The basics of biometrics
RFP Essentials | Biometrics done right can improve security and make life easier for users
- By Edmund X. DeJesus
- Aug 24, 2007
If you doubt your employees have strong opinions about their computers, just watch the number of complaints to your help desk spike when you add layers of security. It's understandable: Passwords are a pain, especially if you have to change them often.
Biometrics, if properly implemented, offers a win-win solution. Biometric security, which uses measurements of human characteristics to confirm identity, can at once enhance security and free users from the plague of passwords.
And biometrics can be applied to more than just computers. It can be used to control access to buildings, rooms, networks and other resources. Proponents of the technology say simply using any kind of biometrics sends a powerful psychological message that your agency takes security seriously, which can produce an important mood of vigilance.
Finally, increased security may be the primary goal of biometrics, but don't let it be the only one. 'Agencies narrow themselves out of solutions,' said Vic Berger, a technologist at reseller CDW.
By deciding too quickly what you want, you may be missing more complete solutions that offer additional benefits. For example, placing video cameras in a corridor may give you all the security you need, but facial-recognition and tracking software can add significant information, including insights into traffic patterns, behavior and resource usage.
'Don't jump into a request for proposals if a request for information is more appropriate,' Berger said.
Put your finger on biometrics
Once the province of James Bond-style movies with futuristic facilities, biometrics is becoming commonplace, even showing up as standard equipment on Dell laptop PCs. The list of available biometric modes is growing all the time:
- Eye, including iris and retina.
- Hand, including fingerprint, palmprint and hand shape.
- Head, including face, earlobe and lips.
- Biochemistry, including DNA and odor.
- Behavior, including voice, signature, keystroke and gait.
Although hand readers and fingerprint readers are employed in about 80 percent of biometric access applications, any of those modes can verify your identity.
They differ, however, in many characteristics, including:
- Ease of enrolling individuals.
- Accuracy in distinguishing individuals.
- Speed of identification.
- Size of reader.
- Operation in various environments.
Each mode (and, in some cases, each product) differs greatly in approach and installation, so direct comparison is difficult during a typical bid process. Moreover, each mode involves some trade-offs. For instance, iris identification is accurate but can be slow and requires more cooperation from users than some other types of biometrics.
There are a number of other major issues to consider in selecting the best biometric mode.
Hurdles to clear
- Ease of enrollment. You need to enroll new individuals quickly and simply, not just to save time but to maintain staff goodwill. And make no mistake: biometrics depends on goodwill just as any other type of security does.
You are asking people to expose their eyes, allow themselves to be fingerprinted or permit other essentially intrusive procedures. Expect resistance for religious or political reasons but also simply because bodies are private, and people aren't comfortable exposing body parts, even for excellent reasons.
- Error rates. Error rates are not a big problem with small populations, but a high error rate with a large population is a recipe for disaster because user patience tends to decrease as error rates increase.
- Recognition speed. Speed of identification can play a similar role. For example, fingerprint identification is relatively slow and most suitable for low-volume applications, not for hundreds of workers waiting impatiently to check into the facility each morning.
- Device size. Size of the sensor device is most important in small areas, such as next to doors.
- Environment. The environment can affect the choice of modes in subtle ways. For example, if you're protecting a lab where the staff wears gloves, fingerprint readers probably aren't a good choice. 'Voice recognition, or a combination of modes, might make more sense,' said Gregory Zekster, an associate at consultant Booz Allen Hamilton.
- Cost. Especially for low-volume operations, cost is a key consideration. Biometrics saves the burden and expense of a card-based system, not to mention eliminating the headache of lost or stolen cards. People don't often forget their hands.
- Multiple-factor authentication. What if other constraints push you to biometric solutions that are comparatively less secure? 'Multimodal solutions using two or more different biometrics are becoming more common,' Zekster said. Multimodality can also be more flexible, with certain kinds of access requiring only one mode and others requiring more.
First and foremost, don't let a biometric solution lull you into a false sense of security. Don't abandon your firewalls, encryption, passwords and other security precautions just because you have biometrics. The measurements for comparison reside in a database, which must be encrypted and subject to security. 'Always save the raw data of each measurement,' said Chris Crooks, an associate at Booz Allen Hamilton. As capacity for detail improves, you'll find uses for it, and keeping that data in a standard format makes data sharing across agencies possible.
