Biometric Security - From Fingers To Faces
Gummy fingerprints aside, biometric security has its share of potential issues, including end-user resistance to potential privacy threats and methods that seem invasive.
Biometric security definitely isn't a "one-size-fits-all" proposition. Depending on the needs of the enterprise, administrators might find themselves dealing with fingerprint, iris, hand, or facial biometric identifiers, for example.
Usually, biometrics acts as a second or third layer of security, speakers said, during the recent BiometriTech conference in New York City. Unlike a password, which is "something you know," or a token, which is "something you have," a fingerprint or a facial scan is "something you are."
"You have to adapt to (existing) security. You can't just throw out all that PKI you bought, much as you might want to," said John Ticer, President and CEO of Bionetrix.
"Our view is that you layer in the gateway security that makes everything else more valuable," he added.
Theoretically, biometric identifiers are also "not susceptible to theft, loss, or compromise, and are difficult to repudiate," said Gillian Glasser, senior consultant for the International Biometric Group, an industry analyst, consulting, and product testing firm specializing in biometrics.
"(But) accuracy is still an issue. Some small percentage of users will be falsely matched, non-matched, and not enrolled," Glasser acknowledged.
Biometrics have also shown themselves to be spoofable, she admitted, mentioned "gummy fingers" as one example.
Although Glasser didn't spell out any of the details, "gummy fingers" have been written up in security publications. Tsutomu Matsumoto, a Japanese cryptographer and a teacher at Yokohama National University, first developed "gummy fingers," which he credits with fooling commercial fingerprint readers about 80 percent of the time.
Matsumoto has used two techniques to make the "gummy fingers." In one method, he makes a plaster mold of a live finger and pours liquid gelatin over the mold, waiting till the mold hardens.
The other technique, known as "latent fingerprinting," is more complicated, but yields the same statistical results. Essentially, Matsumoto takes a digital photo of a fingerprint left on a piece of glass, and processes it in Photoshop to improve the contrast. After printing the photo on to a transparency sheet, he uses a photo-sensitive PCB to etch the fingerprint into copper. Finally, he makes a "gummy" mold from the copper finger.
The accuracy of biometric identifiers does vary according to the type of identifier, Glasser said at the conference in New York City. Generally speaking, fingerprints are among the most accurate identifiers, and facial scans among the least.
Even fingerprints can change over time, though. "Manual labor does alter the ability to be repeatable," according to Glasser.
When it comes to facial scanning, lighting conditions and positioning of the subject can matter a lot. "Companies realize what the weaknesses (of facial scanning) are. We're expecting some kind of leap in algorithm technology," she predicted.
Understandably, some end users are worried about their privacy. As a result, administrators should work with legal departments to establish policies around biometrics. "There has to be a legal policy about protecting personal artifacts," Ticer noted.
Beyond security benefits, administrators might be asked to implement biometric systems for reasons ranging from government regulations to better workflow.
Ticer said that one of his customers, a large bank, has gained a lot of productivity by using biometrics to help eliminate lengthy paper trails that used to choke communications with brokerage firms.
"It used to take a couple of months to fax things back and forth. A two month process (is now) a three-day process," he maintained.
On the other hand, productivity gains can be offset by "hidden costs" incurred from systems integration and user training, according to Glasser. Quite commonly, she said, hardware prices account for only about 20 percent of overall implementation costs.
One administrator attending the conference, from Brookhaven National Laboratories, said he found the cost of additional network wiring an unwelcome surprise.
Government agencies, in fact, are becoming big users of biometric security. Other agencies present at the show included the FBI, the INS, and the Department of Defense. Early adopters also include highly regulated fields such as banking, health, and the pharmaceutical industry.
Outside of accuracy levels, biometric identifiers vary along other lines, as well. Costs of biometric hardware systems tend to be lowest for fingerprinting, higher for hand scanning, and even higher for iris scanning. "(But) pricing is coming down," Glasser added.
Hand scanning is "straightforward," so it is suitable for use with children, for instance.
Finger scanning requires "some training" of end users. On the other hand, though, some users resist fingerprinting, associating it with "the criminal element."
Iris scanning can be a good technique for populations such as senior citizens, who might have trouble using their hands. However, some users don't do well at focusing on the camera, and others don't want to "feel invaded."
There are "dozens of vendors" in the finger scanning field, according to Glasser. Iris scanning vendors include Visionics and Visage. Iridian is the only supplier of iris scanning systems, so far, and Hand Recognition Systems is alone in the hand scanning arena.
Also at the BiometriTech show, however, Sprint rolled out plans to provide biometric technologies in several vertical markets. Sprint is looking at health, education, and hospitality, for instance, according to another speaker, Charles G. Warren, director of Sprint's Service Technologies Lab.