Positive ID required

Can e-government rely on biometrics to authenticate online users?

As many government agencies now know, an online application doesn't always translate into convenience or cost-efficiency. The Social Security Administration can vouch for that. Last year, businesses electronically filed 100 million W-2s out of a total of 250 million.

Although transmitting the information proved a snap, the password application process did not. Customers still had to apply for a personal identification number via regular mail and wait several weeks for a reply.

"People were excited about using the online application, but many of them waited until the last day to even go onto the site," said SSA project manager Chuck Liptz. "That's when they found out that it wasn't just a five-minute transaction. We had a lot of businesses miss the deadline for that reason."

Agency officials hope to change all that. In January, they began testing the use of voiceprints to authenticate users of the W-2 and wage-reporting system.

Here's how it works: An employee who wants to access the system on behalf of an employer applies online. The SSA system then sends an e-mail message to the employee's supervisor for permission. The supervisor is directed to the SSA Web site, which then automatically calls the supervisor on the telephone. The supervisor reads a few words on the SSA Web page over the phone and the system records the speech for authentication. From then on, each time the employee wants to make a transaction the system will call the supervisor and verify his or her identity. A voiceprint match means the related transaction was authentic and valid.

So far, so good. In an initial survey, business users found the process easy to use and took just five minutes to complete it. Moreover, users expressed a high level of comfort with having their voiceprints recorded by a government agency, with few concerns about privacy or security. On a scale of 1 to 5, most users rated the system a 4.3 overall.

Testing the Waters

SSA's positive experience would appear to be good news for federal officials exploring the idea of combining biometrics and e-government.

"A lot of agencies are sitting on the sidelines, waiting to see how Social Security fares first before making that leap," said John Zurawski, vice president of Authentify Inc., which provided the identity authentication platform.

A few, however, have already made their own forays into the field. Both the Defense Department and the National Security Agency are using biometrics on a limited basis to authenticate government employees on a few internal applications.

And others are now investigating the logistics of using biometrics in online environments. General Services Administration officials, for example, hope to eventually incorporate biometrics into the agency's smart card program for computer network access and authentication in online transactions. And a handful of states, including Colorado and California, have incorporated biometrics into driver's licenses for verification purposes and could eventually use them in online service applications.

"We're exploring all aspects of biometrics right now," said Jason King, spokesman for the American Association of Motor Vehicle Administrators. "Because the reality today is [that] we don't have a very good means of verifying a person's identity."

Advocates note that both the time and the technology are ripe for online applications. The prices of fingerprint readers, Web cameras and other biometric enablers are coming down, and vendors are beginning to integrate biometric industry standards into products. What's more, with the growing threat of cyberterrorism and identity theft, Americans are increasingly open to providing biometric identifiers for authentication purposes.

"In the physical world, it's easy to see who's been mugged," said Tim Corcoran, senior systems engineer in the government solutions division at Northrop Grumman Information Technology. "But in the virtual world, we might not discover the 'mugging,' if you will, until it's too late. People are beginning to realize this and see the use of their biometric as something that protects them."

Biometric technologies are particularly conducive to e-government because the anonymity of online interactions requires not just a unique identifier, but also an exclusive one, according to Paul Collier, executive director of the Biometric Foundation. "A password or a smart card can be unique, but it can be lost or it can be stolen," he said. "No one can steal your fingerprints or your voiceprint. They're nontransferable, and as such, they bring a higher level of security."

The use of biometrics for online purposes has other benefits as well, Collier said. It can provide a nonrefutable audit trail and save agencies money, particularly given the costs and time associated with password management.

"Security is typically perceived as a cost and something that slows things up," Corcoran said. "What we're looking at through biometrics [are] more precise identification and accountability, but faster and better service as well."

Choppy Seas

Despite all the advantages and SSA's positive results to date, agency officials still view biometrics with trepidation. There are few e-government/biometric pilot projects in the works. One of them is the e-Authentication project, a cross-agency, public-key infrastructure (PKI) gateway being developed by GSA as one of the Office of Management and Budget's 24 e-government initiatives. But project leaders are not even considering biometrics at this point, according to an OMB official.

Why? For most agencies, it's a fear of the unknown. Biometrics continues to be a flash point for privacy advocates, who worry about misuse and mishandling of the data (see box, Page 16). None of the technologies are 100 percent accurate; they've all been known to turn in false negatives.

Enrollment continues to be the real weak point in the process, as agencies grapple with finding a fail-proof way to accurately capture both employees' and citizens' biometric data on the first attempt. In addition, if a person had stolen someone else's driver's license and Social Security number, he or she could easily use his or her own biometric identifier during the enrollment process, in effect "stealing" the other person's identity and corrupting the entire biometric system.

"That's a real concern," said Jeff Stapleton, a manager with the information risk management practice at KPMG LLP. "If I'm going to run a pilot and I've got 15 people, it's pretty easy to authenticate their identity and enroll them. But if I'm going to do a real rollout and I've got 50,000 employees, there's a lot more potential for inaccuracies and fraud."

Interoperability is another major issue slowing agencies' adoption of biometrics. There are some promising standards efforts, among them the work being done in the United States by the M1 biometrics group of the International Committee for Information Technology Standards and internationally by SC37, a joint subcommittee of the International Organization for Standardization and the International Electrotechnical Commission.

Although industry standards are being pushed, most vendors currently rely on proprietary algorithms for encoding biometric profiles, and that's a major problem for e-government applications, because client-based biometric readers often can't interact with back-end Web systems, according to Bill Windsor, GSA's senior smart card specialist.

"Until we get that interoperability, biometrics can't really take off," he said, noting that standards or a registry of algorithms similar to what's used for PKI digital certificates could be the solution to the problem. "So we're really just exploring their use and trying to promote the whole interoperability aspect."

Despite the hurdles, agency officials and industry observers suggest that biometrics will become more popular as an authenticator of e-government applications within the next few years. "We are beginning to see the beginning of the acceleration at this point," Authentify's Zurawski said.

Still, most people believe that biometrics will not make it as a stand-alone security device within the e-government world. Instead, as envisioned by GSA and other agencies, it will be used in conjunction with smart cards and PKI, adding that extra layer of security in an increasingly insecure world.

"Used individually, biometrics is not going to get us much more than we've got now," Collier said. "But if you combine all three elements — biometrics, smart cards and PKI — all of a sudden you have a solution that equates to a major leap ahead in raising the bar with regard to both physical and logical access security."

Hayes is a freelance writer based in Stuarts Draft, Va. She can be reached at hbhayes@cfw.com.

***

Finding the right application

Having trouble deciding where to start applying biometrics? Here are some ways to narrow the field:

* Where can you lower your risk? An online application that accesses sensitive data and is vulnerable to hackers and identity thieves would benefit from the added security layer biometrics offers.

* Where do you have a pre-existing relationship that you could easily build on for enrollment? A government-to-employee application involving access to personnel records is a good example.

* Where do you see the best return on investment? Using biometrics to enable employees to automatically change or reset personal identification numbers and passwords, for example, can save thousands of dollars in help-desk costs.