All eyes (and hands) on biometrics

But despite improvements, agencies best served by keeping options open

The iAccess VA100 authenticates people by reading blood vessel patterns through an infrared camera.

Rick Steele

The HandKey CM reads hand prints. Both, iAccess VA100 and HandKey CM are suitable for high-traffic environments where agencies want to control physical access to facilities.

The first fingerprint biometrics vendors made both the hardware and the software for their devices. One year's product might suffer from software glitches, while next year the hardware would fall short of buyer expectations.

Some companies, such as Sweden's Precise Biometrics AB, saw that consistency was crucial to their survival and abandoned software development in favor of making more reliable hardware. Others such as Ethentica Inc., which kept producing both hardware and software, went under.

In contrast, the early problems with facial biometrics were mostly with the software engines. They were slow and counterintuitive. Software complexity affected reliability, which gave the earliest facial-biometrics products a reputation for dubious accuracy.

But advanced 3-D imaging'for example, holographic neuro-quantum technology from AcSys Biometrics Corp. of Burlington, On-tario'has dramatically improved reliability. Facial-recognition survivors such as Identix Inc. of Minnetonka, Minn., have now im-proved their products' engines enough to measure skin texture accurately. (Identix was invited to participate in this review but declined. I did, however, try out their latest FaceIt software at the recent Biometric Consortium 2004 conference in Arlington, Va., and was impressed with the improvement.)

For this review, I sampled a variety of the latest biometric technologies, including fingerprint and iris scanning. I also checked out new solutions that recognize handprints, handwriting and even the blood vessels in a finger. What I found is that ultimately, the best choice for agencies may be an enterprise solution that supports multiple biometrics.

Swiss Army knife of biometrics

In past GCN Lab reviews, SafLink Corp. of Bellevue, Wash., and other companies that focus on enterprise-level biometric management software took a back seat to hardware vendors of iris, fingerprint and facial scanners. For a while, government agencies couldn't decide whether any biometric technology was reliable enough. That concern, coupled with indecision about which type of authentication to choose, has kept enterprise biometric management software out of agency buying plans.

SafLink's SafSolution 1.0 is one of the most robust enterprise-level biometric programs around, simple to set up and completely customizable for network and agency needs. And it comes with several individual solutions that an agency can mix and match. I've evaluated some of those individual solutions separately so an IT group has an idea of which to focus on.

SafSolution has a lot of features I've never seen in other programs. Its Delegate option lets one user take on the role of another for admission to a certain area, computer or network. This is handy for managers who need to monitor project areas without having to be enrolled for the projects. It could give a government contractor, for example, a quick, safe, temporary entry to repair something without needing to go through a lengthy enrollment.

An administrator can set up the Delegate option with just one mouse click. SafSolution's audit and cataloging system can distinguish between delegated log-ins and real user log-ins. So, if User X made changes as User Y, the software would catalog those changes as made by X delegated as Y.

The most secure networks have several layers of protection, and SafSolution can work in conjunction with digital certificates and smart cards. It can also be programmed to lock or log off a computer when a smart card is removed.

One improvement I hope to see in a future version of SafSolution is extension of its public-key infrastructure and biometric security to defend network or facility perimeters.

SafSolution has many password options. For example, agencies could tie passwords to user biometrics and have SafSolution randomly create a multiple-character password the user never need memorize. When it's time to change the password, SafSolution can make the change without interrupting the user or administrator. It can even generate a new, 125-character password each time a user signs on.

SafSolution authenticates as well as tracks the authentication'it does not manage users or identities. It uses what SafLink calls Identity Assurance Management, which verifies whether persons logging in or entering a facility are really who they claim to be.
[IMGCAP(2)]
The strongest form of authentication in SafSolution is iris scanning with software from Iridian Technologies Inc. of Moorestown, N.J., and a Panasonic Authenticam webcam.

Iridian's Private ID and KnoWho systems, incorporated into the SafSolution application or available separately, are nearly impossible to circumvent. That's because each human iris is unique and can have up to 30,000 minutiae points.

I did experience a long learning curve for the iris recognition software, however. And it felt somewhat invasive to have my iris scanned repeatedly.

The ultraviolet light scan is safe and fairly fast. It's also unaffected by ambient light.
Obscure enrollment procedures have been corrected in the latest version of KnoWho. A new enrollment window makes it easier to capture an iris image.

