussions about the technology.
Whether or not the use of biometrics leads to privacy breaches is irrelevant; users' negative perceptions of the technology could well lead to a rebellion in companies that tried to introduce it, even though it would theoretically be well within a company's right to mandate biometric systems access just as password-based access is now mandatory.
"There's an element of change management to it," says Ted Dunstone, CEO of biometrics integrator Biometix, who recommends companies take a slow-and-steady approach to biometrics that varies from biometrics-only authentication for general-use applications, to a layered approach for more sensitive applications.
"If you go in there and insist that people use the technology, there's a built-in resentment towards it. In introducing this into a workforce, you wouldn't want to make it compulsory; you would find there would be enough buzz generated by its use, just by making it easier for users than having to type in their passwords."
Companies may find that certain types of biometrics are more acceptable than others; generally, the less intrusive the technology, the more likely it will be acceptable to users. For this reason, speech recognition vendors are enjoying some success in adding voice pattern-based authentication to existing speech recognition applications, such as the call centre systems used for flight bookings and other phone interactions.
Since everyday use of the phone and the network for carrying a voice is already ubiquitous, voice verification technology may well be the least intrusive form of biometrics out there -- and it can be invaluable for organisations that need to verify the identity of remote workers or customers over the phone.
"The applications for voice biometrics actually become quite self-evident," says Clive Summerfield, a speech systems expert who founded and sold Syrinx Speech Systems to move into biometrics through his current venture 3sh.
"Having call centre operators ask callers for personal information is time-consuming, frustrating for consumers, and it's a big security hole because call centre agents have been known to use that information for personal gain," Summerfield says.
"With voice biometrics, you can implement a two-factor authentication system that uses both an aspect of something you know -- such as your name or address -- and your voice characteristic. You're not only doubling up the factors of the authentication credential, but you have the telephone network out there so it's readily accessible."
Introduction of other biometric technologies, however, is hard to accomplish without specific user assent. Recognising this fact, Biometrics Institute member organisations have been working on a formal code of practice for the collection and use of biometric information within various organisations.
Currently before the federal Privacy Commissioner for assessment against the requirements of the Commonwealth Privacy Act, the introduction of the code -- hoped to be in place by midyear -- will provide a more coherent policy target for companies interested in introducing biometrics, whether for identification of employees or customers.
A carefully managed logo program will allow organisations to certify their compliance with the code of practice, a move that Aulich hopes will encourage companies to consider biometric technologies in the long term. "A lot of organisations need to try harder to make sure they systematically assess the privacy implications of new technologies and procedures they bring in, and new services they offer," he says.
"Currently, there really isn't a benchmark for biometrics, and I think the code of practice will make companies, the general public, and government agencies more comfortable with biometrics. It will give them a benchmark to work against, and procedures that will help them systematically assess whether they have covered privacy adequately."





