
Biometrics: Still searching for a pulse

A couple of years ago, the uptake of biometric technology was considered a sure thing. But fast forward to present day and companies are reluctant to use biometrics due to their negative stigma.
Written by David Braue, Contributor

Contents
Introduction
The world's easiest business case?
The big sticking point
Putting your finger on it
Sidebar: Getting a feel for biometrics

Users have been whinging about passwords for years. They've set them, reset them, forgotten them, bullied help desk operators about them, written them on sticky notes attached to their monitors, and made them deliberately easy to remember despite a thousand security warnings from IT staff.
Passwords may be understood as necessary for security, but most users still hate having to try to remember and change many different passwords for different systems.
Offer them an alternative, however, and you're not likely to get a lot of takers. One-time-password-generating hardware tokens like RSA SecurID have become the most popular alternative for remote user authentication, but they're generally deployed as a second layer of security on top of passwords, rather than as a replacement for them.
Smartcards, once expected to turn the authentication world on its head, faded into the background as technological ennui took the place of once rampant enthusiasm. Ditto public key infrastructure (PKI): the challenge-and-response encryption and authentication framework that was once expected to be ubiquitous by 2003/4 has faded into irrelevance due to customer apathy and solution complexity.

Dramatic change in user authentication policies takes a long time -- even when the alternative can be easier and more practical than current options. One such alternative is biometrics, which has shed its earlier sci-fi image but is still struggling to convince businesses it is a viable replacement for much hated passwords.
Sure, there are limited deployments of the technology: data centres, for example, often use hand geometry recognition devices at the doors of sensitive rooms to screen potential entrants. Disneyland has used the same technology to identify season pass holders. Governments are wrestling with the practical implications of using face recognition and fingerprint scanning to better identify travellers, and financial institutions have long used biometrics to secure sensitive areas of their labyrinthine facilities -- or so we are told, since most companies refuse to discuss just what security technologies they are or are not using.
An indication of just how far below expectations biometric takeup has been comes from comparing the 2000-2005 and 2003-2008 market reports from US-based biometrics cheerleader International Biometric Group (IBG). In 2000, IBG predicted worldwide biometric revenues would grow from US$399.4 million in 2000 to US$1.9 billion by 2005, predicting that private sector deployments would surpass government deployments of the technology by 2003. Biometric sales for PC and network access would, IBG believed, reach US$423 million in 2005.

Last year, less partial observer Frost & Sullivan pegged the global market for biometrics at just US$303.3 million in 2003 -- just months after IBG said the market had been worth US$719 million worldwide in 2003, 20 percent lower than its initial predictions for the year. Both companies were bullish in their outlook for the future, with IBG projecting revenues would reach US$1.2 billion in 2004 and Frost & Sullivan predicting revenues of US$3.5 billion by 2009, largely on the back of biometric border control projects.

In its 2000 prediction, IDC projected that fingerprint scanning technology -- by far the most readily accessible and acceptable form of biometric identification -- would be worth US$656 million alone by 2005. However, IBG's own optimistic figures put fingerprint sales at just US$350 million in 2004, a figure the group said reflected the hindrance of initial growth by lack of biometric standards and overall slower uptake.
"Although exciting and potentially useful, [biometrics] is still not ready for enterprise use as an effective alternative or supplement to widespread authentication," META Group analysts wrote last year. "There are still issues to resolve regarding accuracy, standards, integration, and leadership in this area before a common approach can be recommended. We anticipate it will be late 2005 or early 2006 before we see encouraging movement from government and retail investments for potential options."

The world's easiest business case?
Such difficulties have dogged the growth of what should rightfully be an explosive market, given that password replacement is among the easiest business cases that a company could contemplate.
Not following? Consider the burden that passwords currently place on the IT organisation. Each user has one, or probably several, passwords, each of which must typically be changed every month or two.
Being human, users often forget their passwords, and must call the help desk to have them reset. Simply in terms of lost labour, Gartner estimates the cost of password resets at between US$51 and US$147 each, or US$400 to US$600 per user per year. Between 20 percent and 50 percent of all calls to IT help desks, Gartner research suggests, are because users need their passwords reset.

