Meridien Research: More firms to adopt
biometrics
Jan 12 2001: Biometrics, which relies on voice
scans and digital images of tangible body parts
for security purposes, will be more frequently
used by financial institutions in the future.
According to Meridien Research, biometrics will
become more prevalent and may be integrated
into many hardware devices. The growth of
mcommerce and ecommerce will lead to this
trend, and should help end-users to get
familiarized with the security technology.
There are two key reasons for the appeal of
biometrics—it’s more secure, and it allows easy
access to information. It eliminates the need for
users to remember and type in confusing
passwords, while enhancing the safety of
valuable financial data.
The English firm, Barclaycard, has used
biometric technology at its head office for five
years. It is one of a number of such
organizations using biometrics to allow their
staff to obtain access to the corporate network.
According to a special report ("report" is linked to economist.com , printed below. ) by The
Economist, the biometrics market still faced
hurdles including expensive hardware, and the
fact that the market is still only maturing.
The overall market share for each of the
biometric technologies in 2000, however, was
divided among fingerprint (39.1 percent), hand
(31 percent), voice (15.8 percent), face (7.1
percent), eye (4.3 percent), and signature (2.7
percent).
nua.ie
The measure of man
Sep 7th 2000
From The Economist print edition
“Biometric” technology, which can recognise people
from their fingerprints, eyes or other bodily
characteristics, is becoming cheaper and more powerful.
Is it about to become ubiquitous?
ON THE Internet, goes the old gag, nobody knows you’re a
dog. The usual way to prove who you are when picking up
e-mail, shopping online or visiting a closed area of a website is
to type in a password—a surprisingly old-fashioned form of
security that would be recognisable to a Roman soldier. But
though passwords are simple, they are far from secure. Many
people use the same one for everything. Worse, they may use
a common word such as “hello”, their phone number or their
dog’s name—any of which could be guessed by an intruder.
Which is why some people champion a more high-tech
approach. Rather than using a password to identify yourself to
a computer, why not use a physical characteristic such as your
voice, face or fingerprint? Such bodily measures, known as
biometrics, have the appeal that they cannot be lost, forgotten
or passed from one person to another, and they are very hard
to forge. Proponents of biometric technology imagine a world
in which you sign on to your office computer using a
fingerprint scanner, take money from a cash machine that
scans your eye to ensure you are the account holder, identify
yourself to your bank over the telephone via a voiceprint, and
check in for flights by walking past an airport camera that
identifies you as a frequent traveller.
Such a vision has yet to materialise. Biometric technology still
faces some stiff technical challenges. The hardware is
expensive, different systems are incompatible with each other,
and the technology is still maturing. Yet as computers become
part of the fabric of everyday life and more transactions—from
signing contracts, to shopping, to filing tax returns—are
carried out digitally, biometrics firms think their products will
soon be ubiquitous and indispensable.
Being digital
Biometrics come in many forms. The idea is said to date back
to ancient Egypt, when records of distinguishing features and
bodily measurements were used to make sure that people
were who they claimed to be. Modern computer-based
biometric systems are employed for two basic functions. The
first is identification (“who is this person?”), in which a
subject’s identity is determined by comparing a measured
biometric against a database of stored records—a
one-to-many comparison. The second is verification (“is this
person who they claim to be?”), which makes a one-to-one
comparison between a measured biometric and one known to
come from a particular person.
Fingerprints are the most widely used biometric. Ink-based
fingerprints have been in use for over a century, but in recent
years they have gone digital. Modern electronic systems distil
the arches, loops and whorls of conventional fingerprints into a
numerical code. This can be compared with a database in
seconds and with an extraordinary degree of accuracy.
Fingerprints have the advantage of being cheaper and simpler
than most other biometrics, and account for around 40% of
the market (see chart).
Finger scans are tipped
to become the biometric
of choice for logging on
to corporate networks.
