Biometrics special: Who are you?

Forms of access

Physical access

One of the most common business applications for biometrics is physical access to premises, or to secure areas within a building. There are several advantages to biometrics for this purpose. Most people have experienced the inconvenience that comes from forgetting a pass card, but it's hard to leave your hand or eye on the kitchen table. Similarly, many of us have more PINs than we can comfortably remember, so if a security system can recognise us (rather than making us identify ourselves in its terms), life is simplified.

Next there are the security aspects. It isn't particularly difficult to forge a magnetic stripe card for example, but Matsumoto's methods notwithstanding, it isn't so easy to successfully fake a biometric identifier.

For greater security, biometric identification may be used in conjunction with more traditional methods. Combining something you are (biometrics), something you have (a physical device such as a smart card) and something you know (a PIN, password or other secret) provides layers of protection.

eSign controls access to its data centres with a combination of biometrics (handprint in Australia, iris scanning in the US) and a digital certificate stored in an access card. Rowley says you can't expect people to remember many PINs, especially those they don't use at least once a week, and reissuing a PIN is an expensive business. The concept is not limited to providing access to fixed facilities. The Pyxis HelpMate SP is a new robot designed to deliver samples, drugs, and supplies around hospitals at a lower cost than a human courier. It features fingerprint-controlled access to its storage compartment.

A related use is for attendance monitoring. Traditional time-card systems are prone to abuse, and even more modern variations using individual keys or cards permit collusion. Biometric devices can provide far greater assurance that each employee's hours are correctly recorded, and the time recording function can also be integrated with an access control system.

Access to IT systems

As Rowley implied, people aren't particularly good at remembering PINs, and they don't do much better with passwords. As a general rule, if a password is easy to remember, it's also easy to crack. If a system enforces the use of "difficult" passwords, people are likely to write them down somewhere, and that's almost certain to happen if frequent password changes are required.

As much as 50 to 60 percent of help desk time is absorbed by queries involving forgotten passwords, says Dodd. "Forgotten passwords cost around an average of US$450 per user per year," according to a paper written by David Heath, sales and technical manager at Triton Secure. This is a waste of resources and something that can be addressed by biometrics. You can already buy notebooks with fingerprint sensors and cameras that automatically log authorised users on and off as they sit in front of the computer, says Dodd.

"How do you take people from where they are now to [biometrics] without upsetting the service or security?" asks Rowley. While this is a particular problem for large-scale public-facing deployments such as ATMs (see below), some sort of phased approach will be needed for all but the smallest or greenfields deployments, and this increases the project's complexity.

Biometrics can be put to use fairly easily with recent operating systems. For example, Windows 2000 supports Extensible Authentication Protocol (EAP), which provides a hook for the incorporation of biometric devices (or other mechanisms) to strengthen the authentication process. Two- and three-factor authentication is also available to .NET-based systems; .NET Passport has an option for two-factor authentication such as a username and password plus a smart card or biometric device. Similarly, Novell Modular Authentication Service works with a variety of third-party biometric devices, including fingerprint and face recognition, for login and post-login authentication.

BioAPI provides an open standard for applications to communicate with biometric technologies, allowing organisations to mix and match hardware and software from different vendors. In April, BioAPI 1.1 was accepted as ANSI/INCITS standard 358. A reference implementation is already available for Windows, another for Solaris is under development, and a Linux version is planned.

ATMs

Diebold, the company that introduced cash-dispensing ATMs in 1966, offers an iris recognition option for its ATMs that means customers do not need the usual card and PIN. Bank United installed the first units at three grocery stores in Texas. At the launch of the unit, Diebold showed how the iris recognition system could even distinguish between identical twins. At this year's Cebit exhibition, Diebold showed a concept ATM using iris recognition with the template stored on the customer's smart card, employing the same technology used at Schiphol Airport. In 1995, South Africa's Standard Bank tried fingerprint verification on Diebold ATMs. This was the world's first live application of biometrics on ATMs, but it did not prove sufficiently reliable. Diebold also demonstrated a face and voice recognition ATM in 1997, but it did not catch on.

NCR has also been active in trialling biometrics on ATMs but according to John Elsworth, director of NCR's South Pacific centre of expertise for ATM channel management, there are some serious business issues. "NCR was the first to trial with bio-recognition with the iris scan project in UK. It worked perfectly, the bank liked it, the customers loved it, but the business case simply did not stack up," he says.

Elsworth identifies four key issues:

  • The cost of installing biometrics is higher than the losses due to fraudulent ATM use.
  • Enrolling each customer would be time consuming and expensive, and the equipment would have to remain at each branch to enrol new customers.
  • Any bank would need to adopt biometrics across its network, or risk confusing or inconveniencing customers: "The biometrics in question would be an alternative to customer PINs. In Australia, the technology would have to be portable to Point of Sale devices otherwise the banks are simply creating another layer in their security systems."
  • And finally, even if one bank adopted biometrics, there's still room for PIN fraud and unauthorised use via other institutions' ATMs. "It's a case of one in, all in. It would be rendered useless unless all banks and ATM deployers used the technology," says Elsworth. "When [biometrics] is available as a $50 application embedded in Windows, and proven in an ATM environment it might be useful, but until then, the PIN will remain."

Bona fide

Integration with existing authentication systems "is not cut and dried", says Alsaji, and Lysikatos agrees: "Nine times out of ten, [biometric devices] need a lot of integration," he says.

eSign talks of the "five pillars of trust", which are authentication (who am I), authorisation (what can I access), privacy (in practice, encryption), integrity (assurance that information has not been tampered with), and non-repudiation (collection of evidence about the transaction sufficient to satisfy a court). "Digital certificates are the only way of doing all these things," says Rowley. "We see a really good fit between [biometrics] and digital certificates."

Mark Pullen, RSA Security's business development manager for Australia and New Zealand, agrees. Using biometrics to provide access to another credential such as a PKI certificate provides excellent security if the biometric template and the certificate are stored on the same tamperproof device, such as a smart card, he says. The advantages of this arrangement are that it overcomes the problems associated with revoking a biometric template, since the template is only used within the card to authorise the release of the certificate, and the certificate can be readily revoked.

Furthermore, PKI is more standardised than biometrics, so it is generally easier to incorporate certificate-based authentication into new and existing systems.

An example is RSA's SecurID Passage product, which provides authentication for Windows. It is being used in conjunction with fingerprint readers by the health industry in order to comply with the privacy principles, providing strong authentication and user convenience without excessive system overheads.

Biometrics and PKI "complement each other very nicely," agrees Cranny, "one's strength is the other's weakness, and vice versa." PKI is a mathematical, deterministic approach, while biometrics is fuzzier, he explains. PKI authenticates the computer (or other device) that contains the certificate, and biometrics authenticates the person and provides access to the PKI certificate. The combination "goes a long way to address the weaknesses of PKI and does the things that biometrics by itself can't do."
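The arrangement Pullen and Cranny describe can be sketched as follows; this is an added example, not code from the article or from any vendor it names. It assumes a bit-string template compared by Hamming distance with an illustrative threshold, and uses an HMAC key as a standard-library stand-in for the certificate's private key (a real PKI verifier would hold only the public certificate); all class and function names are hypothetical.

```python
import hashlib, hmac, secrets

MATCH_THRESHOLD = 0.32  # assumed: max fraction of differing bits accepted as a match

def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("templates must be the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

class SmartCard:
    """Template and credential key are stored here and never leave the card."""
    def __init__(self, serial: str, template: bytes):
        self.serial, self._template = serial, template
        self._key = secrets.token_bytes(32)  # stand-in for the certificate's private key

    def respond(self, live_sample: bytes, challenge: bytes):
        """Fuzzy match on the card, then a deterministic answer to the challenge."""
        if hamming_fraction(self._template, live_sample) > MATCH_THRESHOLD:
            return None  # no match: the credential is not released
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Verifier:
    """Relying system: sees serials and responses, never any biometric data."""
    def __init__(self):
        self._issued, self.revoked = {}, set()

    def register(self, card: SmartCard):
        self._issued[card.serial] = card._key  # stand-in for issuing a certificate

    def accept(self, serial: str, challenge: bytes, response) -> bool:
        if response is None or serial in self.revoked or serial not in self._issued:
            return False
        expected = hmac.new(self._issued[serial], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    enrolled = bytes(range(32))                  # constructed 256-bit template
    genuine = bytes(b ^ 0x01 for b in enrolled)  # noisy re-read: 32 of 256 bits differ
    impostor = bytes(b ^ 0xFF for b in enrolled[:16]) + enrolled[16:]  # 128 bits differ
    card, verifier = SmartCard("CARD-0001", enrolled), Verifier()
    verifier.register(card)

    def attempt(sample):
        nonce = secrets.token_bytes(16)  # fresh challenge per attempt
        return verifier.accept(card.serial, nonce, card.respond(sample, nonce))

    results = {"genuine": attempt(genuine), "impostor": attempt(impostor)}
    verifier.revoked.add(card.serial)  # lost card: revoke the credential, not the template
    results["after_revocation"] = attempt(genuine)
    return results
```

After revocation even a genuine biometric match is refused, and the holder can be issued a new card without the relying system ever having stored the template.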

Another useful characteristic of biometrics is that it can provide a clearer audit trail, says Cranny. If a system uses a mouse with a thumbprint sensor, it can be used not only to control access in the first place, but also to record who accessed what information.

Big brother

Government departments "stay away from the bleeding edge," says Cranny: as a matter of policy, they go for proven technology and products. There is no Federal policy endorsing biometrics yet, and it would be very unusual for a department to pick a security system that wasn't on the EPL (Evaluated Products List). 90East is involved in Iris Australia's efforts to get its iris recognition products onto the EPL.

"[Getting products evaluated] involves a thorough testing process," according to CMG's Alsaji. "There is always a comprehensive technical review carried out prior to the hands-on testing process beginning and before Defence Signals Directorate provide a Certificate. Even when biometric systems have been Certified, agencies still need to consider the potential applications and their implications for users and their privacy," he added.

It's not just a matter of picking a technology, he explains. Questions concerning the number of users, how they will be enrolled in a biometric system, and how their identity can be authenticated must all be addressed.

Smart cards are relatively expensive and they present management issues, as people tend to lose them from time to time.

As far as the immediate future of biometrics is concerned, Alsaji says that as "IT budgets are being cut back there are obviously concerns [about the introduction of potentially costly systems]." This year's Federal Budget included a $3 million allocation for the Department of Foreign Affairs and Trade (DFAT) to conduct further research into biometric passports, with the possibility of their introduction within 18 months.

DFAT researcher John Osborne says a facial biometric was likely to be used, partly due to privacy concerns, and partly because it could be derived from the normal passport photograph. He admits this would be less accurate than iris recognition, but claims "it is accurate enough."

Both Malcolm Crompton, the Federal Privacy Commissioner, and Terry O'Gorman, president of the Australian Council for Civil Liberties, reportedly expressed concern about the privacy implications of the proposal, but Dodd says "whether we like it or not, it's going to happen." He also pointed to Malaysia's MyKad smartcard that already serves as an identity card with digital thumbprint and photograph, and carries driving licence and passport information. Plans call for the addition of health records, digital certificates for e-commerce, and support for cashless transactions.

"People will come to expect the benefits of these things [on a single card]," says Dodd.

Overseas governments are showing interest in the technology. The UK Passport Service is considering the issue of biometric ID cards, possibly using fingerprint or iris scans, within four years. A feasibility study has already been carried out at London's Heathrow Airport, where Virgin Atlantic and British Airways are also trialling an iris recognition system.

The first large-scale use of face recognition in conjunction with drivers' licences was installed in Illinois in 1999. It is used to compare new applicants against previously registered drivers as a precaution against fraud. The state police also use it to identify unknown suspects or victims, or to detect the use of an alias.

Unisys has acted as systems integrator for large projects involving biometrics since the early 1990s, says Dodd. These include national identity, voting, and driving licence systems, but he was unable to identify any of them for confidentiality reasons. "We have an agnostic view of the various technologies," he adds. "The scale of activity in Australia and New Zealand might be smaller, but the work we are conducting is leading edge."

Dodd says the main challenges in biometrics are around processes and privacy, but he suggests these will be overcome in the next few years and people will have easier and more secure access to premises, services, and systems.

Talkback 3 comments

    Don't forget those are blind a ...J.E. Henry -- 09/07/02

    Don't forget those are blind and hearing impaired people or disabled people that might affect voice recognition system or iris. I do have cochlear implant and I don't know if iris laser would affect the interference with cochlear implant of metal insertion in the head???

    It would have been nice if you ...Justin Hatfield -- 10/07/02

    It would have been nice if you quoted Iris Australia who employed 90 East and CMG to perform the testing of Iris Recognition on behalf of Iridian technologies and Iris Australia.

    Mr Henry clearly has had limit ...David Heath -- 23/08/02

    Mr Henry clearly has had limited exposure to Iris scanning systems. There is no 'laser' involved. All illumination is provided by low-intensity infra-red sources. About the same strength as staring into your PalmPilot as it is attempting to transit in the IRDa port.

    I suspect he is thinking about retinal scanning - the iris is the coloured part of the front of the eye - the retina is inside the eye at the back.

    Anyway, how on earth would a laser, being a coherent light source offer *any* interference to audio or electro-magnetic sensitive devices?
