Keep networks safe with body language
Biometric identification, common in science fiction and James Bond films, is just
starting to mature enough for mainstream viability.
Network firewalls protect against Internet intruders, but they cannot deny physical
After two decades of security awareness efforts, many PC users still tape their
passwords to a monitor or desk drawer. And, frankly, it has never been practical to count
on users to choose hard-to-guess passwords.
Now, government agencies face another security challenge: positive identification of
citizens who receive electronic services.
Security would be a lot easier if we could uniquely identify a person by an electronic
signature, face contour, retina scan, palm print or fingerprint.
A number of law enforcement agencies, government organizations and banking institutions
have started investing in biometric identity verification. The cost is less when the
devices work in concert with passwords or physical access controls.
A good biometric ID method more than doubles the security of a password. Not only do
intruders have to guess or steal a password, they also have to cheat the biometric device.
Biometric security devices fall into several categories:
Someday, we might not have to rely on these secondary characteristics. We could go
right to the individual genetic patterns revealed by, say, a skin flake. Government
agencies already do DNA tests in a matter of weeks, and it's conceivable that new
technology could complete them much faster.
Researchers are studying other exotic biometric measurements such as body odors and
patterns formed by skin pores. But no one has thought of a way around the genetic
identification problem presented by twins or human clones.
Developing biometric hardware is one thing. Agreeing on a standard way to connect it to
other hardware and to software is another. At least three application programming
interfaces have been proposed for interfacing biometric hardware with computer systems.
Last fall, IBM Corp. introduced the IBM API. The National Registry Inc. of Tampa, Fla.,
whose Web site is at http://www.nrid.com, and the
government's Biometric Consortium, whose site is at http://www.biometrics.org,
also announced the Human Authentication API, a 32-bit Windows specification developed for
the Defense Department. HA-API supports several types of devices through high-level
The third candidate is the Biometric API, or BAPI, from I/O Software Inc. of Riverside,
Calif. All three proposed standards are vying to become the API for biometrics.
Also announced late last year was the Speaker Verification API, or SVAPI, which is
limited to voice recognition systems.
The biggest barrier to biometrics had been its high cost. That barrier, however, has
fallen. Key Tronic Corp. of Spokane, Wash., has introduced a $100 keyboard with a built-in
digital sensor chip that can scan fingerprints.
Until now, a fingerprint recognition unit cost several hundred dollars. Key Tronic's
far lower price comes by way of its $50 digital sensor chip from Veridicon Inc. of Santa
Earlier fingerprint systems required a light source, optical sensor, image-capture
hardware and PC interface. The new chips translate a fingerprint directly into digital
The inexpensive fingerprint systems now under development will likely create not a
digitized copy of a fingerprint but rather a unique personal identification number based
on the finger scan. MasterCard International is experimenting with that type of PIN
recognition at point of purchase.
Last fall, the Immigration and Nationalization Service funded the development of a
computerized fingerprint system with fingerprinting machines at INS centers, reducing the
agency's reliance on contractors. INS will forward the electronic prints to the FBI for
The FBI itself plans to replace paper-and-ink fingerprinting with electronic
measurements and digital records.
The Federal Highway Administration wants to use biometrics to identify commercial truck
drivers and has a contract with California's San Jose State University to do a feasibility
State and local governments have been active, too. For years, Cook County, Ill., has
identified sheriff's prisoners by retina scans.
Pennsylvania's Assistance Recipient Identification Program uses the Pennsylvania
Automated Recipient Identification System to capture digitized fingerprints, photos and
signature images on welfare identification cards.
The commonwealth has estimated it could save up to $31 million annually by preventing
fraud in its food stamp and medical assistance programs.
Connecticut plans a digital fingerprinting project, described at http://www.dss.state.ct.us/digital/ditutor.htm.
Information about more government projects is posted at http://www.biometrics.org:8080/#govt,
which links to other biometric information sites.
John McCormick, a free-lance writer and computer consultant, has been working with
computers since the early 1960s. E-mail him at email@example.com.