Technology companies
note that a large
proportion of calls to
help-desks are due to
forgotten passwords, so
they are pushing finger
scans as a way to reduce
support costs. Polaroid’s
new finger scanner,
announced in May, costs
around $50 and is being
incorporated into some
new PC keyboards. At the other end of the scale, Argentina is
spending five years and $1 billion to digitise its fingerprint
records, which are kept (in paper form) for every citizen, in
order to combat identity fraud.
Another popular biometric is hand geometry. Unlike fingerprint
scanning, which is widely regarded as demeaning in America
and Western Europe, it is not stigmatised by an association
with law enforcement. It involves scanning the shape, size and
other characteristics (such as finger length) of some or all of
the hand. Users are required to make some claim about who
they are—by swiping a card, for example—before a scan. The
biometric template of the person they claim to be (which, in
some cases, is stored on the card itself) is then compared with
the scan.
Hand-geometry systems are already used to control access
and verify identities at many airports, offices, factories,
schools, hospitals, nuclear-power plants and high-security
government buildings. They are also used in “time and
attendance” systems, in which shift workers clock on and off
using their handprints—preventing time-card fraud through
“buddy punching”. The best-known example of the technology
is the INSPASS programme, which allows frequent travellers to
the United States to skip immigration queues at seven big
airports by swiping a card and placing their hand on a scanner.
Recognition Systems of Campbell, California, which supplies
the scanners for the INSPASS programme, says that over
35,000 of them are in use around the world.
An eye for an eye
Then there are the eye-scanning systems familiar from spy
thrillers. Scanning the fibres, furrows and freckles in the iris
(the coloured part of the eye) using a video camera at arm’s
length from the eye provides enough information to identify
somebody. But while the technology is regarded as by far the
most reliable biometric, it is relatively expensive. Some users
also consider having their eyes scanned as even more intrusive
than fingerprinting. Not all users, however, have a choice: iris
scanners supplied by IriScan of Marlton, New Jersey are used
in over 20 jails in America to identify prisoners, staff and
visitors and ensure the right people are let in and out. Iris
scanners have also been tested by banks in Britain, Japan and
America, as a way of identifying users of cash machines. Since
the iris scan identifies each customer, there is no need to
insert a bank card or remember a personal identification
number (PIN). In July, US Airways began trials of an
iris-recognition system at two airports. The idea is that
passengers step up to a machine and get their boarding cards
automatically.
Another biometric is facial recognition, a technology that has
gained ground in recent years thanks to the falling price of
computer power. It works by analysing a video image or
photograph and identifying the positions of several dozen
fixed “nodal points” on a person’s face. These nodal points,
mostly between the forehead and the upper lip, are unaffected
by expression or the presence of facial hair, says Joseph Atick
of Visionics, a leading vendor of face-recognition technology
based in New Jersey. Facial recognition is becoming more
widespread, says Dr Atick, because it can exploit existing
cameras and existing databases of facial images from driving
licences and passports.
Facial recognition is used mainly to verify identity. But if the
database of possible matches is kept small, it can be used for
identification. Unlike other biometrics, facial recognition can
also operate “passively”—ie, without people realising they are
being scanned. It can thus help to spot terrorists at airports,
football hooligans at ports, and cheats at casinos. Visionics’
FaceIt system was also used to combat vote-rigging in Mexico,
by analysing the database of images from voter-registration
cards and identifying duplicates where the same person had
registered under several different names. A list of invalid cards
was drawn up to prevent multiple voting. Similar schemes have
been used in some American states to identify people making
multiple applications for driving licences or welfare payments.
Another form of biometric that does not require special
equipment is voice recognition, which works by analysing an
individual’s fundamental vocal characteristics. But while this
technology is cheap, it is less reliable than other biometrics,
particularly when only a few seconds of speech are available.
The market share of voice recognition has fallen over the past
two years, while that of facial recognition has grown.
A handwritten signature can also be a biometric, because how
you sign your name is a “behavioural” characteristic. As
pen-based computers and personal organisers become more
popular, the hardware required to capture a signature is
increasingly available. Several firms are championing signature
analysis as a friendly biometric that can be introduced
wherever signatures are already used. But as with voice
recognition, reliability can be a problem. According to Jackie
Fenn of Gartner, a consultancy based in Lowell,
Massachusetts, firms that experiment with signatures are likely
to go on to adopt other biometrics instead.