You may want to avoid large, centralized databases of biometric information. Self-contained, individual fingerprint readers, for example, can verify identity and keep the biometric data out of the centralized database. Users also feel more comfortable knowing that their fingerprints aren't in some massive repository. But losing a reader can be expensive and annoying.
And bear in mind that biometric technologies have limitations. Some portion of the population will always be physiologically unable to use certain modes. It's not just that one-armed man, either: Approximately 4 percent of people can't use fingerprint technology because of dry skin.
Psychological and political issues are no less important. 'Most Europeans, and many Americans, are unwilling to entrust their fingerprints,' Crooks said. Others are squeamish about exposing their eyes to scanners, no matter how harmless they are. Even the chance of infection from a fingerprint scanner is objectionable to some people.
Biometric systems can also be costly and complicated to deploy. That makes it all the more important to work carefully with vendors. 'Focus on the overall solution, not just the product or even the specific technology,' Berger said. 'Stretch your goals. Ask for a lot from vendors: ideas and possibilities, not just products.'
Don't forget about scalability. Depending on the intent of the biometric implementation, the number of people using it will probably grow, sometimes rapidly. For example, biometric-controlled access may be mandatory first for one group working on a network, then for another and another until all users must be enrolled. Your biometric solution should be scalable to handle increases in users and locations.
Finally, although standards for biometrics are just emerging, you should ensure that your solutions are based on existing standards and not dependent on a vendor's proprietary technology. For one thing, using standards-based components permits a wider range of possible solutions and vendors for each component.
Furthermore, standards-based technology lets you upgrade more easily when newer, better, faster widgets come along, and they will. The field of biometrics is far from mature, and new modes and implementations come along each year. 'Fingerprints are already being replaced by other modes,' Zekster said. Try to select a vendor with a reputation for keeping up with evolving standards.
Weighing the options
When comparing solutions, you'll likely need to do some probing to get the information you need.
Suppose you want to know how fast a prospective biometric solution can handle people waiting for access. The vendor may quote the verification time for the reader, which is the elapsed time from the user presenting themselves at the device until identity verification. This is certainly part of the total time you're looking for, but it's not the whole story. What you need is the total time it takes for a person to use the device.
Depending on environmental conditions at your location, you may also need to look closely at each solution's durability. Does your environment include abrasive sand, electrostatic shock, high or low temperatures, direct sun or radiation, chemicals, rain or snow, wind-driven grit, or other difficult circumstances? If so, make sure the mode and its implementation match the need.
Biometric solutions must also integrate with existing systems. Products that are interoperable will have a longer useful life and greater flexibility. Choose solutions that are independent of operating system and hardware. The ability to acquire hardware from one vendor and software from another can be crucial for creating best-of-breed solutions.
If you need to do special application development, a software development kit can simplify things. You may also require remote enrollment or management capabilities for facilities in multiple locations.
Finally, be aware that the biometrics business is pretty wild these days. Companies merge or acquire one another and sometimes go out of business entirely. This has its advantages: One company may offer many technologies. But there are also potential downsides. For example, long-term product support may be unpredictable and unstable. Working collaboratively with knowledgeable and imaginative systems integrators is vital in a technology that is so complex.
Biometrics is one technology where government agencies have the advantage over businesses.
The government is by far the biggest customer for biometric security, so government agencies get to see the newest and best ideas first. 'Government agencies have a moral responsibility to pioneer and shape biometric solutions,' Berger said. Use this advantage to create a biometric solution that's perfect for your agency.
Implementing a biometric solution to secure access is a major project that will affect many aspects of your organization. Here are the questions you should consider before committing resources to a particular solution.
Before exploring an isolated biometric solution, consider how it might also apply to other areas, such as single sign-on, tracking, scheduling and so forth. Try to get as much utility as possible.
Seek vendors, or vendor-independent integrators, who can come up with imaginative solutions that combine hardware, software and supporting components. They should have customer references in the government area.
