Biometrics: More than a helping hand
Personal computers generally have been a boon to agency and departmental staff, but they can be a nightmare for those responsible for security. With users accessing networks remotely, transmitting data via the Internet and carrying around laptops containing sensitive data, ensuring security is an increasingly complex challenge. At least one thing is clear: Passwords are not enough.
An increasing number of agencies and departments are turning to biometrics
to achieve a higher level of security. Biometric devices measure a person's
physical or behavioral characteristics, such as iris patterns, hand measurements,
voice patterns and fingerprints, to ensure that the person accessing a device
or location is who he or she claims to be. Biometric traits, unlike passwords
and personal identification numbers (PINs), cannot be lost, stolen or easily
duplicated.
Security concerns, of course, apply not only to computers and networks
but also to physical access to facilities. And biometrics can be used to
authenticate people for both applications.
The government is taking notice. In fact, the National Security Policy
Board, through the Facilities Protection Committee, has chartered a Biometric
Consortium to help develop, test and evaluate biometric devices on behalf
of the Defense Department.
To get an idea of how well current leading biometric technologies work,
we reviewed a sampling of five types of biometric authentication methods:
hand geometry, fingerprint recognition, iris recognition, voice verification
and face verification.
Several factors play a part in deciding what kind of biometric security
to implement. One factor is infrastructure: How easily can biometric authentication
integrate with the existing network? Does the existing network use technology
that supports certain types of biometric authentication methods?
For example, if all PCs on a network have cameras attached to them,
the infrastructure for face recognition is already in place. Similarly,
PCs with microphones are easily outfitted for voice-recognition technology.
If your department's computers have no cameras or microphones, you may be
more inclined to use stand-alone fingerprint scanners. Buyers should also
consider future security needs and whether the system they are considering
can meet those needs.
Next, environmental factors are important to weigh. Dim lighting can impair
face recognition, a noisy background can hamper voice recognition, and a
scratched or dry finger can affect fingerprint recognition.
Human factors may play a role as well. Some people are nervous about
using their fingerprints and prefer a method such as hand geometry, which
measures the shape and outline of the hand. Other methods are perceived
to be extremely intrusive, such as retinal scanning.
To increase security and help compensate for environmental factors,
several vendors advocate "layered" biometrics, which is the use of more
than one biometric technique or device to verify a person. For example,
a user might need to provide a faceprint and voice verification to gain
access to a system. Passwords, smart cards, digital certificates and PINs
can also be combined with biometric authentication for a layered security
solution.
Keyware Technologies Inc., a provider of biometric identification solutions,
is one company that offers layered biometrics. Keyware's LBV Framework
(for layered biometric verification) is an open architecture solution for
biometric verification that includes a middleware application, biometric
engine plug-ins for use with different kinds of biometric technologies,
development tools and application toolkits. Keyware provides data, network,
telephony and physical access security for several markets, including the
federal government.
Another vendor answering the call for layered biometrics is BioNetrix
Systems Corp. The company offers management software called the BioNetrix
Authentication Suite. The suite enables administrators to manage all authentication
systems on a network — whether they are biometric or nonbiometric, such
as passwords — from one console.
The Lineup
For this review, we looked at a hand reader from Recognition Systems
Inc., currently the only manufacturer of hand geometry products. We chose
fingerprint-scanning technology from SecuGen Corp. because it offers products
we hadn't seen before: a keyboard and mouse with embedded fingerprint scanners.
Only one company holds the worldwide patent for iris recognition technology,
IriScan Inc. IriScan licenses its technology to Sensar Inc., which develops
and markets iris recognition systems. We reviewed one of these systems,
Sensar's SecureCam.
We looked at voice verification from Veritel Corp. and face verification
from Visionics Corp. Each is a leading vendor in its field. Both companies
license their technology to partners and integrators, so we reviewed them
within the BioNetrix Authentication Suite. Visionics does not sell its product
directly to end users; rather, it licenses its technology to other companies
that develop and sell products to end users. Veritel does make a product
called Voicecrypt, which we ordered from the company but never received.
The industry consensus is that iris scanning is the most accurate and
secure biometric. After DNA, irises are the most individualized feature
of the human body. Even identical twins have different irises. Furthermore,
every person's two irises differ from each other. Irises also have many
more minutiae points (IriScan systems measure 266) than fingerprints, so
more encrypted templates can be created from them. Finally, irises are less
susceptible to wear and injury than many other parts of the body.
Second to iris scanning in accuracy is fingerprint scanning. Fingerprints
contain approximately 35 to 46 minutiae points and are a stable, reliable
biometric. However, injury, dry skin and dirt can affect performance.
There is not yet enough reliable data to provide accuracy rates of one-to-many
identification with facial scans, but according to the International Biometric
Group (IBG), a New York-based integration and consulting firm, anecdotal
evidence suggests that facial scan technology is capable of very accurate
performance.
According to IBG, voice verification is considered to be the least accurate
of the five technologies we reviewed.
However, in choosing a biometric technology, more than security needs
to be considered. The ideal biometric will vary for different applications.
Security needs to be balanced against environment, cost, the effort required
to use the biometric solution and the perceived intrusiveness of the device.
For example, voice verification might be a poor choice for someone who
travels often and must authenticate in airports and other noisy environments,
but it might work well for a user who wears gloves at work and cannot conveniently
use a fingerprint-recognition system. As noted above, facial scanning would
not be a good choice for environments with dim lighting, and iris scanning
might be overkill for applications requiring only low levels of security.
Bear in mind that we are rating the technologies and not the products.
The products have been chosen as being representative of each technology.