
Biometrics finds its niche

Biometrics will never live up to its post-September 11 hype, but Steve Hunt of Giga Information Group says the technology has found its perfect niche: the biometric smart card.
Written by Eric Butterfield, Contributor
Steve Hunt
Vice President of Research
Giga Information Group
Steve Hunt is vice president and security research leader at Giga Information Group, where he recently published research on biometrics. In the wake of all the post-September 11 hype about the technology, Tech Update asked him where it now stands, and which biometric technology he expects to make the biggest splash in enterprise.

But first, Tech Update asked him where all the enthusiasm for biometrics has gone.

The rage was post-9/11 when facial recognition vendors started promoting a media frenzy about the use of biometrics to inhibit terrorism. That promise has never been fulfilled… a lot of folks thought, 'Biometrics are a solution against terrorism.' From that false assumption, we saw a lot of stock activity in biometrics-related companies, and a lot of media attention, and discussion about the potential uses of biometrics.

Biometrics haven't changed in the last year. Nothing changed after September 11 to make biometrics more interesting or useful than they were before, except some excellent public relations and media. The uses of biometric technologies are still as limited and tactical as they have ever been. But biometric technologies extend far beyond facial recognition, whose primary use is picking faces out of a crowd or identifying faces against a database of recorded faces.

There are other biometric technologies besides facial recognition that are interesting. Probably the most useful and flexible biometric technology is the fingerprint reader. It performs an accurate biometric scan. It can be encrypted; it can be protected. It can be built into a keyboard, a smart card reader, or an ATM machine.

We asked if the successful foiling of face recognition systems and fingerprint readers concerns him.

Those methods for bypassing the effectiveness of a biometric reader sound easy, but some of them are not that easy to perform. For example, the photo image to trick a facial recognition reader has to be a digital image, one that's broadcast, probably from an LCD screen--which means you have to walk up to the thing with your laptop open. Now, most facial recognition readers are not in private places--they're right there in the building lobby or other high-traffic area. So it's unlikely that someone can fraudulently bypass them. In real life it's just unlikely that that hack is going to work. But yes, it is possible.

With fingerprints, you can use a "gummy finger" (a gelatin mold of a finger) and the lifted fingerprint. Or, if it's an optical reader, we've heard of people shining a flashlight on the reader, and it accepts the previous fingerprint--the oil residue still remaining on the reader. So, yes, there are shortcomings. But when used in conjunction with another authentication type, those shortcomings just plain go away because you already have to know a password and user ID.

Hunt's research has led him to conclude that sending biometric information to a database is a big security liability.

If two-factor authentication is a good idea in general, and biometrics may play a part, I'm probably not going to recommend many of the solutions out there. Why? Because you still have biometric data passing across a wire and being stored in some database somewhere. If it passes across a wire, it's going to get hacked. It can be sniffed, so you have to assume it will be at some point.

And if it's sitting on a database somewhere, how well is it protected? Most of the vendors will come back and say, "It's encrypted," but so what? It takes me 20 years to decrypt the thing. In 20 years, you're President of the United States, and I've got your fingerprint. So, that doesn't help me to relax at all.

Based on his research, Hunt thinks bundling biometric authentication with a smart card is the way to go.

One of the cool technologies that we are seeing is the fingerprint reader built into or onto the smart card reader. Now, this is a new advance. A little company called Precise Biometrics out in Virginia, and ActivCard, have this dynamic duo of authentication, so that biometric data doesn't have to cross a wire of any length. The encrypted hash, or encrypted derivation, of the biometric signature is actually stored on the smart card, which you keep as a plastic card in your wallet, or as your building ID badge. If it's an ID badge, it probably has your picture on it. So it's virtually impossible to perform a fraudulent authentication. In fact, it's tantamount to having the person living and breathing right in front of you with a government-issued photo ID.

For logging into the computer, do you need to use a biometric today? No. You could probably get away with not using it for the next 20 years. But for some transactions, you may want to accompany the smart card with a biometric. So the point I'm making is that it's the smart card that is the key to our success, the key to the future. The smart card is the multifunctioning authentication form factor that enables a tremendous variety of usages. It's easy to transport, and requires no end user training because we're all familiar with carrying plastic cards in our wallet.

Despite the promises, biometric measures don't trump passwords, says Hunt.

In my view, biometrics, as cool as they are, suffer many of the shortcomings of passwords. Because you can lift them--just like you steal a password, you can steal a biometric signature or fingerprint or face. Passwords are often considered not private because people can figure out what those passwords are, or they're passing clear text across the wire. And faces and fingerprints are not private--you leave fingerprints all over the place, on everything you touch.

The bottom line is that biometrics suffer many of the same shortcomings as passwords, and they're a hell of a lot more expensive than passwords. So why use them? The answer is, you can use them in conjunction with a smart card.

Will biometric smart cards save money compared with storing biometric data centrally? Hunt says they won't, but that isn't what's important.

If you have a big $10,000 Unix box storing a bunch of biometrics with lots of expensive encryption and security hardware and software built into it, that's pretty darn expensive. And smart cards themselves are a pretty inexpensive commodity that can be produced and sold for fractions of a dollar apiece. The readers are priced very inexpensively. But when you start scaling them across a large number of employees or high-value customers, the cost might be about the same. But that's irrelevant ultimately, when you can spend $50,000 to have really bad security, or to have really good security. The cost is irrelevant. The quality of the solution is what we're measuring here.

I think smart cards are going to be widely adopted. By 2005, smart cards will be a standard authentication type and identification medium. But biometrics will be used in conjunction with those smart cards in a small percentage.