There are a handful of other biometric technologies, including
body odour recognition, thermal facial imaging, and acoustic
head resonance. But although they each have advantages of
their own (thermal imaging, unlike conventional facial
recognition, is supposedly able to distinguish between identical
twins), compared with other biometrics they are either too
expensive or too impractical, and so none has been
commercialised.
Searching for the killer app
According to figures compiled by the International Biometric
Industry Association (IBIA), an industry lobby group, sales of
biometric hardware will amount to $100m during 2000, and are
expected to reach $600m by 2003 (see chart). The six
technologies that are commercially available—finger, hand, eye,
face, voice and signature—each have technical pros and cons,
and are more suitable for some applications than others.
Voice, face and signature all have the advantage that they can
exploit existing infrastructure. Iris recognition is the most
accurate, but the technology to locate the user’s eye, zoom in,
and extract information from the resulting video image is too
expensive to be installed on every desktop PC.
Mitch Rosenberg of
Imaging Automation, a
company that designs
and installs biometric
systems (including
Argentina’s fingerprint
system and the INSPASS
system), suggests that
facial recognition is
emerging as the favoured
biometric for government
applications. It has
already been selected by
the International Civil
Aviation Organisation as
the biometric of choice
for international travel documents, since people are
accustomed to having their pictures on ID cards and
passports. In the workplace, finger and hand scanning are the
most popular. But the “killer app” that will carry the technology
into the consumer mainstream has yet to emerge.
According to Mark Lockie, editor of Biometric Technology
Today, an industry journal, 2000 may prove a pivotal year.
Increasing concern over network security and online
commerce, combined with falling hardware prices, could, he
says, “provide the mass market that biometrics is looking for.”
This optimism stems in part from the fact that this summer
America, Britain and Ireland passed laws making digital
signatures legally binding. The new regulations mean that a
digital signature has the same legal force as an ink-based one.
But a digital signature can be stolen or used by somebody
other than its owner. Proponents of biometrics argue that only
by protecting digital signatures with biometrics (so that a
signature is released only if the owner’s finger is presented, for
example) can people be sure who they are dealing with online.
Another significant development was Microsoft’s
announcement in May that it would provide support for
biometrics in the next big revision of its Windows operating
system, to enable users to log on to their computers “and
conduct secure e-commerce transactions”. Dr Atick, a
proponent of face-recognition systems, has also welcomed the
first prototype mobile phones and personal organisers with
tiny built-in cameras. As it becomes possible to conduct
transactions from mobile devices, he argues, it will become
increasingly important to be able to verify the identity of the
user of a particular device. “I think this is the killer app,” he
says.
Not everyone believes the hype. Nay-sayers come in several
varieties. Some, including Pat Robertson, a television
evangelist, object to biometrics on religious grounds. “The
Bible says the time is going to come that you cannot buy or
sell except with a mark placed on your hand or on your
forehead,” he has warned his followers. “It is happening, ladies
and gentlemen, exactly according to the Book of Revelation.”
More credibly, other opponents object on the grounds that
biometrics sound horribly Big-Brotherish. According to Simon
Davies, director of Privacy International, a lobby group in
Washington, DC, the ability to identify people perfectly is “fatal
for privacy, and fatal for human rights”. The technology will, he
argues, be hijacked by governments and security services for
use against the individual.
Privacy advocates are particularly concerned about “function
creep”—that biometrics will be introduced for one reason, but
used for another. For example, in some countries, individual
social-security numbers or tax codes are now used by
government agencies as unique identification numbers to
control access to health care or higher education. The
existence of a universal biometric identifier in one field might
create irresistible temptations to pull together separate
collections of personal information. A bank, for example, might
build a database of customers’ biometrics so as to verify their
identities when using cash machines. What would happen if the
security services demanded access to such a database?
