Biometric Security – From Fingers To Faces

Biometric security definitely isn’t a “one-size-fits-all” proposition.
Depending on the needs of the enterprise, administrators might find
themselves dealing with fingerprint, iris, hand, or facial biometric
identifiers, for example.

Usually, biometrics acts as a second or third layer of security, speakers
said, during the recent BiometriTech conference in New York City. Unlike a
password, which is “something you know,” or a token, which is “something
you have,” a fingerprint or a facial scan is “something you are.”

“You have to adapt to (existing) security. You can’t just throw out all
that PKI you bought, much as you might want to,” said John Ticer, President
and CEO of Bionetrix.

“Our view is that you layer in the gateway security that makes everything
else more valuable,” he added.

Theoretically, biometric identifiers are also “not susceptible to theft,
loss, or compromise, and are difficult to repudiate,” said Gillian Glasser,
senior consultant for the International Biometric Group, an industry
analyst, consulting, and product testing firm specializing in biometrics.

“(But) accuracy is still an issue. Some small percentage of users will be
falsely matched, non-matched, and not enrolled,” Glasser acknowledged.

Biometrics have also shown themselves to be spoofable, she admitted,
mentioned “gummy fingers” as one example.

Although Glasser didn’t spell out any of the details, “gummy fingers” have
been written up in security publications. Tsutomu Matsumoto, a Japanese
cryptographer and a teacher at Yokohama National University, first
developed “gummy fingers,” which he credits with fooling commercial
fingerprint readers about 80 percent of the time.

Matsumoto has used two techniques to make the “gummy fingers.” In one
method, he makes a plaster mold of a live finger and pours liquid gelatin
over the mold, waiting till the mold hardens.

The other technique, known as “latent fingerprinting,” is more complicated,
but yields the same statistical results. Essentially, Matsumoto takes a
digital photo of a fingerprint left on a piece of glass, and processes it
in Photoshop to improve the contrast. After printing the photo on to a
transparency sheet, he uses a photo-sensitive PCB to etch the fingerprint
into copper. Finally, he makes a “gummy” mold from the copper finger.

The accuracy of biometric identifiers does vary according to the type of
identifier, Glasser said at the conference in New York City. Generally
speaking, fingerprints are among the most accurate identifiers, and facial
scans among the least.

Even fingerprints can change over time, though. “Manual labor does alter
the ability to be repeatable,” according to Glasser.

When it comes to facial scanning, lighting conditions and positioning of
the subject can matter a lot. “Companies realize what the weaknesses (of
facial scanning) are. We’re expecting some kind of leap in algorithm
technology,” she predicted.

Understandably, some end users are worried about their privacy. As a
result, administrators should work with legal departments to establish
policies around biometrics. “There has to be a legal policy about
protecting personal artifacts,” Ticer noted.

Beyond security benefits, administrators might be asked to implement
biometric systems for reasons ranging from government regulations to better

Ticer said that one of his customers, a large bank, has gained a lot of
productivity by using biometrics to help eliminate lengthy paper trails
that used to choke communications with brokerage firms.

“It used to take a couple of months to fax things back and forth. A
two month
process (is now) a three-day process,” he maintained.

On the other hand, productivity gains can be offset by “hidden costs”
incurred from systems integration and user training, according to Glasser.
Quite commonly, she said, hardware prices account for only about 20 percent
of overall implementation costs.

One administrator attending the conference, from Brookhaven National
Laboratories, said he found the cost of additional network wiring an
unwelcome surprise.

Government agencies, in fact, are becoming big users of biometric security.
Other agencies present at the show included the FBI, the INS, and the
Department of Defense. Early adopters also include highly regulated fields
such as banking, health, and the pharmaceutical industry.

Outside of accuracy levels, biometric identifiers vary along other lines,
as well. Costs of biometric hardware systems tend to be lowest for
fingerprinting, higher for hand scanning, and even higher for iris
scanning. “(But) pricing is coming down,” Glasser added.

Hand scanning is “straightforward,” so it is suitable for use with
children, for instance.

Finger scanning requires “some training” of end users. On the other hand,
though, some users resist fingerprinting, associating it with “the criminal

Iris scanning can be a good technique for populations such as senior
citizens, who might have trouble using their hands. However, some users
don’t do well at focusing on the camera, and others don’t want to “feel

There are “dozens of vendors” in the finger scanning field, according to
Glasser. Iris scanning vendors include Visionics and Visage. Iridian is the
only supplier of iris scanning systems, so far, and Hand Recognition
Systems is alone in the hand scanning arena.

Also at the BiometriTech show, however, Sprint rolled out plans to provide
biometric technologies in several vertical markets. Sprint is looking at
health, education, and hospitality, for instance, according to another
speaker, Charles G. Warren, director of Sprint’s Service Technologies Lab.

Latest Articles

Follow Us On Social Media

Explore More