The learning curve is still there, however. It's not easy to stand precisely at the correct 16 to 22 inches from the camera. KnoWho enrollment would be improved by instructions with a step-by-step demonstration

I found bigger software strides in fingerprint recognition products this year.

The main problem used to be correct finger placement on silicon-chip devices. Optical-sensor devices are much easier because they work like a camera lens, acquiring the image with light and mirrors.

Silicon-chip devices, in contrast, use electrical charges to recreate an image of the fingerprint. The user's finger placement must be consistent every time.

To get around this need for rigid consistency, silicon-chip devices now take random, multiple images during enrollment. A user can miss the mark a little when logging on, and the chip can extrapolate information from the print to determine a match.

Putting a finger on improvement

The latest versions of AuthenTec FingerLoc from AuthenTec Inc. of Melbourne, Fla., and BioKey BSP software from BioKey Inc. of Wall, N.J., guide users to consistent fingerprint placement.

The FingerLoc system, which usually includes sensor technology and end user software, was harder to use than BioKey, but you can choose either as part of SafSolution. I used AuthenTec's software with a keyboard wired to a fingerprint device from Key Source International of Oakland, Calif., and the BioKey with a comparable TouchChip fingerprint reader from UPEK Inc. of Berkeley, Calif. But not all software works with all sensor devices, so check before you mix and match.

BioKey shows a virtual map of where to place the finger for the best image, whereas FingerLoc has annoying pop-ups with somewhat vague directions for placement. I got about 15 percent more bad matches with FingerLoc.

Reading palms

Biometric perimeter security has been around since the early 1990s and is currently in a renaissance mode with new technologies such as blood vessel authentication and new projects such as the Transportation Security Administration's Registered Traveler program.

Among the oldest perimeter access devices is the HandKey CM from Recognition Systems Inc. of Campbell, Calif. The HandKey can analyze more than 31,000 hand geometry points and take 90 measurements of a hand in about a second. It looks at everything from finger width and length to surface area and is well-suited for a high-traffic environment.

The HandKey has proven so reliable that about 95 percent of U.S. nuclear power plants reportedly have used it since 1993.

It took me only seconds to set up. A keypad at the right side controls enrollment, and a user-defined numerical code is part of the log-on. Smart cards can be added for three layers of ID security.

Even more secure than hand geometry is blood vessel authentication. Blood vessel patterns in the hands, like iris patterns, are unique to each individual.

The VA100 from iAccess Systems Inc. of Long Beach, Calif., uses a high-resolution, infrared camera to take a picture of the blood vessels in a finger. The pattern forms an algorithm to identify the user.

Like Iridian's iris recognition technology, the blood vessel biometric works regardless of ambient light and can process several people per minute. It requires a living sample, so fake fingers won't work. One advantage over iris recognition is that reading a finger is easier for the user and less intrusive than scanning an eye.

But blood vessel authentication is a newcomer to the biometric world and works somewhat more slowly. On average it took me two to three seconds per authentication.

The VA100 costs about $3,000 including sensor, control box and cabling. It can be used with any magnetic door for keyless access.

Another new biometric method creates algorithms based on individual behavioral patterns of typing or handwriting.

The Bio-Pen from DynaSig Corp. of Scottsdale, Ariz., can log a user on to a PC or network by authenticating the person's penmanship.

Installation was easy. I connected the Bio-Pen via USB cable to the test computer and directed the installation wizard to an online software driver and management application. It took only three seconds. But the software didn't explain certain necessary settings on the computer.

The Microsoft Windows XP Service Pack 2 firewall on the PC conflicted with the Bio-Pen enrollment. Eventually I resolved the conflict but still ran into the same enrollment difficulty. If I wrote more than three letters, the software would refuse to verify me.

Figuring it was my bad penmanship, I asked people with better handwriting to try the Bio-Pen, but got the same results.

The Bio-Pen left me with the same feeling I had four years ago in the early stages of fingerprint and iris recognition. Logging on seemed like a hit-or-miss activity.

With more time and development, the Bio-Pen could be a viable biometric device for large networks, but for now I recommend choosing an alternative to the $150 pen and software.

Whatever an agency's choice, the best protection is still an ironclad security policy, regardless of the biometric authentication method.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above