Identification by body parts, fingers, face or hands is one way to stop fraudulent activity. Today, airports are becoming the major proving ground for this type of technology, but the list of deployments is growing. Welcome to the world of biometric technology.
Biometrics, from the Greek for life measurement, covers a host of technologies in which the unique, identifiable attributes of each individual are used for identification and authentication.
With increasing concern for government and corporate businesses, biometric technology is becoming more commonplace as customer acceptance grows. But there's still a long ways for it to go, according to some industry commentators.
Fingerprint scanners, retina scanners and voice recognition software all fall under the biometric banner. Voice, iris, hand and fingerprint recognition can be used to validate the identity of individuals seeking to gain access to computers, airlines and databases.
Meanwhile, integrating smart cards, biometrics and key cryptography also provides a solid foundation for developing secure applications and communications.
But there are challenges on the road to widespread adoption including privacy and data handling, along with human factor issues. And those are just a few.
How the information is stored, handled and processed is a worry for many people, according to Dr Ted Dunstone, chairman of the technical committee at the Biometrics Institute, and managing director of Biometix.
"Where data is stored, how it's shared and who has access to it is a big worry," he said.
"One of the challenges with biometrics is integrating the technology properly into security management frameworks, and making sure all data captured is properly handled."
But there was help on the horizon, he said. The Novell network OS, for example, provided federated identity modules that allowed biometrics as a plug-in.
Managing director of distributor Frontier Solutions and Strategies, Paul Hughes, said biometrics standards and reliability were not up to scratch. "It is still not at the tried and true level," he said.
There was also a dark side to the use of biometric and other key cryptographic technology.
"Law enforcement agencies are sometimes faced with computer evidence from technical savvy criminals who have used biometric and key cryptographic technology to encrypt files of incriminating data or to even encrypt entire disk drives," Hughes said.
And while biometrics were an attractive option, he suggested putting in basic computer forensic tools, which could uncover hidden and deleted files, and using Password Recovery software, files can be decrypted and exposed.
This type of technology, like biometrics, added another layer of protection.
"A lot of people talk about firewall and antivirus to keep the bad guys from getting inside, but we're talking about the bad guys already inside the building, the disgruntled employees mailing corporate secrets to their next employer and deleting files," he said.
Indeed, these and other issues fall under the domain of the Biometrics Institute, which was founded by Dunstone in 2001 after doing consultative work in the area of biometrics for a host of government agencies.
"A lot of people are doing good projects, but not getting good results, so we needed a forum to discuss the main challenges and security issues," Dunstone said.
To help alleviate some of the angst surrounding biometrics - particularly on the privacy front - the Institute submitted a Privacy Code to the Office of the Federal Privacy Commissioner in May 2004. The code, which is still under review, aims to ensure that biometrics enhance rather than threaten privacy.
Dunstone said the code covered issues such as extra protection for biometric information collected by an organisation, the rights of consumers, accountability, standards and a complaints system.
Many government agencies and private sector companies want to sign up to the Privacy Code, he said.
In addition to privacy, the list of worries continues.
According to analysts, another concern was that there were too many cooks in the kitchen and not enough good quality food.
IDC software security analyst, Megan Dahlgren, said while there was a host of different providers pumping out the latest gadgets from mice with fingerprint scanners to retina scanners, keyboards and laptops with fingerprint readers, the key issue was the quality of the devices. "Some of these devices get old very quickly," she said.
The other consideration slowing down market adoption was the fact there was no end-to-end solutions available, rather there were bits and pieces floating about, Dahlgren said.
"The problem is there are no vendors providing the whole solution," she said.
There needs to be more software development in order to access the biometric system.
"What device will you use for the authentication?" Dahlgren asked.
Completing the picture
Typically, it was a different company providing the device and the software that sat on the client or server that read (or authenticated) the information, she said.
Dahlgren predicts the biometrics market will consolidate and overcome the lack of complete solutions.
Standards and reliability was another area of angst, Dunstone said.
"While there is a lot of work being done with standards, there is no sufficient adoption of technology in a wide scale to force compliance on vendors," he said. "So there are a lot of solutions out there that are substandard."
On the standards front, the primary interface available is the BIOAPI standard, which acts as a middleware broker allowing users to plug any biometric device into the security architecture without needing to reengineer it, Dunstone said.
Microsoft has also developed the Biometric Application Programming Interface (BAPI) interface, he said, but it was not widely known. "There isn't a lot published about this," Dunstone said. "Microsoft bought the interface off of I/O Software in the late 90s. But I've heard little talked about the BAPI."
Standards aside, Dunstone said people weren't comfortable with the technology. User acceptance was a big issue.
"One of the problems is failure to enroll," he said. "Some people find it difficult or can't use it. So we need more user friendliness. Improving the resistance of the technology to spoofing attacks also needs to be looked at."
Despite the challenges and lack of education, there was a role for resellers to play in peddling biometric services and products, Dahlgren said. Once consolidation took shape and there was more product integration, resellers could better offer biometrics as managed security services. Honeywell was doing just that, Pacific region product manager, Robert Spinetti, said.
