Warriors have long used emblems, uniforms and tattoos to physically identify themselves to their compatriots. Secret passwords were in use long before the first person logged in at a keyboard. Today, the world of enterprise security is increasingly incorporating biometric identifiers as an additional weapon within the security arsenal.
International Biometric Group, a New York City-based consulting firm, reports that the worldwide market for biometric devices grew 67 percent last year to reach $1.2 billion. And analysts there estimate a further expansion to $4.6 billion by 2008.
The largest share of that money (48 percent) goes for fingerprint recognition systems, followed by facial recognition (12 percent). While these two are the most popular, there are other methods that analyze a person’s physical or dynamic characteristics. Physical biometric methodologies also look at the following:
When looking at strong authentication, you want two out of three factors: something you have, something you are and something you know. While eyes, hands and skin are commonly used as biometric identifiers, more dynamic methodologies also are being introduced, such as the following:
Voice: Detects vocal pitch and rhythm;
Keystroke Dynamics: Analyzes the typing speed and rhythm when the user ID and password are entered;
Signature: Matches the signature to one on record, as well as analyzing the speed and pressure used while writing; and
Gait: Measures length of stride and its rhythm.
To keep performance high and storage requirements manageable, today’s biometric technologies don’t have to store or analyze a complete picture of the body part or the physical feature being used. Imagine the processing power that would be needed to store a high resolution picture of someone’s face and then compare it with a live image pixel by pixel.
Instead, each method reduces the body part or activity to a few essential parameters and then codes the data, typically as a series of hash marks. For example, a facial recognition system may record only the shape of the nose and the distance between the eyes. That’s all the data that needs to be recorded for an individual’s passport, for example.
When that person comes through customs, the passport doesn’t have to include all the data required to reproduce a full-color picture of the person. Yet, armed with a tiny dose of key biometric information, video equipment at the airport can tell whether the person’s eyes are closer together or if his nose is slightly wider than the passport says they should be.
None of these biometric systems are infallible, of course. However, the rates of false negatives and false positives have markedly improved. One of the problems with fingerprint readers, for instance, is that they couldn’t distinguish between an actual fingerprint and the image of one. In the recent movie National Treasure, Nicolas Cage’s character lifted someone’s fingerprint off a champagne glass and used it to gain access to a vault. That’s not pure fiction.
Japanese cryptographer Tsutomu Matsumoto lifted a fingerprint off a sheet of glass and, following a series of steps, created gelatin copies. He then tested these on 11 fingerprint readers and each accepted the gelatin prints. Outside the lab, Malaysian thieves chopped the fingertip off a businessman and used it with the fingerprint reader on his Mercedes. But none of those methods would work with higher-end fingerprint readers. The latest fingerprint readers are incorporating more advanced features, such as making sure the finger is a certain temperature. Everyone’s hand is different, as some are consistently warm or cold. In addition, they can also check if there is a pulse and tell how much pressure is being applied.
Such sophistication, however, has its drawbacks. Authorized users may find themselves locked out even when the devices are working properly. Why? Tiny changes, due to accidents or injuries, can change a biometrics profile, rendering it effectively obsolete. The thing to keep in mind with any biometrics is that your ID does change over time. If you cut your finger, your biometric may not be the same any more. Or your early morning voice is different than after talking for eight hours.
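The trade-off described above, between a compact template, false positives and locked-out users, can be made concrete. The following is an added example, not code from the article or from any biometric product: the two-parameter template, the measurements, the thresholds and the use of Euclidean distance are all constructed assumptions.

```python
import math

# Constructed enrollment template: (eye distance in mm, nose width in mm).
# Only these two parameters are stored, not an image of the face.
ENROLLED = (62.0, 34.0)

# Constructed live measurements. Genuine attempts drift from the template
# (pose, lighting, small physical changes); impostors are other people,
# one of whom happens to measure close to the enrolled user.
GENUINE = [(62.3, 34.1), (61.6, 33.8), (62.9, 34.6), (60.8, 35.1), (63.9, 33.0)]
IMPOSTOR = [(66.0, 36.5), (58.0, 31.0), (62.8, 35.2), (64.5, 34.2), (70.0, 38.0)]


def accepts(template, live, threshold):
    """Accept when the live measurement lies within `threshold` of the template."""
    return math.dist(template, live) <= threshold


def error_rates(threshold):
    """Return (false reject rate, false accept rate) for one tolerance setting."""
    false_rejects = sum(not accepts(ENROLLED, g, threshold) for g in GENUINE)
    false_accepts = sum(accepts(ENROLLED, i, threshold) for i in IMPOSTOR)
    return false_rejects / len(GENUINE), false_accepts / len(IMPOSTOR)


def sweep(thresholds):
    """Tabulate both error rates so the operating point can be chosen deliberately."""
    return [(t,) + error_rates(t) for t in thresholds]


if __name__ == "__main__":
    print("threshold  false-reject  false-accept")
    for t, frr, far in sweep([0.5, 1.5, 2.0, 3.0]):
        print(f"{t:9.1f}  {frr:12.0%}  {far:12.0%}")
```

A strict tolerance locks out the legitimate user whose measurements have drifted, while a loose one admits the look-alike, which is why the biometric is paired with a second factor rather than tuned in isolation.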
Biometrics in the Enterprise
While biometric authentication certainly adds an extra layer of security, it would be a mistake to implement a high-end system and then feel that break-ins instantly would be consigned to the history books. It takes back-end integration, constant vigilance and consistent user involvement to keep an enterprise secure. Security is a user issue and must go all the way to the desktop. You need to have a very layered architecture and assume that any layer could fail some day.
The most popular biometric tool at the moment is the fingerprint reader. Some even use USB drives. And some keyboards and laptops come with them built in. These devices have come way down in price. As a standalone device, the unit price has dropped below $100. But, in an enterprise setting, that is just the start of the costs.
IT departments have to ensure, for example, that back-end security systems can accommodate biometric authentication, and scale to the required number of users. Plus, if fingerprint readers are not incorporated into the laptop or desktop, it adds to the number of devices that need to be supported by IT. There is little point, then, in adopting a stand-alone biometrics system that cannot easily be assimilated into the organization’s existing security fabric.
Biometric authorization techniques are no longer so leading edge that they are difficult to marry with traditional security safeguards. Today’s systems are well enough developed that they can be incorporated into enterprise systems without too much effort. A strong authentication system is what you want to focus on and biometrics can be part of it, but the user should still have to memorize something or have a token, and you need to make sure that policies and the management structure relating to it are firmly in place.
Drew Robb is a frequent contributor to Internet.com. He writes regularly for ServerWatch.com, EnterpriseStorageForum.com and SmallBusinessComputing.com.
This article was originally published on January 06, 2006