This story was printed from ZDNet Australia.
Biometric security measures up to smartcard, PIN
By Murdoch Mactaggart
February 13, 2001
URL: http://www.zdnet.com.au/news/security/soa/Biometric-security-measures-up-to-smartcard-PIN/0,130061744,120157067,00.htm
Biometric security tools are easier to use, more accurate and cheaper than ever before. As a result they are being used to control network, laptop and remote access.

The problem of permitting remote access to systems is a perennial one for IT managers, made more troublesome by the need to identify partners or customers for e-business. There are many systems that promise to identify particular groups or individuals, and security experts divide them into three types. These types are those that check for something that a valid user must possess, such as a key or a card; those that check for something that the user should know, such as a password or PIN; and those that check for something that the user is, by inspecting a biometric factor such as a fingerprint or voice sample.

Many security systems combine the first two methods - for example, a cash machine requires both a card and a PIN. On the Internet, cookies can be used as a substitute for a card but, in general, the difficulty of issuing secure tokens means that online authentication often rests on only one of the three classes - something that the user knows, typically a password.

Passwords and signatures

E-business software may implement highly secure encryption and digital signatures to prevent eavesdropping and guarantee integrity, but in a password-controlled situation, these are effective only as long as the password remains secret. The password is usually the weakest point in the system.

For this reason, it is not wise to blithely assume that a digital signature guarantees that a document has been signed by a particular person. The signature actually connects the document to a digital key. What matters is who can gain access to the key.

This chain of reasoning has led many organisations to consider biometric security. Biometrics allow security systems to use two of the three classes of authentication without the troublesome need to issue a physical token.
Alternatively, biometric authentication may be used with a smartcard capable of storing biometric data. This approach can protect the card itself from misuse or forgery. Clearly this type of system is only as secure as the information held on the smartcard, and so biometric data and other information stored on the card is normally encrypted to prevent copying or forgery. Similarly, copies of biometric data stored on the user's PC must be held in an encrypted form, to prevent snooping by unauthorised software.

Suppliers of biometric technology include Veridicom, which recently launched a fingerprint sensor that is compact enough for use with PC Cards and mobile phones - future versions of the product may be thin enough to be built into smartcards.

Keyware, another specialist in biometric technologies, has teamed up with Sony to incorporate its Biometric Screensaver into Sony's CMR-PC1 USB notebook camera kit. Biometric Screensaver is designed to be used as an alternative to PIN- or password-based security. The system unlocks the notebook after checking both the user's facial features and a spoken password. The firm has also developed a smartcard that stores the user's fingerprint, allowing verification through a fingerprint reader.

Face recognition

Within enterprise IT systems, the most common use of biometrics is to verify that an individual is who they claim to be. In contrast, law enforcement agencies use biometric systems to identify suspects from fingerprints, or perhaps to search for a particular face in a crowd.

Face recognition is currently used to spot known hooligans at football matches. However, the process is difficult, time-consuming and prone to error. Once the suspect's image has been captured, it is necessary to compare it with many stored images. Depending on how the search criteria have been set, this could result in hundreds or even thousands of possible matches, which then need to be filtered according to other factors.
Identification ultimately depends on refining the possible matches until a reasonable number is reached - a process inherently filled with compromise.

Face-recognition specialist Neurodynamics says that its system is fast, accurate and allows for facial changes. But the statement itself identifies one of the biggest problems with biometrics - unlike passwords, biometrics are inherently vague. Faces can change with age, or through the appearance of blemishes and beards. Similarly, fingerprint identification can be complicated by the presence of grease, dirt or earlier prints on the scanning device.

In practice a biometric scan, sometimes called a live template, will rarely match the stored template exactly, and so a balance needs to be set between the level of false acceptances and the level of false rejections. A high level of false acceptance increases the risk of a security breach, while a high level of false rejections will increase support costs and annoy users. The balance will vary depending on the application.

Palm prints, like faces, change gradually over time. However, palm-print recognition is non-intrusive and relatively easy to perform. The US immigration service finds it acceptable to use hand scanning to allow rapid entry for frequent travellers at some airports. By contrast, retinal scans are intrusive and will tend to meet substantial user resistance. Iris scanning is much less intrusive and generally gives very high rates of accuracy - iris patterns are thought to remain constant throughout life and are unique to each individual.

Many other biometric measures exist, ranging from voice recognition to written-signature verification. Signing by hand is a very familiar authenticating action, and where the process involves measuring speed, hesitations and pressures - rather than simply matching the visible pattern of the signature - results can be very good. Each type of biometric authentication system is well suited to particular applications.
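The balance between false acceptances and false rejections described above can be worked through numerically. The following is an added example, not part of the original article: the similarity scores are constructed, and the 0.0-1.0 scale and function names are assumptions for illustration.

```python
# Constructed similarity scores (0.0-1.0) between a live template and the
# stored template. Illustrative values only, not measured data.
GENUINE = [0.91, 0.84, 0.77, 0.95, 0.69, 0.88, 0.58, 0.93, 0.81, 0.74]
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.72, 0.18, 0.41, 0.55]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when scores >= threshold are accepted."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(step=0.05):
    """Tabulate (threshold, FAR, FRR) across the whole score range."""
    n = int(round(1 / step))
    return [(round(i * step, 2), *rates(round(i * step, 2))) for i in range(n + 1)]


def lowest_threshold_for(max_far, step=0.05):
    """Lowest (least annoying) threshold whose FAR stays within max_far."""
    for threshold, far, frr in sweep(step):
        if far <= max_far:
            return threshold, far, frr
    return None  # no threshold on this grid meets the target


def equal_error_point(step=0.05):
    """Threshold where FAR and FRR are closest (approximate equal error rate)."""
    return min(sweep(step), key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    for t, far, frr in sweep(0.1):
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    # A high-security door tolerates no false accepts and pays in rejections;
    # a convenience login accepts some risk to cut support calls.
    print("strict  (FAR = 0%):  ", lowest_threshold_for(0.0))
    print("lenient (FAR <= 10%):", lowest_threshold_for(0.10))
    print("equal error point:   ", equal_error_point())
```

With these constructed scores, demanding zero false acceptances pushes the threshold to 0.75 and rejects 30% of genuine attempts, while tolerating 10% false acceptances drops rejections to 10%.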
Now that the cost of biometric hardware is falling, manufacturers of PCs and peripheral devices are increasingly integrating biometric scanners into mice, laptops and other hardware. For example, Acer and NEC both make laptops with built-in finger scanners. Encryption technologies are vital to protect biometric information from fraudulent use. The most attractive products and systems for corporates are therefore likely to be those that combine biometric identification with encryption to protect biometric data.
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.