Biometrics: More than a helping hand

Personal computers generally have been a boon to agency and departmental

staff, but they can be a nightmare for those responsible for security. With

users accessing networks remotely, transmitting data via the Internet and

carrying around laptops containing sensitive data, ensuring security is

an increasingly complex challenge. At least one thing is clear: Passwords

are not enough.

An increasing number of agencies and departments are turning to biometrics

to achieve a higher level of security. Biometric devices measure a person's

physical or behavioral characteristics, such as iris patterns, hand measurements,

voice patterns and fingerprints, to ensure that the person accessing a device

or location is who he or she claims to be. Biometric traits, unlike passwords

and personal identification numbers (PINs), cannot be lost, stolen or easily

duplicated.

Security concerns, of course, apply not only to computers and networks

but also to physical access to facilities. And biometrics can be used to

authenticate people for both applications.

The government is taking notice. In fact, the National Security Policy

Board, through the Facilities Protection Committee, has chartered a Biometric

Consortium to help develop, test and evaluate biometric devices on behalf

of the Defense Department.

To get an idea of how well current leading biometric technologies work,

we reviewed a sampling of five types of biometric authentication methods:

hand geometry, fingerprint recognition, iris recognition, voice verification

and face verification.

Several factors play a part in deciding what kind of biometric security

to implement. One factor is infrastructure: How easily can biometric authentication

integrate with the existing network? Does the existing network use technology

that supports certain types of biometric authentication methods?

For example, if all PCs on a network have cameras attached to them,

the infrastructure for face recognition is already in place. Similarly,

PCs with microphones are easily outfitted for voice-recognition technology.

If your department's computers have no cameras or microphones, you may be

more inclined to use stand-alone fingerprint scanners. Buyers should also

consider future security needs and whether the system they are considering

can meet those needs.

Next, environmental factors are important to weigh. Dim lighting can impair

face recognition, a noisy background can hamper voice recognition, and a

scratched or dry finger can affect fingerprint recognition.

Human factors may play a role as well. Some people are nervous about

using their fingerprints and prefer a method such as hand geometry, which

measures the shape and outline of the hand. Other methods are perceived

to be extremely intrusive, such as retinal scanning.

To increase security and help compensate for environmental factors,

several vendors advocate "layered" bio- metrics, which is the use of more

than one biometric technique or device to verify a person. For example,

a user might need to provide a faceprint and voice verification to gain

access to a system. Passwords, smart cards, digital certificates and PINs

can also be combined with biometric authentication for a layered security

solution.

Keyware Technologies Inc., a provider of biometric identification solutions,

is one company that offers layered biometrics. Keyware's LBV Framework

(for layered biometric verification) is an open architecture solution for

biometric verification that includes a middleware application, biometric

engine plug-ins for use with different kinds of biometric technologies,

development tools and application toolkits. Keyware provides data, network,

telephony and physical access security for several markets, including the

federal government.

Another vendor answering the call for layered biometrics is BioNetrix

Systems Corp. The company offers management software called the BioNetrix

Authentication Suite. The suite enables administrators to manage all authentication

systems on a network — whether they are biometric or nonbiometric, such

as passwords — from one console.

The Lineup

For this review, we reviewed a hand reader from Recognition Systems

Inc., currently the only manufacturer of hand geometry products. We chose

fingerprint-scanning technology from SecuGen Corp. because it offers products

we hadn't seen before: a keyboard and mouse with embedded fingerprint scanners.

Only one company holds the worldwide patent for iris recognition technology,

IriScan Inc. IriScan licenses its technology to Sensar Inc., which develops

and markets iris recognition systems. We reviewed one of these systems,

Sensar's SecureCam.

We looked at voice verification from Veritel Corp. and face verification

from Visionics Corp. Each is a leading vendor in its field. Both companies

license their technology to partners and integrators, so we reviewed them

within the BioNetrix Authentication Suite. Visionics does not sell its product

directly to end users; rather, it licenses its technology to other companies

that develop and sell products to end users. Veritel does make a product

called Voicecrypt, which we ordered from the company but never received.

The industry consensus is that iris scanning is the most accurate and

secure biometric. After DNA, irises are the most individualized feature

of the human body. Even identical twins have different irises. Furthermore,

every person's two irises differ from each other. Irises also have many

more minutiae points (IriScan systems measure 266) than fingerprints, so

more encrypted templates can be created from them. Finally, irises are less

susceptible to wear and injury than many other parts of the body.

Second to iris scanning in accuracy is fingerprint scanning. Fingerprints

contain approximately 35 to 46 minutiae points and are a stable, reliable

biometric. However, injury, dry skin and dirt can affect performance.

There is not yet enough reliable data to provide accuracy rates of one-to-many

identification with facial scans, but according to the International Biometric

Group (IBG), a New York-based in-tegration and consulting firm, anecdotal

evidence suggests that facial scan technology is capable of very accurate

performance.

According to IBG, voice verification is considered to be the least accurate

of the five technologies we reviewed.

However, in choosing a biometric technology, more than security needs

to be considered. The ideal biometric will vary for different applications.

Security needs to be balanced against environment, cost, the effort required

to use the biometric solution and the perceived intrusiveness of the device.

For example, voice verification might be a poor choice for someone who

travels often and must authenticate in airports and other noisy environments,

but it might work well for a user who wears gloves at work and cannot conveniently

use a fingerprint-recognition system. As noted above, facial scanning would

not be a good choice for environments with dim lighting, and iris scanning

might be overkill for applications requiring only low levels of security.

Bear in mind that we are rating the technologies and not the products.

The products have been chosen as being representative of each technology.