In other words, a modestly sized environment with just 500 users might be spending US$250,000 annually just to keep those users' passwords updated. These figures are often unavailable to most companies because they're subsumed within overall helpdesk costs, but when broken out of helpdesk costs they represent a significant line item.

Regular password changes also present an often ignored security risk, since authentication by phone requires helpdesk operators to establish to their satisfaction that the person on the phone is the person they say they are. While many companies will have clear guidelines for establishing this fact, such manual processes leave open a significant potential security hole that could be exploited by savvy social engineers.
Now consider the alternative: an AU$75 USB fingerprint scanner installed at each desktop, for a one-off cost of AU$37,500 in the same environment. Users can hardly forget their fingerprints, and both desktops and notebooks can be easily configured to limit access to those whose fingerprints are in the encrypted on-disk database.
Network applications can be secured in the same way, with scanned fingerprints generating a long and unique string of bytes that is infinitely harder for criminals to guess than a simple alphanumeric password.
The volume and cost of password-related helpdesk calls drop to zero, and users can get to the applications they need faster than ever. Particularly sensitive applications might get two or more layers of protection, but elimination of passwords for access to everyday systems nonetheless offers significant savings.
Standalone USB scanners aren't the only way to introduce fingerprint scanning, which certainly isn't the only form of biometric authentication, but it is the only one to have come down in cost enough to be a viable workforce-wide authentication option. Mice, keyboards, and several models of PDAs such as the HP iPaq have offered built-in fingerprint scanning for years; notebook makers have sporadically followed suit. For its part, IBM late last year released its first-ever notebook with an in-built fingerprint scanner.
For companies considering the introduction of biometric authentication, the widespread availability of fingerprint scanners may well make such devices worth considering during their next desktop upgrade. Under the cost equation discussed above, the small incremental cost of biometric-capable devices will be more than made up for by the potential savings from password replacement.

The big sticking point
For technology that works so well and makes so much business sense, it seems ironic that biometrics has had such a hard time establishing itself within corporate information strategies -- particularly given that analysts such as META Group have identified the movement away from password-based security as a strategic imperative.
The reasons for this reluctance are far from straightforward. It is clear, however, that one key issue is that of confidence in biometrics: despite overall strong performance, confidence has been rattled by sporadic research findings such as the infamous "gummy finger" method of beating fingerprint scanners, in which latent fingerprints are lifted from everyday objects and used to generate a faux finger for identification.
Biometrics vendors have guarded against such fraud by adding, for example, sensors that detect the flow of blood through a finger. Yet claims any security technology can be surmounted can be fundamentally damaging, particularly when the technology is being pitched at critical levels. Faced with the prospect of unknown risk from biometrics, versus the known but expensive cost of passwords, most companies have opted to bite the bullet and wear the cost of password systems.
Such delays can be partly attributed to established perception of biometric technology: years ago, analysts tied the success of biometrics to that of related technologies such as smartcards and PKI, which they believed would be used to secure the biometric signatures to which scanned images would be compared. With PKI and smartcards now little more than a footnote to the story of enterprise security, however, biometrics has suffered by association.

"There are a lot of organisations lining up to use biometrics, but at the moment they're very carefully analysing the cost effectiveness, functionality and pricing of the products," says Terry Aulich, a former state minister and privacy advocate who now acts as project manager and strategic advisor with local biometrics centre of excellence the Biometrics Institute. "The industry is poised to take off as clients examine their needs, but I think it's generally following the same pattern as the rest of the industry: people are taking a more realistic view."