What kinds of biometric modes will your employees accept? Are they willing to be fingerprinted or give their DNA? Will they permit iris or retina scans? Does it make sense for them to carry individual biometric tokens? Do vendors poll workers to identify their concerns? Can vendors educate staff to help them understand and accept possible biometric solutions? How will you handle security for those who cannot or will not use the biometric solution?
What constraints of the work environment (such as required gloves, masks or hats that hide fingerprints, faces or eyes) affect biometric choices? Do vendors offer a variety of modes to suit these restrictions?
What other environmental factors affect the possible biometric solution? This might be as simple as a reader that must fit next to a door. But consider extremes of heat and cold, rain or snow, sunlight, radiation, chemicals, vibration, dust and sand. Can vendors provide biometric devices hardened for the necessary environments?
How much security do you need this solution to provide? Which biometric modes provide the level of security you need? If environmental restrictions preclude the most secure modes, can a combination of less-secure modes fill the bill? Can your vendors provide all modes and the means to tie them together logically?
How easy is it to enroll individuals? How accurate are the modes in distinguishing individuals?
How fast can the system identify individuals and grant access? Is that fast enough to handle the expected number of users? Is the error rate so high that employees and administrators will become frustrated with the system?
What is the cost of possible solutions? Because biometric devices can break down at the worst possible times, can you get spares?
How many locations will the biometric security apply to? Is this likely to increase? Do some locations need to be managed remotely? How easy is that to do? How many people will be using the solution? Is that likely to increase?
How and where will biometric data be stored? How will that data be secured? Is the data in formats that support data sharing across agencies?
How will the biometric solution integrate with existing security, physical infrastructure, computer infrastructure and applications? Is the solution standards-based? How does software interoperate with existing platforms, operating systems and applications?
How stable are the vendors? Will they be around in five years? How easy would it be to acquire and integrate similar components from alternate vendors?
For more information on biometrics, check these Web sites:
Army's Biometric Task Force
http://www.biometricscatalog.org
Integrated Automated Fingerprint Identification System
http://www.fbi.gov/hq/cjisd/iafis.htm
National Biometric Security Project
| VENDOR | PRODUCT | NOTES |
|---|---|---|
|  | Universal Matching | Fingerprint-matching software with one-to-many (identify) and one-to-one (verify) matching from any live scanner. |
|  |  | Automated palm print and fingerprint Cogent applicant livescan. |
| Cognitec Systems |  | Biometric facial-identification system for video surveillance and image capture. |
| Communication Intelligence | Sign-it, Sign-it XF | Electronic signature (eSignature) software. |
| Cross Match Technologies | Cross Match L SCAN Guardian; Cross Match PIV One Enrollment Suite | Compact scanner for autocapture of fingerprint images in under 15 seconds. Facilitates collecting and creating electronic biometric records for creating PIV- |
| Digital Defense Group | Factor4 | On-card, self-enrolling biometric-based radio frequency identification access control device. |
| Fujitsu Microelectronics America |  | Single-touch fingerprint sensor with 500-dpi 8-bit grayscale. Capacitive-based fingerprint sweep sensor with automatic finger detection. |
| Ingersoll Rand Security Technologies | HandKey II | Automatically takes a 3-D reading of the size and shape of a hand and verifies user's identity in less than one second. |
| L-1 Identity Solutions | DFR 2080 | Single fingerprint reader with 500 ppi resolution in rugged, compact design. |
|  | Automated Fingerprint Identification System | Advanced identification solution for law enforcement, government, civil and commercial applications. |
| Panasonic System Solutions | BM-ET200 Iris Reader | Biometric iris-recognition technology for fast and accurate identity verification and access control. |
|  | plusID | Multifunction, personal biometric token with built-in fingerprint reader and secure processor. |
|  | SecuGen Hamster IV; FDx SDK Pro | Rugged and durable USB fingerprint reader. Software developer kit includes APIs and tools to help developers build software applications. |
| SOFTPRO North America | SignCheck | Automatic verification of single signatures and signing rules. |
|  | TouchChip Fingerprint Sensor (TCS1) | Silicon fingerprint sensor. |