This story was printed from ZDNet Australia.
Biometrics special: Who are you?

By Stephen Withers
July 05, 2002
URL: http://www.zdnet.com.au/news/security/soa/Biometrics-special-Who-are-you-/0,130061744,120266478,00.htm

Forgotten your password again? Read on to find out how you’ll be logging on, checking in, and signing off in the very near future.

The technologies have been available for some time, and the ideas even longer, but interest in biometrics has picked up a great deal during the last six months.

According to Andrew Lysikatos, VP of operations and marketing at managed security services provider Zento, the greatest interest in Australia comes from Government and the 50 largest companies. They are past the initial scepticism and accept biometrics as something that should be considered. There are “some excellent people in government and defence who know this stuff really well,” he says. Although there have been some small deployments of biometrics in Australia, they have not been publicly visible or publicised, Lysikatos says. Instead, they have involved access to specific buildings or systems, and are mainly about seeing how biometrics fits in with other technologies.

The technologies

Biometric identification requires stable body measurements that are—in combination—essentially unique for each individual. Another requirement is that the measurements can be made quickly and as non-intrusively as possible. It is also important that these measurements or patterns can be reduced to a small amount of data—a template—to allow either storage in simple devices such as smart cards or rapid transmission where the measurements are matched with a remotely stored template that was created at the time of enrolment.

Regardless of the sensing technology used, a key part of the process is the conversion of the raw data into a template in a way that maintains the person’s uniqueness (to prevent false matching) yet which is not sensitive to minor changes such as a cut on a fingertip, a new hairstyle or spectacles, or a sore throat.

Biometrics can be used in two ways: identification and verification. Identification is a one-to-many search of the database of all enrolled templates to find out who the person is; verification is a one-to-one comparison of a fresh sample against the single template created at enrolment for the identity the person claims. In the latter case, the template can be embedded in a physical credential (eg, a smart card) carried by the person, so no central store of templates is needed, which reduces privacy concerns.
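As an added illustration (not part of the original article), the following Python sketch shows the two modes and the two error rates on constructed data. Templates are random 256-bit patterns, a fresh sample is the enrolled pattern with some bits flipped at random, and two templates match when their normalised Hamming distance is at or below a threshold, which is how fixed-length bit-pattern templates such as iris codes are compared. The 256-bit length, the 10 percent flip rate, the 0.32 threshold and the 50-user database are all assumptions for the demo. The block also computes, for templates with 260 independent bits, the exact probability that two unrelated people match by chance, which is what a false match is.

```python
import random
from math import comb

N_BITS = 256       # template length; constructed for the demo (real iris codes are longer)
THRESHOLD = 0.32   # normalised Hamming distance at or below which two templates "match" (assumed)


def hamming_distance(a: int, b: int, n_bits: int = N_BITS) -> float:
    """Fraction of bit positions in which two n_bits-bit templates differ."""
    return bin(a ^ b).count("1") / n_bits


def capture(rng: random.Random, true_template: int, flip_rate: float) -> int:
    """Simulate a fresh sample of an enrolled trait: each template bit is flipped
    with probability flip_rate (sensor noise, a cut finger, new spectacles...)."""
    noise = 0
    for i in range(N_BITS):
        if rng.random() < flip_rate:
            noise |= 1 << i
    return true_template ^ noise


def verify(probe: int, enrolled: int, threshold: float = THRESHOLD) -> bool:
    """Verification (1:1): is the probe the person whose template we were handed?"""
    return hamming_distance(probe, enrolled) <= threshold


def identify(probe: int, database: dict, threshold: float = THRESHOLD):
    """Identification (1:N): search every enrolled template and return the best
    match if it is close enough, else None (the probe belongs to nobody enrolled)."""
    best_id, best_d = None, 1.0
    for uid, template in database.items():
        d = hamming_distance(probe, template)
        if d < best_d:
            best_id, best_d = uid, d
    return best_id if best_d <= threshold else None


def false_match_probability(n_bits: int, threshold: float) -> float:
    """Chance that two UNRELATED templates match. With n_bits independent,
    unbiased bits the number of disagreeing positions is Binomial(n_bits, 1/2);
    a false match needs it to be at most threshold * n_bits. Exact tail sum."""
    k_max = int(threshold * n_bits)
    return sum(comb(n_bits, k) for k in range(k_max + 1)) / 2 ** n_bits


def error_rates(rng: random.Random, database: dict, trials: int,
                genuine_flip: float = 0.10, threshold: float = THRESHOLD):
    """Empirical (FNMR, FMR): genuine samples rejected, strangers accepted."""
    ids = list(database)
    false_non_match = false_match = 0
    for _ in range(trials):
        uid = rng.choice(ids)
        if not verify(capture(rng, database[uid], genuine_flip), database[uid], threshold):
            false_non_match += 1
        stranger = rng.getrandbits(N_BITS)          # someone never enrolled
        if verify(stranger, database[uid], threshold):
            false_match += 1
    return false_non_match / trials, false_match / trials


def demo(seed: int = 1) -> dict:
    rng = random.Random(seed)
    database = {f"user{i}": rng.getrandbits(N_BITS) for i in range(50)}
    enrolled = database["user7"]
    probe = capture(rng, enrolled, 0.10)            # user7 returns and presents the trait
    return {
        "verify_genuine": verify(probe, enrolled),
        "verify_against_wrong_person": verify(probe, database["user8"]),
        "identify": identify(probe, database),
        "theoretical_fmr_260_bits": false_match_probability(260, THRESHOLD),
        "empirical_fnmr_fmr": error_rates(rng, database, 500),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Lowering the threshold makes false matches rarer and false non-matches commoner; raising it does the reverse. That trade-off is what every deployment tunes, and it is why a false match rate quoted without its false non-match rate (or vice versa) says little on its own.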

Four main technologies are in use: iris, fingerprint/handprint, face, and voice.

  1. Iris
    Current interest in biometrics around the world appears to mainly centre on the use of iris recognition, according to Zaid Alsaji, associate director at CMG (Canberra), one of only three companies licensed by the Commonwealth Government to perform security evaluations of products and technologies as part of the Australasian Information Security Evaluation Program. (Alsaji is also business manager of CMG’s Australasian Information Security Evaluation Facility, which provides security evaluation services to companies wishing to sell their products to Government.)

    Based on test results from the UK, iris has the lowest rate of false match and false non-match errors, he claims.

    Retina scanning, though beloved by moviemakers, has fallen out of favour in the local marketplace. This seems to result from iris recognition’s good performance, use of commodity hardware and end-user acceptance. The last point matters: anecdotal reports suggest users need to have the difference explained between iris recognition, which works from a camera image (usually taken under near-infrared illumination) of the iris, the coloured ring visible at the front of the eye, and retina scanning, which shines a low-intensity infrared beam into the eye to image the pattern of blood vessels at the back of it.

    Traditionally, retina recognition has involved putting the eye up against a scanner. A relatively new entrant called Retinal Technologies has developed an inexpensive device that can do the job from around 30cm away. When this goes into production it may draw renewed attention to the technology, especially as retina templates can be one-tenth the size of those for the iris.

    According to scientists at the former British Telecom Laboratories (now BTexact Technologies), “The textural variation, coloured tissue, and complex pattern of striations, freckles and fibrous structure which make up the iris, is unique to each individual and remains constant throughout life, and makes it perfect for recognition purposes.” This structure can be reduced to a numeric representation with the equivalent of approximately 260 independent variables, “much greater than had ever been claimed for other biometrics, such as fingerprint systems or facial or speech recognition systems.”

    Iris recognition has a good reputation for avoiding false matches: Iridian Technologies’ system has generated no false acceptances in over two billion attempts, according to Greg McAweeney, ebusiness services management consultant at Siemens Business Services.

    Off-the-shelf digital cameras now offer sufficiently high resolution to get a good capture of iris patterns, according to Tim Cranny, senior consulting engineer with managed security services provider 90East, and iris recognition can piggyback on such advances.

    CMG’s Alsaji pointed to the Privium system installed at Amsterdam’s Schiphol Airport as a flagship example of iris recognition. The system was originally conceived as part of a loyalty program to ease the use of facilities by frequent flyers while retaining the ability to track that usage. Now the Dutch border police use it to provide faster and more reliable identification of those frequent flyers. “It’s difficult to forge someone’s iris pattern,” says Alsaji.

    Much of the work on Privium was performed by CMG’s Dutch operation, Alsaji says.

    Privacy is a critical consideration in Holland, he adds. According to Dutch law, only the individual concerned is allowed to hold biometric data, so the templates are stored on smart cards.

    The operator of Schiphol Airport is now offering the system to other airports and airlines.

    Iris recognition is inherently non-contact, which gives it an advantage in some markets where there is a cultural objection to touching a device that has already been touched by many people. It is also suitable for use in operating theatres and clean manufacturing environments (eg, semiconductor fabrication, satellite assembly).

  2. Fingerprint/handprint
    Despite the high level of current interest in iris recognition, a report by the International Biometric Group estimated that finger scanning accounted for almost half the revenue of the biometrics sector in 2001, with hand scanning adding another 10 percent.

    Scandinavian airline SAS is testing a fingerprint biometric system for passenger identification. As in Schiphol Airport, the airline is using smart cards to store the template. “Using this ‘local’ matching of the customer’s fingerprint and a smart card, the process becomes simpler, safer and quicker for the traveller,” says Peter Söderlund, who is responsible for product development on ground at SAS. “We don’t think our customers want to leave their fingerprints, so the information is not saved after matching is completed.”

    Various relatively inexpensive fingerprint readers are available, typically packaged in a PC Card or as a USB peripheral (or even built into a mouse or trackball). While they provide some defence against casual inspection of data stored on a notebook computer, “if we’re talking about targeted industrial espionage . . . these things just don’t cut the mustard,” says 90East’s Cranny.

    Marek Rejman-Green, a biometrics advisor to the European Commission, has warned that research has shown plastic dummy fingers with stamped fingerprint patterns can be enrolled on many commercial units. Tsutomu Matsumoto, a graduate student of environment and information science at Yokohama National University has developed a technique for lifting latent fingerprints and creating a gelatine replica that fooled 11 different commercial sensors between 80 and 100 percent of the time—reminiscent of that nifty gadget used by the heroine of the TV series Alias, though that fictitious device did a much faster job.

    Other issues with fingerprint recognition include sensitivity to dirt, or to especially dry skin. Some people are uncomfortable with the use of fingerprints in this way because of the association with police investigations.

    Hand recognition systems can either work on palm prints (using similar technology to fingerprint systems), or by analysing the geometry of the hand or a portion of it. Around 100 measurements of hand geometry are taken and reduced to a template as small as nine bytes.

  3. Face
    Although face recognition has been around for several years, it entered the limelight in early 2001 when US authorities used it in an attempt to identify known criminals entering a stadium for a major sporting event.

    Some critics question the reliability of face recognition. The American Civil Liberties Union claims “Facial recognition software is easily tripped up by changes in hairstyle or facial hair, by aging, weight gain or loss, and by simple disguises. A study by the [US] Department of Defense found very high error rates even under ideal conditions, where the subject is staring directly into the camera under bright lights.”

    Zento’s Lysikatos is less scathing, but characterises face recognition as “not what I’d call fully robust” for identifying individuals.

    Apart from any ethical concerns, we need to distinguish between the use of face recognition by law enforcement authorities in public or semi-public areas where people may be trying to conceal their identity, and IT security where people want to be recognised. It is generally easier to disguise yourself than to make your face closely resemble that of another person.

    Face recognition systems typically reduce a face to around 100 bytes of data. There’s even an off-the-shelf biometric network appliance from face recognition vendor Visionics that performs this encoding at up to 100 faces per minute, with a companion appliance to perform the matching.

    Broadly, face recognition works by mapping the relative positions of key facial features, providing (at least theoretical) robustness against changes such as growing a beard. To improve the quality of recognition, a similar process can be applied within individual features such as the eyes and mouth.

  4. Voice
    Voice identification has a certain appeal to the Star Trek generation. Although voice recognition for the purposes of identification is not as arduous a task as continuous speech recognition, it doesn’t seem to work very well for some people (including this author, who experienced such poor results with one voice-controlled login system that it was unusable). Conversely, a quality recording of an enrolled person’s voice may fool some systems.

    Noisy environments can affect voice recognition, and speech may be unpopular in quiet workplaces even when used only for recognition rather than dictation or control of applications.

    Voice recognition has relatively poor performance when it comes to metrics such as failure to enrol (being able to obtain consistently repeatable measurements during enrolment) and failure to acquire (getting a usable voiceprint), suggests Alsaji, but “no system is ever perfect”, so you shouldn’t rely on technology alone. Security requires cost-effective technology, coupled with appropriate physical, personnel, and business processes, he says.

Which technology?

Whichever technology is used, “biometrics should always be seen as part of an overall [security] solution,” says Lysikatos. “Most clients have a specific requirement . . . but it should be seen in the broader context,” he added.

Phil Dodd, director of e-Government programs at Unisys Australia says each technology does a particular job well, and different tasks call for different technologies.

Furthermore, a single biometric is not acceptable for high security, so attention is turning to multimodal systems that use two or three traits in parallel. One example is the BioID system, which combines face and voice recognition with an analysis of lip movements.
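A constructed example of why combining traits helps, added here and not taken from the article or from the BioID product: each matcher’s similarity score is modelled as a Gaussian (genuine attempts score higher than impostor attempts, but the two populations overlap), and the simulation compares each trait on its own with two fusion rules, a decision-level AND rule (both traits must match) and a score-level sum rule (average the two scores, then apply one threshold). The score distributions and all thresholds are assumptions chosen for the demo.

```python
import random

# Constructed score model for two independent matchers. Each emits a similarity
# score; genuine attempts score higher than impostor attempts, but the two
# populations overlap, so any single threshold trades FMR against FNMR.
MODALITIES = {
    #          genuine (mean, sd)         impostor (mean, sd)        single-trait threshold
    "face":  {"genuine": (0.70, 0.12), "impostor": (0.40, 0.12), "threshold": 0.55},
    "voice": {"genuine": (0.65, 0.15), "impostor": (0.35, 0.15), "threshold": 0.50},
}
SUM_THRESHOLD = 0.525   # applied to the average of the two scores (assumed)


def sample_scores(rng: random.Random, kind: str) -> dict:
    """One attempt: draw a score from every modality's 'genuine' or 'impostor' model."""
    return {m: rng.gauss(*cfg[kind]) for m, cfg in MODALITIES.items()}


def decide_single(scores: dict, modality: str) -> bool:
    return scores[modality] >= MODALITIES[modality]["threshold"]


def decide_and(scores: dict) -> bool:
    """Decision-level fusion: every trait must match on its own."""
    return all(decide_single(scores, m) for m in MODALITIES)


def decide_sum(scores: dict, threshold: float = SUM_THRESHOLD) -> bool:
    """Score-level fusion: average the raw scores, then apply one threshold."""
    return sum(scores.values()) / len(scores) >= threshold


def error_rates(rng: random.Random, trials: int = 20000) -> dict:
    """Empirical FMR and FNMR for each trait alone and for both fusion rules."""
    rules = {m: (lambda s, m=m: decide_single(s, m)) for m in MODALITIES}
    rules["and"] = decide_and
    rules["sum"] = decide_sum
    false_match = dict.fromkeys(rules, 0)
    false_non_match = dict.fromkeys(rules, 0)
    for _ in range(trials):
        genuine = sample_scores(rng, "genuine")
        impostor = sample_scores(rng, "impostor")
        for name, rule in rules.items():
            if not rule(genuine):
                false_non_match[name] += 1
            if rule(impostor):
                false_match[name] += 1
    return {name: {"fmr": false_match[name] / trials,
                   "fnmr": false_non_match[name] / trials}
            for name in rules}


def demo(seed: int = 7) -> dict:
    return error_rates(random.Random(seed))


if __name__ == "__main__":
    for name, rates in demo().items():
        print(f"{name:5s}  FMR={rates['fmr']:.3f}  FNMR={rates['fnmr']:.3f}")
```

Under these assumed distributions the AND rule drives the false match rate down at the cost of a much higher false non-match rate (a genuine user now has to pass both matchers), while the sum rule lowers both rates below either trait alone because the two independent errors partly cancel. Which rule suits a deployment depends on whether the cost of a wrongly admitted impostor or of a wrongly rejected employee dominates.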

It is not essential to create your own infrastructure for biometric authentication, as this can be outsourced. Siemens Business Services offers biometric authentication using iris recognition as part of its portfolio of managed e-security services. The service costs around AU$260 per user per year for access control to IT systems (including a small camera for each desktop or notebook machine), and it can also be used in conjunction with access control systems.

Forms of access

Physical access

One of the most common business applications for biometrics is physical access to premises, or to secure areas within a building. There are several advantages to biometrics for this purpose. Most people have experienced the inconvenience that comes from forgetting a pass card, but it's hard to leave your hand or eye on the kitchen table. Similarly, many of us have more PINs than we can comfortably remember, so if a security system can recognise us (rather than making us identify ourselves in its terms), life is simplified.

Next there are the security aspects. It isn't particularly difficult to forge a magnetic stripe card for example, but Matsumoto's methods notwithstanding, it isn't so easy to successfully fake a biometric identifier.

For greater security, biometric identification may be used in conjunction with more traditional methods. Combining something you are (biometrics), something you have (a physical device such as a smart card) and something you know (a PIN, password or other secret) provides layers of protection.

eSign controls access to its data centres with a combination of biometrics (handprint in Australia, iris scanning in the US) and a digital certificate stored in an access card. eSign's Rowley says you can't expect people to remember many PINs, especially those they don't use at least once a week, and reissuing a PIN is an expensive business. The concept is not limited to providing access to fixed facilities. The Pyxis HelpMate SP is a new robot designed to deliver samples, drugs, and supplies around hospitals at a lower cost than a human courier. It features fingerprint-controlled access to its storage compartment.

A related use is for attendance monitoring. Traditional time-card systems are prone to abuse, and even more modern variations using individual keys or cards permit collusion. Biometric devices can provide far greater assurance that each employee's hours are correctly recorded, and the time recording function can also be integrated with an access control system.

Access to IT systems

As Rowley implied, people aren't particularly good at remembering PINs, and they don't do much better with passwords. As a general rule, if a password is easy to remember, it's also easy to crack. If a system enforces the use of “difficult” passwords, people are likely to write them down somewhere, and that's almost certain to happen if frequent password changes are required.

As much as 50 to 60 percent of help desk time is absorbed by queries involving forgotten passwords, says Dodd. “Forgotten passwords cost around an average of US$450 per user per year,” according to a paper written by David Heath, sales and technical manager at Triton Secure. This is a waste of resources and something that can be addressed by biometrics. You can already buy notebooks with fingerprint sensors and cameras that automatically log authorised users on and off as they sit in front of the computer, says Dodd.

“How do you take people from where they are now to [biometrics] without upsetting the service or security?” asks Rowley. While this is a particular problem for large-scale public-facing deployments such as ATMs (see below), some sort of phased approach will be needed for all but the smallest or greenfields deployments, and this increases the project's complexity.

Recent operating systems make it fairly easy to plug biometrics in. For example, Windows 2000 supports the Extensible Authentication Protocol (EAP) for remote-access (dial-up and VPN) connections, which provides a hook for incorporating biometric devices (or other mechanisms) to strengthen authentication. Two- and three-factor authentication is also available to .NET-based systems; .NET Passport has an option for two-factor authentication such as a username and password plus a smart card or biometric device. Similarly, Novell Modular Authentication Service works with a variety of third-party biometric devices, including fingerprint and face recognition, for login and post-login authentication.

BioAPI provides an open standard for applications to communicate with biometric technologies, allowing organisations to mix and match hardware and software from different vendors. In April, BioAPI 1.1 was accepted as ANSI/INCITS standard 358. A reference implementation is already available for Windows, another for Solaris is under development, and a Linux version is planned.

ATMs

Diebold, the company that introduced cash-dispensing ATMs in 1966, offers an iris recognition option for its ATMs that means customers do not need the usual card and PIN. Bank United installed the first units at three grocery stores in Texas. At the launch of the unit, Diebold showed how the iris recognition system could even distinguish between identical twins. At this year's Cebit exhibition, Diebold showed a concept ATM using iris recognition with the template stored on the customer's smart card, employing the same technology used at Schiphol Airport. In 1995, South Africa's Standard Bank tried fingerprint verification on Diebold ATMs. This was the world's first live application of biometrics on ATMs, but it did not prove sufficiently reliable. Diebold also demonstrated a face and voice recognition ATM in 1997, but it did not catch on.

NCR has also been active in trialling biometrics on ATMs but according to John Elsworth, director of NCR's South Pacific centre of expertise for ATM channel management, there are some serious business issues. “NCR was the first to trial with bio-recognition with the iris scan project in UK. It worked perfectly, the bank liked it, the customers loved it, but the business case simply did not stack up,” he says.

Elsworth identifies four key issues:

  • The cost of installing biometrics is higher than the losses due to fraudulent ATM use.
  • Enrolling each customer would be time consuming and expensive, and the equipment would have to remain at each branch to enrol new customers.
  • Any bank would need to adopt biometrics across its network, or risk confusing or inconveniencing customers: “The biometrics in question would be an alternative to customer PINs. In Australia, the technology would have to be portable to Point of Sale devices otherwise the banks are simply creating another layer in their security systems.”
  • And finally, even if one bank adopted biometrics, there's still room for PIN fraud and unauthorised use via other institutions' ATMs. “It's a case of one in, all in. It would be rendered useless unless all banks and ATM deployers used the technology,” says Elsworth. “When [biometrics] is available as a $50 application embedded in Windows, and proven in an ATM environment it might be useful, but until then, the PIN will remain.”

Bona fide

Integration with existing authentication systems “is not cut and dried”, says Alsaji, and Lysikatos agrees: “Nine times out of ten, [biometric devices] need a lot of integration,” he says.

eSign talks of the “five pillars of trust”, which are authentication (who am I), authorisation (what can I access), privacy (in practice, encryption), integrity (assurance that information has not been tampered with), and non-repudiation (collection of evidence about the transaction sufficient to satisfy a court). “Digital certificates are the only way of doing all these things,” says Rowley. “We see a really good fit between [biometrics] and digital certificates.”

Mark Pullen, RSA Security's business development manager for Australia and New Zealand, agrees. Using biometrics to provide access to another credential such as a PKI certificate provides excellent security if the biometric template and the certificate are stored on the same tamperproof device, such as a smart card, he says. The advantages of this arrangement are that it overcomes the problems associated with revoking a biometric template, since the template is only used within the card to authorise the release of the certificate, and the certificate can be readily revoked.

Furthermore, PKI is more standardised than biometrics, so it is generally easier to incorporate certificate-based authentication into new and existing systems.

An example is RSA's SecurID Passage product, which provides authentication for Windows. It is being used in conjunction with fingerprint readers by the health industry in order to comply with the privacy principles, providing strong authentication and user convenience without excessive system overheads.

Biometrics and PKI “complement each other very nicely,” agrees Cranny, “one's strength is the other's weakness, and vice versa.” PKI is a mathematical, deterministic approach, while biometrics is fuzzier, he explains. PKI authenticates the computer (or other device) that contains the certificate, and biometrics authenticates the person and provides access to the PKI certificate. The combination “goes a long way to address the weaknesses of PKI and does the things that biometrics by itself can't do.”
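The arrangement Pullen and Cranny describe, as an added Python sketch that is not the article's code nor any vendor's: the card holds the enrolled template and the private key belonging to the certificate, matches the live sample on-card, and will sign only after a match; the relying party checks the signature against the public key and a revocation list keyed by certificate serial number. The template never leaves the card and cannot be revoked, but a lost or compromised card is dealt with by revoking its certificate. The RSA here uses tiny hard-coded primes so the block runs stand-alone (it is wholly insecure and for illustration only); the 128-bit template, its distance threshold, the serial number and the message are all constructed.

```python
import hashlib

# Toy RSA with tiny hard-coded primes: an assumption made so the sketch runs
# stand-alone. It is wholly insecure; a real card uses a proper key and library.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)

TEMPLATE_BITS = 128     # constructed template length
MAX_DISTANCE = 0.25     # on-card match threshold, normalised Hamming distance (assumed)


def message_representative(message: bytes) -> int:
    """Hash the message and reduce it into the RSA group (toy padding, not PKCS#1)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def rsa_verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    n, e = public_key
    return pow(signature, e, n) == message_representative(message)


class SmartCard:
    """Holds the enrolled template and the private key. Neither is ever read out;
    the only operations are 'present a live sample' and 'sign after a match'."""

    def __init__(self, template: int, private_key, cert_serial: int):
        self._template = template
        self._n, self._d = private_key
        self.cert_serial = cert_serial     # public: travels with the certificate
        self._unlocked = False
        self.failed_attempts = 0

    def present_sample(self, probe: int) -> bool:
        """Match-on-card: compare the live sample with the stored template."""
        distance = bin(probe ^ self._template).count("1") / TEMPLATE_BITS
        self._unlocked = distance <= MAX_DISTANCE
        if not self._unlocked:
            self.failed_attempts += 1
        return self._unlocked

    def sign(self, message: bytes) -> int:
        """Use the private key only while unlocked; one match buys one signature."""
        if not self._unlocked:
            raise PermissionError("card locked: no successful biometric match")
        self._unlocked = False
        return pow(message_representative(message), self._d, self._n)


class RelyingParty:
    """Checks a signature against the certificate's public key and the CRL.
    The template is never involved: a lost card is revoked by serial number."""

    def __init__(self, public_key=PUBLIC_KEY):
        self.public_key = public_key
        self.revoked_serials = set()

    def revoke(self, cert_serial: int) -> None:
        self.revoked_serials.add(cert_serial)

    def accept(self, message: bytes, signature: int, cert_serial: int) -> bool:
        if cert_serial in self.revoked_serials:
            return False
        return rsa_verify(message, signature, self.public_key)


def demo() -> dict:
    template = 0x3A7F19C4E52B8D60F1A2B3C4D5E6F708      # constructed 128-bit template
    card = SmartCard(template, PRIVATE_KEY, cert_serial=4242)
    verifier = RelyingParty()
    message = b"transfer AU$100 to account 12345"    # constructed transaction

    genuine_probe = template ^ 0b1111            # 4 of 128 bits differ: same person, noisy sample
    genuine_unlock = card.present_sample(genuine_probe)
    signature = card.sign(message)
    accepted = verifier.accept(message, signature, card.cert_serial)

    impostor_probe = template ^ ((1 << TEMPLATE_BITS) - 1)   # every bit differs
    impostor_unlock = card.present_sample(impostor_probe)
    try:
        card.sign(message)
        locked_sign_raises = False
    except PermissionError:
        locked_sign_raises = True

    verifier.revoke(card.cert_serial)            # card reported lost: revoke the certificate
    accepted_after_revocation = verifier.accept(message, signature, card.cert_serial)
    return {
        "genuine_unlock": genuine_unlock,
        "accepted": accepted,
        "impostor_unlock": impostor_unlock,
        "locked_sign_raises": locked_sign_raises,
        "accepted_after_revocation": accepted_after_revocation,
        "failed_attempts": card.failed_attempts,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the structure is the boundary: the biometric comparison and the private key live on the same tamper-resistant device, the host only ever sees a signature, and everything the wider system needs to revoke (the certificate) is the part that can be revoked. A real card would also rate-limit or block after repeated failed matches, which the failed_attempts counter only records.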

Another useful characteristic of biometrics is that it can provide a clearer audit trail, says Cranny. If a system uses a mouse with a thumbprint sensor, it can be used not only to control access in the first place, but also to record who accessed what information.

Big brother

Government departments “stay away from the bleeding edge,” says Cranny: as a matter of policy, they go for proven technology and products. There is no Federal policy endorsing biometrics yet, and it would be very unusual for a department to pick a security system that wasn't on the EPL (Evaluated Products List). 90East is involved in Iris Australia's efforts to get its iris recognition products onto the EPL.

“[Getting products evaluated] involves a thorough testing process,” according to CMG's Alsaji. “There is always a comprehensive technical review carried out prior to the hands-on testing process beginning and before Defence Signals Directorate provide a Certificate. Even when biometric systems have been Certified, agencies still need to consider the potential applications and their implications for users and their privacy,” he added.

It's not just a matter of picking a technology, he explains. Questions concerning the number of users, how they will be enrolled in a biometric system, and how their identity can be authenticated must all be addressed.

Smart cards are relatively expensive and they present management issues, as people tend to lose them from time to time.

As far as the immediate future of biometrics is concerned, Alsaji says that as “IT budgets are being cut back there are obviously concerns [about the introduction of potentially costly systems].” This year's Federal Budget included a $3 million allocation for the Department of Foreign Affairs and Trade (DFAT) to conduct further research into biometric passports, with the possibility of their introduction within 18 months.

DFAT researcher John Osborne says a facial biometric was likely to be used, partly due to privacy concerns, and partly because it could be derived from the normal passport photograph. He admits this would be less accurate than iris recognition, but claims “it is accurate enough.”

Both Malcolm Crompton, the Federal Privacy Commissioner, and Terry O'Gorman, president of the Australian Council for Civil Liberties, reportedly expressed concern about the privacy implications of the proposal, but Dodd says “whether we like it or not, it's going to happen.” He also pointed to Malaysia's MyKad smartcard that already serves as an identity card with digital thumbprint and photograph, and carries driving licence and passport information. Plans call for the addition of health records, digital certificates for e-commerce, and support for cashless transactions.

“People will come to expect the benefits of these things [on a single card],” says Dodd.

Overseas governments are showing interest in the technology. The UK Passport Service is considering the issue of biometric ID cards, possibly using fingerprint or iris scans, within four years. A feasibility study has already been carried out at London's Heathrow Airport, where Virgin Atlantic and British Airways are also trialling an iris recognition system.

The first large-scale use of face recognition in conjunction with drivers' licences was installed in Illinois in 1999. It is used to compare new applicants against previously registered drivers as a precaution against fraud. The state police also use it to identify unknown suspects or victims, or to detect the use of an alias.

Unisys has acted as systems integrator for large projects involving biometrics since the early 1990s, says Dodd. These include national identity, voting, and driving licence systems, but he was unable to identify any of them for confidentiality reasons. -We have an agnostic view of the various technologies," he adds. -The scale of activity in Australia and New Zealand might be smaller, but the work we are conducting is leading edge."

Dodd says the main challenges in biometrics are around processes and privacy, but he suggests these will be overcome in the next few years and people will have easier and more secure access to premises, services, and systems.



Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.