Warriors have long used emblems, uniforms and tattoos to physically
identify themselves to their compatriots. Secret passwords were in use
long before the first person logged in at a keyboard.
Today, the world of enterprise security is increasingly incorporating
biometric identifiers as an additional weapon within the security
arsenal.
International Biometric Group, a New York City-based consulting firm,
reports that the worldwide market for biometric devices grew 67 percent
last year to reach $1.2 billion. And analysts there estimate a further
expansion to $4.6 billion by 2008.
The largest share of that money (48 percent) goes for fingerprint
recognition systems, followed by facial recognition (12 percent). While
these two are the most popular, there are other methods that analyze a
person’s physical or dynamic characteristics. Physical biometric
methodologies also look at:
in the retina;
of bones and joints, and
“When looking at strong authentication, you want two out of three
factors — something you have, something you are and something you
know,” says Eric Ouellet, vice president in Gartner, Inc.’s security
research group.
While eyes, hands and skin are commonly used as biometric identifiers,
more dynamic methodologies also are being introduced, such as:
when the user ID and password are entered;
as analyzing the speed and pressure used while writing, and
To keep performance high and storage requirements manageable, today’s
biometric technologies do not have to store or analyze a complete picture
of the body part or the physical feature being used. Imagine the
processing power that would be needed to store a high resolution picture
of someone’s face and then compare it with a live image pixel by pixel.
Instead, each method reduces the body part or activity to a few
essential parameters and then codes the data, typically as a series of
hash marks.
For example, a facial recognition system may record only the shape of the
nose and the distance between the eyes. That’s all the data that needs to
be recorded for an individual’s passport, for example.
When that person comes through customs, the passport doesn’t have to
include all the data required to reproduce a full-color picture of the
person. Yet, armed with a tiny dose of key biometric information, video
equipment at the airport can tell whether the person’s eyes are closer
together or if his nose is slightly wider than the passport says they
should be.
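
The reduction to a few parameters described above can be sketched in code. This is an added example, not taken from any product or vendor named in the article: the two features, the millimetre measurements and the thresholds are constructed, and the distance-with-tolerance comparison is an assumed, simplified matching rule. It shows how the stored template is compared with a live measurement and how the chosen tolerance trades false rejections against false acceptances.

```python
# Added example: matching a live measurement against a stored template
# built from a few parameters. All values are constructed, in millimetres.
from math import sqrt

FEATURES = ("eye_distance", "nose_width")

def enroll(samples):
    """Average several captures into one stored template (mean per feature)."""
    n = len(samples)
    return tuple(sum(s[i] for s in samples) / n for i in range(len(FEATURES)))

def distance(template, probe):
    """Euclidean distance between the stored template and a live measurement."""
    return sqrt(sum((t - p) ** 2 for t, p in zip(template, probe)))

def matches(template, probe, threshold):
    """Accept the probe if it lies within the tolerance around the template."""
    return distance(template, probe) <= threshold

def error_rates(template, genuine, impostors, threshold):
    """Return (false_reject_rate, false_accept_rate) at a given threshold."""
    false_rejects = sum(not matches(template, g, threshold) for g in genuine)
    false_accepts = sum(matches(template, i, threshold) for i in impostors)
    return false_rejects / len(genuine), false_accepts / len(impostors)

# Constructed enrollment captures of one person.
ENROLLMENT = [(63.0, 35.0), (63.4, 34.8), (62.6, 35.2)]
# Constructed later captures of the same person (lighting, pose, swelling).
GENUINE = [(63.2, 35.1), (62.5, 34.6), (64.5, 35.9), (63.0, 36.8)]
# Constructed captures of other people; one happens to look similar.
IMPOSTORS = [(60.0, 38.0), (66.0, 33.0), (63.8, 36.0), (58.5, 34.0)]

TEMPLATE = enroll(ENROLLMENT)

if __name__ == "__main__":
    # A tight tolerance locks out the real user; a loose one admits others.
    for threshold in (0.5, 2.0, 4.0):
        frr, far = error_rates(TEMPLATE, GENUINE, IMPOSTORS, threshold)
        print(f"threshold={threshold} mm  FRR={frr:.2f}  FAR={far:.2f}")
```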
None of these biometric systems are infallible, of course, though the
rates of false negatives and false positives have markedly improved. One
of the problems with fingerprint readers, for instance, has been that
they could not distinguish between an actual fingerprint and the image
of one.
In the recent movie National Treasure, Nicolas Cage’s character
lifted someone’s fingerprint off a champagne glass and used it to gain
access to a vault. That is not pure fiction.
Japanese cryptographer Tsutomu Matsumoto lifted a fingerprint off a sheet
of glass and, following a series of steps, created gelatin copies. He
then tested these on 11 fingerprint readers and each accepted the gelatin
prints.
Outside the lab, Malaysian thieves chopped the fingertip off a
businessman and used it with the fingerprint reader on his Mercedes. But
none of those methods would work with higher-end fingerprint readers.
“The latest fingerprint readers are incorporating more advanced
features, such as making sure the finger is a certain temperature,” says
Ouellet. “Everyone’s hand is different, as some are consistently warm or
cold. In addition, they can also check if there is a pulse and tell how
much pressure is being applied.”
Such sophistication, however, has its drawbacks.
Authorized users may find themselves locked out even when the devices are
working properly. Why? Tiny changes, due to accidents or injuries, can
change a biometrics profile, rendering it effectively obsolete.
“The thing to keep in mind with any biometrics is that your ID does
change over time,” Ouellet says. “If you cut your finger, your
biometric may not be the same any more. Or your early morning voice is
different than after talking for eight hours.”
Biometrics in the Enterprise
While biometric authentication certainly adds an extra layer of security,
it would be a mistake to implement a high-end system and then feel that
break-ins would instantly be consigned to the history books. It takes
back-end integration, constant vigilance and consistent user involvement
to keep an enterprise secure.
“We feel security is a user issue and must go all the way to the
desktop,” says Stan Gatewood, chief information security officer at the
University of Georgia, Athens. “Our philosophy is to do defense in
depth. We have a very layered architecture and assume that any layer will
fail some day.”
The most popular biometric tool at the moment is the fingerprint reader.
Some even use USB drives. And some keyboards and laptops come with them
built in. These devices have come way down in price. As a standalone
device, the unit price has dropped below $100. But, in an enterprise
setting, that is just the start of the costs.
“Often, companies look at biometrics as being ultrasexy, cool
technology, but they forget that there are integration issues,” says
Ouellet.
IT departments have to ensure, for example, that back-end security
systems can accommodate biometric authentication, and scale to the
required number of users. Plus, if fingerprint readers are not
incorporated into the laptop or desktop, it adds to the number of devices
that need to be supported by IT.
There is little point, then, in adopting a stand-alone biometrics system
that cannot easily be assimilated into the organization’s existing
security fabric.
“Security is no longer something you can address as an afterthought,”
says Brett Rushton, vice president of strategic services for network
consulting firm Calence, Inc. in Tempe, Ariz. “It needs to be built into
the infrastructure to deal with pervasive threats.”
The good news is that the biometric authorization techniques are no
longer so leading edge that they are difficult to marry with traditional
security safeguards. Today’s systems are well enough developed that they
can be incorporated into enterprise systems without too much effort.
“A strong authentication system is what you want to focus on and
biometrics can be part of it,” says Ouellet. “But the user should still
have to memorize something or have a token, and you need to make sure
that policies and the management structure relating to it are firmly in
place.”