Process, not tech, is key to biometric success

An HP senior executive quells privacy and security concerns about biometric security systems.

SINGAPORE--The success of biometric systems depends on the implementation process, not on technology alone, according to an HP security expert.

Speaking on the sidelines of a biometric conference held in the island-state today, Mark Crosbie, senior security technologist at the Hewlett-Packard Security Office, said there are several processes involved in a successful biometric roll-out.

"The failure to do any one of them in the right order will drastically impact the effectiveness of your (biometric) system," he told ZDNet Asia.

The first step in a successful biometric technology implementation, he said, is the enrolment phase. Organizations must gather the biometric data of their users in a controlled fashion, because inaccurate data will result in poor matches, he explained.

Typically, the enrolment process should be supervised by service staff to ensure users present documents--such as existing ID cards--that verify their identities. Multiple biometric samples may be taken, whether they are of facial features or fingerprints, Crosbie added.

Duplicate checks using existing biometric data must also be undertaken to ensure a fresh applicant has not previously applied for a similar document under a different name.

Once the biometric document--say, a passport or identification card--is issued, the next phase is identification and authentication using fingerprint, iris or facial scans. This is where potential security breaches could occur.

"When people think of biometrics, they naturally think of spoofing, but the security aspect is much broader than that," he said.

Any IT deployment faces challenges in securing confidential data and access controls, and biometric systems face similar challenges, Crosbie said.

However, spoofing--such as using dummy fingers or holding up pictures of faces to access a protected facility--is more specific to biometric systems, he said.

Crosbie noted that biometric spoofing attacks are about two to three years old and should be less of a concern now, because biometric security systems have been beefed up. "The technology has moved on quite a bit since then."

For instance, there are biometric systems which no longer work with dummy fingers, because they use sensors that recognize "live" fingers.

Also, there are iris sensors that now check for the rotational jitter of the eye, he said. "If you hold up a static photograph, there's no way you can simulate that jitter."

In any case, cooking up ways to bypass biometric security systems only works in unsupervised environments, Crosbie stressed.

"In security sensitive areas, there will always be a layer of physical security checks, with a person watching out for suspicious activity," he noted.

However, biometrics will not replace the human touch. "There is always a role for human security guards," he added.

Crosbie also played down privacy concerns surrounding biometrics, as biometric data are not secrets, he said. "You leave fingerprints everywhere, and your face is quite visible to everybody."

What most people are worried about is the linkage between biometric databases held by different parties. Biometrics does not necessarily make such linkages any easier, because governments can already do so if they wish, he said.

"Biometrics tends to be what people latch on for their 'big brother' concerns, which may be quite legitimate. But in itself, the technology is just another security tool," he pointed out.

Crosbie also quelled fears that terrorists might arm themselves with biometric data readers to identify targets from a crowd. He noted that readers and chips are required to authenticate to each other with encryption keys before data can pass through.

"This is done in a matter of centimeters away, so standing across the room and reading an RFID tag would be quite difficult to do," he said.