Use biometrics, with extra care

Organizations that implement biometrics need to consider security audits and pay attention to customer acceptance, says industry observer.

SINGAPORE--The use of biometrics may be catching on, but organizations need to give proper thought to risks across their system architecture and user education, according to an industry observer.

At the Secure IT 2006 conference, Ted Dunstone, chair of the technical committee under the Biometrics Institute, noted that while biometrics "frontiers are starting to look a lot less exotic today" compared to a few years ago, there are "still a lot of barriers to adoption".

According to Dunstone, biometrics is different from other authentication modes given that it is "always a probability-based science". There is almost never an exact match; in fact, an exact match "could signal vulnerability", he noted.

This signals implications for businesses, Dunstone said. In a non probability-based system, the source of a security breach typically lies with the individual who, for example, may have been careless with his password. In probability-based systems however, the "risk is assumed by the organization, not the individual", he explained. Organizations therefore, need to perform audits on the security of their biometric systems.

Dunstone, who is also the managing director of biometrics consulting company Biometix, added that government agencies have been early adopters as the "cost-benefit tradeoff is easier to establish"--a security breach could lead to serious, and costly, ramifications.

Today, biometrics is also increasingly being used in other sectors such as consumer electronics and banking and financial services, he said.

When implementing biometrics systems, businesses and organizations need to set user expectation right, said Dunstone. They need to spend time with users and explain how the system works. There also has to be an element of incentive for putting in place biometrics, and have the benefits articulated properly, so that people will be willing to use such tools, he said.

He urged companies that have previously explored the use of biometrics, but found the technology to be immature or unsuitable, to revisit the option and evaluate if the technology has "evolved to be a good fit for your organization's requirements".

Mobile, better-designed systems
At the Governmentware 2006 held this week in Singapore, a representative from the biometrics group of the country's Ministry of Home Affairs noted that the industry is moving toward mobile biometrics devices for enrolment and identification. There is also more attention being focused on enhancing the ergonomics of such systems. Governmentware, which ends its run tomorrow, is an annual platform for the public and private sectors to exchange ideas on information security.

However, the government representative noted that there were areas which need to be improved, such as the speed of biometric sensors and the quality of biometric templates, as well as product interoperability.