Another major setback, and a problem that has always plagued biometrics, is user perception. IT managers may appreciate the benefits of fingerprint scanning technology, but many users would still prefer to struggle with passwords for identification no matter how much easier it is to use their fingers.
Inherent mistrust of biometric technology has unclear roots, since debates about misuse of biometric identifiers are still speculative. "It's just a cultural thing," says Aulich. "To some extent, biometrics such as fingerprints have been associated with criminal control, and this sits there on people's minds."
Paired with intrinsic mistrust of any government initiative seen as trying to harvest too much personal information, biometrics may seem doomed. Discussions about potential use of biometric identifiers within passports -- a conclusion that now seems inevitable given the US Government's hard-line stance on biometric-laced passports -- have created a spectre of privacy concerns that has further shrouded any useful discussions about the technology.
Whether or not the use of biometrics leads to privacy breaches is irrelevant; users' negative perceptions of the technology could well lead to a rebellion in companies that tried to introduce it, even though it would theoretically be well within a company's right to mandate biometric systems access just as password-based access is now mandatory.
"There's an element of change management to it," says Ted Dunstone, CEO of biometrics integrator Biometix, who recommends companies take a slow-and-steady approach to biometrics that varies from biometrics-only authentication for general-use applications, to a layered approach for more sensitive applications.
"If you go in there and insist that people use the technology, there's a built-in resentment towards it. In introducing this into a workforce, you wouldn't want to make it compulsory; you would find there would be enough buzz generated by its use, just by making it easier for users than having to type in their passwords."
Companies may find that certain types of biometrics are more acceptable than others; generally, the less intrusive the technology, the more likely it will be acceptable to users. For this reason, speech recognition vendors are enjoying some success in adding voice pattern-based authentication to existing speech recognition applications, such as the call centre systems used for flight bookings and other phone interactions.
Since everyday use of the phone and the network for carrying a voice is already ubiquitous, voice verification technology may well be the least intrusive form of biometrics out there -- and it can be invaluable for organisations that need to verify the identity of remote workers or customers over the phone.
"The applications for voice biometrics actually become quite self-evident," says Clive Summerfield, a speech systems expert who founded and sold Syrinx Speech Systems to move into biometrics through his current venture 3sh.
"Having call centre operators ask callers for personal information is time-consuming, frustrating for consumers, and it's a big security hole because call centre agents have been known to use that information for personal gain," Summerfield says.
"With voice biometrics, you can implement a two-factor authentication system that uses both an aspect of something you know -- such as your name or address -- and your voice characteristic. You're not only doubling up the factors of the authentication credential, but you have the telephone network out there so it's readily accessible."
Introduction of other biometric technologies, however, is hard to accomplish without specific user assent. Recognising this fact, Biometrics Institute member organisations have been working on a formal code of practice for the collection and use of biometric information within various organisations.
Currently before the federal Privacy Commissioner for assessment against the requirements of the Commonwealth Privacy Act, the introduction of the code -- hoped to be in place by midyear -- will provide a more coherent policy target for companies interested in introducing biometrics, whether for identification of employees or customers.
A carefully managed logo program will allow organisations to certify their compliance with the code of practice, a move that Aulich hopes will encourage companies to consider biometric technologies in the long term. "A lot of organisations need to try harder to make sure they systematically assess the privacy implications of new technologies and procedures they bring in, and new services they offer," he says.
"Currently, there really isn't a benchmark for biometrics, and I think the code of practice will make companies, the general public, and government agencies more comfortable with biometrics. It will give them a benchmark to work against, and procedures that will help them systematically assess whether they have covered privacy adequately."

Putting your finger on it
Biometrics technology is far more reliable and better understood than it was just a few years ago. Having lost its sci-fi perception, finding the road forward will rely on the willingness of various companies to embrace the technology -- and to do so publicly so that others can learn from their experiences.
Over time, biometric authentication may find its place as an element of the overall trend towards implementation of comprehensive identity management infrastructures. This trend is based around the idea of identity management, a relatively new catchphrase that has revived disparate earlier efforts in areas such as remote user authentication, PKI, policy-based access control, directory services integration, and other elements.
A recent META Group analysis argued that identity infrastructure would be tightly integrated into application stacks over the next few years, then cease to be a standalone product market by 2007 as user lifecycle management is brought closer to other IT operations functions. As such identity management becomes pervasive and standards are put into place, biometrics could well merit another look as one of many end user authentication technologies capable of integrating with federated identity management systems.

Much of that integration will come as biometrics vendors continue their work to standardise interfaces to biometric authentication devices. In this area, the work of the BioAPI Consortium (www.bioapi.org) has united around 90 vendors to standardise interfaces between biometric equipment and corporate security infrastructures.

