In the wake of the Sept. 11 terrorist attacks, biometrics security vendors are back in the spotlight, promising to detect intruders by the whorl of their fingerprints, the sound of their voice or even subtle differences in how they hunt-and-peck on the keyboard. Biometric tools come in a variety of forms, but all confirm the identity of users by a physical characteristic, whether that is a fingerprint, the sound of their voice, the unique pattern of blood vessels in their eyes or the shape of their face.

As biometrics become less expensive, more accurate and easier to deploy than in years past, financial services firms are using biometrics to help reduce consumer fraud, as are hospitals and other healthcare players scrambling to meet the new federal privacy requirements. Airports and other public facilities are experimenting with facial-recognition systems and at least some consumers, more worried about terrorist attacks than privacy, are willing to have a fingerprint or an iris scanned to get to an airport gate or their office.

But biometrics is still held back by unproven technology, competing standards and lingering privacy concerns. In the short run, analysts predict, of all the various biometric techniques, fingerprint scans will be more popular than other exotic technologies and will usually be used with, rather than instead of, traditional safeguards such as passwords.

"Biometrics technology will reinforce and not replace current authentication methods such as passwords," market research firm IDC said in a December 2001 report that predicted worldwide biometrics spending will rise at a 50% compounded annual growth rate from $119 million in 2000. Some observers predict biometrics will be used only to safeguard the most critical data, while relying on smart cards or other less expensive and more proven tools on systems running less sensitive applications.

The fingers have it
Although it will usually be used in conjunction with smart cards and tokens, finger scanning will be the predominant biometric technology used through 2005, according to an October 2001 report from Gartner Group.

One argument in favor of fingerprint scanning is that passwords just don't work. If users choose simple passwords, such as the name of a pet or child, they're easy for the user to remember, but also easy for a hacker to guess. If forced to choose more complicated passwords or to change their passwords often, users will often write the password down and leave it near their workstation (defeating the whole purpose) or forget the password, requiring an expensive call to the help desk.

Organizations such as the city of Glendale, Calif., are using Digital Persona Inc.'s U.are.U Pro Fingerprint Security System to authenticate users. Single-quantity pricing is $149 for the workstation version, with a server version allowing for easier administration and user roaming among workstations costing $50 per user. The firm also sells a $69 system that takes advantage of Windows XP Fast User Switching, allowing users to log on to shared systems without shutting down applications or logging off, as well as a Web server and software development kit to allow biometric access to Web applications.

One way to combine biometrics with other storage techniques is to store the user's profile (such as their fingerprints) on a token or smart card the user carries. This not only increases security, but also can reduce the processing time needed to match the fingerprint with their stored profile, according to the Gartner report. Storing user information on a token or smart card can also ease user fears about such data being stolen from a central server, the report says.

When to use biometrics
Gartner recommends considering biometrics if users are having trouble remembering and using secure passwords, where strong authentication is needed for crucial applications or physical spaces and where users can be required to use the device as part of their jobs. In a December 2001 report, Meridian Research Inc. predicted just that trend in the financial services industry, with biometrics being used first by employees "and slowly made available to customers through ATMs, standalone kiosks and at teller windows in branches."

Biometrics make less sense, Gartner recommends, for rapidly expanding user bases (which can increase errors and slow performance), harsh physical environments that can increase the number of "false accepts" and "false rejects" and where users are highly sensitive to their personal information being misused.

IDC also predicts that biometric vendors will move away from selling hardware based on their own biometric technology and instead build authentication software that can be used with a variety of biometric tools. Last October, for example, Keyware Technologies announced a centralized authentication tool that allows customers to manage biometric and other authentication technologies from a central server. BioNetrix Systems Corp.'s Authentication Suite supports biometrics, smart cards and tokens, among other authentication methods.

And if you can't convince your users to change their passwords, BioPassword for Windows NT and Windows 2000 from L. F. Coppenrath & Associates claims to measure the timing of keystrokes to determine if it's the actual user typing their password. The technology is now being evaluated by the Pentagon, built into some software vendors' products and being rolled out to verify the identity of patients in online clinical trials and students taking online classes, says Vice President of Marketing and Alliances Mitch Tarr. Pricing ranges from $40-120 per user based on the number of users, he says.

About the author
Robert L. Scheier writes frequently about security from Boylston, Mass., and can be reached at email@example.com.