"Most of our high-end customers are seriously looking at biometrics to tighten up security in their data centres or computer rooms to protect critical information," Spinetti said.
In order to keep intellectual property under control, people working in government, pharmaceutical and manufacturing spheres, in particular, were taking a shine to the technology, he said.
"Companies are using biometrics in a couple of different ways," Spinetti said. "As the second layer of defence, it can be tied into the access control systems."
Currently, fingerprint technology was getting the most hype, he said. The oldest and most widely accepted of biometric practices, the fingerprint biometric measures the tip of the finger, looking at friction ridges. No two friction ridges are the same.
"Iris scanning isn't as popular because people don't like lasers shone in their eyes," Spinetti said. "Iris imaging, is less intrusive but both these methods are more costly than fingerprint technology."
IBM's latest ThinkPad, the X41, incorporated a built-in fingerprint reader and software, IBM ThinkPad brand manager for A/NZ, Greg Hunt, said. The notebook featured a fingerprint reader built into the palm rest.
"It needs a live finger to make it work, which puts to rest all of those jokes about using dead fingers," he said.
Essentially, these types of solutions are helping businesses comply with regulatory compliance.
"We see the fingerprint reader as the most cost-effective method for encryption and authentication," Hunt said.
According to a 2004 Gartner research note, the increased focus on system security for regulatory purposes leads the firm to predict today's PC password standards will no longer be accepted in 2008.
Hunt said the biometric functionality would arrive on the R series in Q4. It had been available on select models in the T range since February. "SMBs, executives, or a corporate user will have the added security functionality," he said. "It will span across all segments."
And there was an additional security layer, he said. By combining the fingerprint reader with IBM Password Manager and the Embedded Security Subsystem, users couldn authenticate with a fingerprint and a single password instead of multiple passwords.
"You can lose your password easily, but it's hard to lose your finger," Hunt said.
Big Blue was expecting a lot of demand for the security feature among the Express line. It would be an attractive up-sell option for resellers. APC Australia's data centre infrastructure trainer, Jason Rylands, said reduced prices would also attract resellers to the market.
"It's a hot topic at the moment," he said. "The barrier for a long time was price, but now that the cost of chips is coming down dramatically, we're seeing many laptop manufacturers introducing biometrics as a standard."
Biometrics eliminates the enormous hassles with passwords, and addresses the single-sign on trend pervading the market.
"Passwords are the weak link," Rylands said. "Being able to sign in with a biometric device allows you to have a complex password."
APC is offering a USB biometric reader that attaches to a PC or notebook, and can enroll up to 20 individual fingerprints. Locally, the reader has been on the market for a year and is popular with the government sector, and catching the attention of the corporate market.
Resellers catering to the mobile computing space can bundle the biometrics devices and software as a complete security package.
"It's all about adding on options to get incremental revenue," Rylands said.
Despite the benefits, integrating the technology around business operations was still a challenge, Honeywell's Spinetti said. But biometrics fitted in nicely to the equation because another big trend was linking IT physical security.
"There's a convergence between physical and access control, linking the different types of applications and having identity management," Spinetti said. "One card controls permission on the network and physical permissions."
There were many services associated with biometrics, he said.
"As a technology solutions provider, we go down the path and consider risk mitigation, safety, security breaches, litigation and compliance," Spinetti said.
Executive general manager of NEC's Network Solutions Group, Ian Marks, said resellers could offer biometrics as part of the overall security package.
"We're working with our Nexstep channel partners to help them focus on total building awareness," he said.
A hot part of the mix at the moment was fingerprint identity, Marks said.
The company has had great success peddling automated fingerprint systems to the federal state police forces. It was recently awarded Singapore's first biometric passport project, and a tender was out for the CentreLink welfare project here in Australia.
And while the company is seeing the majority of uptake in the government space, the corporate space is coming to the table since prices have dropped, and the technology is the most accurate of the biometric bunch.
But there was still concern over the intrusive nature of fingerprint technology, whereas iris scanning was seen as more acceptable, Marks said. "There's still some stigma associated with handing over your fingerprints - I guess you might feel too much like a criminal - whereas for some reason people are happy to peer into a hole for iris scanning," he said.
Facial recognition was an area to watch in the commercial space, he said.
"While facial technology is not as accurate, the main advantage is it's non-cooperative. With all the others, people have to participate."
While fingerprint technology has a one in 10,000 accuracy rate, he said the figure for facial recognition was about one in 1000. He expected the facial accuracy rate to improve in the next 12 months.
Despite the technological promise, Dunstone warned the industry not to get too excited - just yet.
"It definitely represents a growing opportunity for resellers, but it is still dangerous waters because it's hard to make the business case for the technology," he said.
But the pendulum would swing once there were more high profile deployments, Dunstone said.
"The CentreLink project is a case in point," he said. "There is a big push to have fingerprints out to every desktop." Speaker verification was another area of promise, he said.
Beyond these examples of single use biometrics, the future was likely to revolve around offering multimodal technology, Dunstone said. This grouped more than one biometric technology including voice and face or iris and fingerprint. "It will give us even more information and better access," he said.