Hardware interfaces have been relatively standardised by the publication of BioAPI 1.0 back in 2000, a more recent update to v1.1 and the companion international v2.0; however, tying BioAPI-compliant devices into corporate authentication frameworks still requires more work.

For biometrics advocates, the technology's ongoing slow progress remains a source of considerable frustration. Although gradual penetration of fingerprint scanners indicates the industry is showing tentative support for biometrics as a general form of authentication, it is still not clear what will make the industry dispel corporate fears of the technology once and for all.
Although many corporates continue to consider biometrics for limited use in niche applications, for now most will continue to watch government-run biometrics projects with interest.
Despite their ambitious scope, such projects -- initially focused on border control -- will be the litmus test for biometrics in broad usage, highlighting how far the technology has actually come and providing a framework for future planning among businesses keen to revisit their user authentication. "I don't think biometrics is likely to reach ubiquity at a corporate level until the business case for the introduction of biometrics is so clearly apparent for people [that they can't avoid it]," says Dunstone.
"The cost of biometrics has decreased and the relative level of threat and awareness by business has increased, but I think we're probably at least five years away from seeing it in a ubiquitous sense."

Sidebar: Getting a feel for biometrics
Biometrics would seem to be a clear advantage when it comes to security, but there are a few things to consider before you jump into the technology:
  • Measure your risk. Like all security technologies, each form of biometrics has its own risk profile. You must be comfortable with the risk exposure and benefits it provides, particularly in comparison with your existing authentication methods.

  • What price, security? Fingerprint scanners have come down in price substantially, but other forms of biometrics still remain relatively expensive. Weigh the technology's likely cost against the value of the information you're protecting, and you'll have a good sense of whether it's worth the extra investment (it usually is).

  • Assess your current costs. You may never have considered it, but maintaining passwords for employees is probably costing you a bundle. Work with the call centre manager to get some clear statistics about how much time is being spent servicing password change requests, and your business case for biometrics is likely to jump out at you.

  • Consider a staged rollout. You don't have to jump straight into biometrics with both feet; be sure to trial it in small user groups to catch any problems before you expand its scope. It's easier to wean people off their passwords slowly than to force them to go cold turkey.

  • Use the onion approach. Security in layers can be even better than a completely new form of security. Rather than necessarily seeing biometrics as a complete password replacement, consider retaining passwords but allowing users to keep much easier-to-remember passwords.

  • Get physical. Biometrics isn't just for securing systems access; many companies use expensive hand geometry scanners or iris scanners as super-strength door locks to physically secure sensitive parts of the business, but still use passwords for general systems access.

  • Respect their privacy. Fingerprint and other scanning devices simply produce a string of numbers, but oh!, how contentious that string of numbers can be. You are not outside of your rights to implement biometric security, but be sure rollout plans are made with the full involvement of users, legal, business and technical representatives so nobody gets their nose out of joint later on.
  • There are many benefits below the radar. Each form of biometric identification has its own level of intrusiveness. You may find employees balk at highly intrusive forms of authentication, but that your business can still get benefits by introducing non-intrusive voice authentication over the phone. This could be useful both for authenticating customers and, for example, confirming the identity of a purported employee who is calling an internal help desk for a password change.

  • Single sign-on at last? One of the biggest benefits of non-repudiable authentication is its ability to enable single sign-on (SSO), that security nirvana in which one challenge-response authorisation is enough to provide employees with access to all of their various corporate applications. Biometrics are far more appropriate for SSO than passwords -- so now may be the chance to make SSO a reality.

  • Plan for biometrics. Reliable fingerprint scanning technology has been available, and built into everything from mice to keyboards to PDAs, for years. However, most corporate IT buyers have ignored biometrics unless their needs demanded it -- and that has rarely been the case. With prices for fingerprint-capable devices now only nominally higher than those for ordinary devices, your next hardware refresh is a great time to consider rolling out ubiquitous biometrics. Once the hardware is in place, the apps will flow from there.

This article was first published in Technology & Business magazine.