Authentication with a personal touch

Young singles aren't the only people looking for a perfect match. Government IT managers, border guards, payroll clerks and homeland security officers are just as concerned with matching employees, visitors and others against personally identifiable information to authenticate them for building access, network privileges or entry into the United States.Today's strong authentication often requires people to present something they know (such as a password), something they have (such as a smart card or token) and/or something they are (a biometric identifier). In many cases, the something you are that's unique to you is a fingerprint.To improve identification procedures, Congress included biometric passport provisions in the Patriot Act as well as in the Enhanced Border Security and Visa Entry Reform Act of 2002. Last year, the federal government awarded Accenture Ltd. a $10 billion contract to provide program management services for the Homeland Security Department's U.S. Visit program, including the collecting of biometric data as part of visa applications.The U.S. is not alone in its move toward employing biometrics. In 2003, for example, the International Civil Aviation Organization adopted its own blueprint for integrating biometric information into passports and other machine-readable travel documents such as visas and identity cards. The ICAO blueprint calls for all 188 member countries, including the U.S., to implement a common face recognition system with the data stored on an integrated circuit, and members have the option of adding up to two other biometric forms of personal identification.Although ICAO calls for using facial recognition systems, the most common form of biometrics is still fingerprint identification.Fingerprint readers are the most mature and commonly used biometric technology. According to the International Biometric Group, a New York consultant, the worldwide market for biometric technology hit $1.2 billion in 2004, a 67 percent increase over the previous year. IBG predicts that spending will continue growing rapidly, quadrupling to $4.6 billion by 2008. If those rosy predictions sound overly optimistic, Deutsche Bank sees similar growth ahead'$5 billion in spending by 2010.Of these expenditures, fingerprint technology represents the biggest slice by far, accounting for 48 percent of the biometrics market, according to IBG. The next most popular biometric, facial recognition, commands just 12 percent of spending.Fingerprints have been used in criminal investigations for over a century and are widely recognized as an accurate method of identification. People develop their fingerprints in the womb and retain them long after death. There is an estimated one-in-ten-billion chance of two people having identical prints and, to date, no such matches have been found. Even identical twins don't have identical prints.As an authentication technology, fingerprint readers offer advantages of size and price. Standalone desktop devices for securing workstations are available starting at around $50. And because the scanners that detect fingerprints have evolved into very compact designs, vendors have begun building them into workstation keyboards and laptops.Many fingerprint readers capture data optically, using a light source to illuminate the finger and a charged couple device'the same light sensor system in digital cameras'to capture the image. Optical scanners are the most mature technology and, until recently, were the most widely deployed.Most newer fingerprint readers use silicon chips to acquire images. Silicon chips have become popular over the last several years because they are significantly smaller and can easily be incorporated into laptops, keyboards, USB key drives and other peripherals. In silicon-based scanners, a microchip measures the fingerprint to discover ridge patterns.Whatever type of scanning technology used, data is generally converted into a digital hash for storage and comparison. The overall system requires biometric software for matching the scanner fingerprint against a database.Of course, no security system is foolproof, and fingerprint readers are no exception. For example, according to the British Broadcasting Corp., last April a Malaysian businessman with a fingerprint identification system installed in his Mercedes found it wasn't enough to keep it from being stolen. Thieves cut off his fingertip so they could use it to start the car. Several years ago, Japanese cryptographer Tsutomu Matsumoto took a more civilized approach. He took some latent fingerprints left on glass, darkened them using fumes from superglue, took a digital photo, enhanced it with Adobe Photoshop, printed the image on a transparent sheet and etched it onto a photo-sensitive printed circuit board. He then poured gelatin onto the image etched on the PCB to create a fake finger. He tested the gelatin print on 11 different fingerprint readers. It fooled every one.The government is well aware of biometric spoofing and is sponsoring research into defeating it. The Air Force Research Laboratory Information Directorate has awarded Small Business Innovation Research awards to companies looking into new ways of guarding against fingerprint spoofing [GCN, Aug. 15, Page 15].To get around both types of problems, vendors have started including features in their high-end products that detect, for instance, whether the finger touching the sensor is alive. There are several techniques for fool-proofing fingerprint identification, none of them perfect. But look for them when you're setting up a biometric security system. If the temperature of the finger is not within the normal range of a human hand, it will not authenticate. There are two drawbacks to this technology. If a person's hand is cold, it will be out of range, and if a thin silicon fake fingerprint is placed over a real finger, it may be within range., including absorption, reflection and the scattering of different light frequencies. It's not perfect, because artificial gelatin fingerprints have optical characteristics similar to skin.Pulse and blood pressure detection. It's very high-tech but could be fooled by an actual finger hidden behind a fake fingerprint. This technique measures whether the resistance is in the normal range of skin. Unfortunately, skin resistance varies widely depending on moisture, and devices can be fooled by saliva on a fake fingerprint.Last year, Marie Sandstr'm, a student at Linkoping University in Sweden, tested nine fingerprint readers at Germany's CeBIT trade fair to see how well they did at discerning between live and fake fingers. She published her results in a thesis titled 'Liveness Detection in Fingerprint Recognition Systems,' which is available on the university's Web site [to read it, go to www.gcn.com and enter 478 in the GCN.com/box]. How well did they do?'All tested fingerprint readers were defeated with artificial fingerprints,' she wrote. 'Some systems were easier to fool than others, and some artificial fingerprints were more successful than others. Interesting to note is that a capacitive, an electric-field and a thermal sweeping sensor were all circumvented with artificial fingerprints.'Capacitive technology is used in many silicon chip-based sensors, including most of the models listed in this guide. Sandstr'm did note that more sophisticated liveness detection systems can do a better job at sorting the real from the fake. But that must be weighed against the cost.'Even though it is possible to circumvent a fingerprint scanner with help of an artificial fingerprint, the question can be asked how often this will happen and what the consequences will be,' she wrote.The major factor to consider when deploying fingerprint biometrics is how accurate the systems are at correctly matching fingerprints against stored images. The National Institute of Standards and Technology last year published the results of tests it conducted on 34 systems from 18 vendors. The tests were done on a set of 393,370 fingerprint images from 25,309 individuals. The most accurate system came from NEC Corp. When looking at a single print, it had a true acceptance rate of 99.4 percent and a false acceptance rate of 0.01 percent. When looking at a set of four fingerprints, its accuracy improved to a 99.9 percent true acceptance rate.Systems from Cogent Systems Inc. and Sagem Morpho Inc. were close behind. The worst systems came out at or near zero on some of the tests.Eric Ouellet, a vice president in Gartner Inc.'s security research group, says all biometrics, including fingerprint readers, are still in the early stages and should be adopted with caution. While they do offer some extra security, it is not worthwhile for most applications.'Unless you really need to have a high level of security, generally speaking, biometrics are probably not cost-effective for what most organizations are looking for,' he said.It is not just a matter of the readers themselves, but the back-end security structure to support them. If fingerprint readers are used, they supplement other measures rather than replace them.'A strong authentication system is what you want to focus on and biometrics can be part of it, but not the be-all and end-all,' Ouellet said. 'The user should still have to memorize something or have something like a token, and you still need to make sure the security policies and all the management infrastructure relating to that are in place.'In many cases, fingerprint readers can be a secure convenience'an easy way of logging onto a PC in the morning or authenticating at Web sites, for example. The fingerprint readers in this guide largely fall into that category. Large-scale, mission-critical deployments, such as physical access security applications, will want to look for high-end specialty scanners embedded in more advanced security systems.