Recent Article on Biometric Security:
ENTERPRISE
Tech Talk
Body of evidence suggests increased use of biometrics
Chaim Yudkowsky
More than two years ago, I saw the future. Traveling through Ben Gurion Airport in Tel Aviv, Israel, to return to the U.S., I watched frequent fliers use biometric systems (a form of the much-talked-about trusted traveler program) to quickly get their exit visas, instead of waiting in long lines like most of us. In the days following Sept. 11, 2001, and in light of provocative movies like "Minority Report," looking at alternative means of identifying ourselves is becoming a growing concern.
What is biometrics? The IT-specific encyclopedia Whatis.com defines it as "the science and technology of measuring and statistically analyzing biological data." For IT, the measuring and analyzing is used to verify that an individual is who he says he is, much like a computer password. Many human characteristics are statistically unique enough to identify each of us. These characteristics may be used individually or in combination with others. The characteristics most frequently used are face (spatial pattern of the face), fingerprint, hand and finger geometry (used in Ben Gurion), handwriting, eye retinas or irises, and speech.
Why use biometrics? There are many reasons to consider this form of personal ID. For each reason, authenticating ourselves by who we are and not what we know, what we carry, or how we choose to identify ourselves (i.e. PINs, passwords, smart card security token) solves and simplifies these issues. Some of the most cited justifications for biometric use in identity include ...
* Passwords are expensive. Aberdeen Group research finds that depending on company size the labor costs per user per year for configuring and maintaining password systems is $100 to $350. We forget passwords and frequently have passwords set up granularly - program by program.
* Passwords are overwhelming. Simply put, we have so many of them that we cannot remember them all. Our saturation of these secrets increases the likelihood that we do not properly protect them. How many truly random constructs of words, numbers and even punctuation can a human really remember before jeopardizing the whole security strategy by writing stuff down?
* Applications demand it. Travel and immigration specifically lend themselves to this form of authentication. For example, the European Union has a plan to use biometric data to help police departments check the authenticity of European passports and to imbed biometric data in visas of non-European citizens. This will increase traceability of nefarious individuals or stolen identities.
* Increase financial accountability. Used with some applications, like government assistance programs, biometrics could help eliminate instances of identity fraud. This is the ultimate identifier for a government-issued credit card or a low-income assistance program.
* Improve physical security. We are now more sensitive than ever about the need to ensure that physical premises are safeguarded at point of entry. Knowing exactly who is coming into our buildings is indispensable. Biometrics can provide ubiquitous building entry identifiers - at least for pre-approved people.
* Reduce paper. In many cases, traditional forms of verification generate boatloads of paper. Furthermore, other instances of authentication, such as notaries, often rely solely on paper to document an event. Biometrics combined with other automation can significantly reduce this paper and reliance on only a paper trail for a transaction or event.
Where to use biometrics? Once we appreciate the empowerment of biometrics, we can begin to consider the possible uses of one or more biometric characteristic for authentication. Some applications are:
* On laptops to secure data even when the laptop is not communicating with the corporate network.
* On desktops that are connected to the corporate network.
* In environments conducive to specific identity, such as buildings or even ATMs.
* In situations where exception identity is desired. The most common example is screening crowds in airports and casinos using face analysis. (While London Heathrow and airports in the U.K. use this technology, the media has reported that U.S. airports have not achieved satisfactory results with this technology.)
Use is growing. In the private sector, use is growing as prices have dropped and accuracy has improved. Legislation is demanding that this option be at least evaluated in the public sector. Three pieces of legislation passed since Sept. 11, 2001, the USA Patriot Act, the Aviation and Transportation Act, and the Enhanced Border Security and Visa Entry Reform Act, have all "mentioned the need for biometrics." Probably the most notable new phenomenon is the handwriting biometric technology used by some vendors for credit card signature authorization in the checkout line.
What are the concerns?
As with any new technology that studies and leverages human individuality, the critics and the ethicists grapple with some real concerns. They include:
* Accuracy of performance. Real applications that involve establishing "that I am who I say I am" require 100 percent accuracy. While some have achieved superior accuracy to just a few years ago, very rarely will a vendor commit to 100 percent for an application of biometric ID.
* How easy is it to fool? After an experiment with a fingerprint saved on a piece of candy fooled a fingerprint system, this has become a rallying cry of some. However, the more neurotic (possibly justifiably so) focus on the next concern.
* Systematic bypass. "Minority Report" and many movies like it have highlighted that nearly any authentication technique, at least by itself, can be short-circuited by a really determined and creative individual. Thus, it is not likely as foolproof as we would like to believe. Nonetheless, biometric-based authentication would significantly reduce the statistical likelihood of a misrepresentation common with passwords and even many picture IDs.
* Biometric information abuse. Some civil libertarians are incensed by the risks posed by personal nature of biometric information and how this information can be manipulated or misused for unimaginably evil purposes by other people, employers, or even governments. The privacy and ownership of this statistical biological information about each of us is a major issue. Control over access to others' information is a similar critical objection.
The biometric use of personal information will continue to make inroads in how we interact with each other, our employers, and even our machines and buildings. Therefore, staying informed about this technology as it develops should be of great interest to even the most committed Luddite as an employee, citizen and possessor of his own biometric identity.
Yudkowsky is chief information officer at Textilease Corp. and president of Byte of Success Inc., a technology consulting company.
© 2003 American City Business Journals Inc.
http://triangle.bizjournals.com/triangle/stories/2003/10/06/smallb3.html