The biometrics industry has done its best to allay these privacy
concerns. In many applications, the spectre of an Orwellian
central database can be avoided if users carry their own
biometrics around on smart cards, as they do with INSPASS.
Only if the biometric stored on the card matches the user’s
handprint is access granted. Similarly, with face-recognition
systems, verifying an identity can be done by comparing the
photograph in a passport with the face of its bearer; there is
no need for a database.
Indeed, says Richard Norton, executive director of the IBIA,
biometrics can be used in ways that enhance rather than
diminish privacy. A finger-scanning system could, for example,
be used to ensure that only authorised personnel have access
to medical records in a hospital. Biometrics might even enable
patients to find out who had looked at their records, and
when. Part of the motivation for the formation of the IBIA was
to counter the growing perception that biometrics inherently
undermine privacy; the association’s policy is that government
use of biometrics must be strictly regulated, and that private
companies that use the technology must do so transparently.
Besides, the nightmare vision of vast computers, correlating
biometric scans to monitor citizens’ activities, assumes a level
of technical expertise on the part of governments that is
lacking in the real world. John Woodward, a legal consultant
who specialises in biometrics, has coined the term “biometric
balkanisation” to describe the inability of biometric systems
from different vendors to talk to each other—something that,
he argues, serves to protect privacy.
Arguments over privacy have also obscured the industry’s
failure to deal with technical objections. Bruce Schneier, a
security guru, says that biometrics are unsuitable for use as
keys because, unlike passwords or digital signatures, they are
not secret, and cannot be changed, destroyed or declared
invalid. What happens if a record of your biometric is
intercepted as it travels over a network, or is extracted from a
smart card? “You can’t issue someone with a new finger,” says
Ms Fenn.
The risk of interception—either of a biometric itself as it travels
across a network, or of the authentication message issued
when a correct biometric has been presented—means that
using biometrics as a form of authentication on open networks
such as the Internet is hugely problematic, because such
messages could subsequently be forged. A related danger is
that biometrics will lead to overconfidence in the security of the
systems they protect. Computer security is a chain with many
weak links, of which only one is the use of passwords.
Strengthening that link using biometrics merely shifts the
weakest point elsewhere. The same is true of digital signatures
for documents sent over the Internet, which has been likened
by one sceptic to “building a vault door into a cardboard box”.
Since there are so many security holes in web browsers,
servers and operating systems, using biometrics to secure
online transactions looks like overkill.
Worse, some biometrics may not be as secure as they seem
anyway. Research carried out by Axel Munde of the German
Information Security Agency, to be published next month,
found that many biometric systems available in Germany could
be fooled. Some finger scanners, for example, could be tricked
using thin layers of silicone applied to an intruder’s fingers—a
trick James Bond fans will recall from the film “Diamonds are
Forever”. This kind of attack may sound implausible, but Mr
Munde notes that people are prepared to go to great lengths
to crack security systems on the Internet. Another drawback is
that no biometric covers 100% of the population. Not
everybody has hands, or eyes.
There is also a more straightforward problem: cost. Banks that
have tried iris-recognition systems in cash machines have
found that they work well and improve security, but they have
not used them widely because they are too expensive. (Public
wariness of biometrics also plays a part, but research suggests
that this is largely due to unfamiliarity with the technology.)
The cost of biometric readers has fallen dramatically over the
past decade, but it still exceeds the benefits of introducing
them. The technology also remains too expensive to become
standard equipment on new PCs.
Software standards are also a problem. After much bickering,
the industry agreed in March of this year on a protocol that
would govern how computers should handle biometrics, called
BioAPI. But Microsoft then announced in May that it will use its
own standard, called BAPI, to provide support for biometrics
within Windows. Whether BioAPI and BAPI will be able to talk
to each other is unclear, so the industry’s delight that
Microsoft has endorsed biometrics as an important technology
is tempered by concern that the software giant will end up
defining and controlling the industry standard.
Scanning the future
Biometrics are sure to grow in importance for both
governments and companies. In welfare offices, prisons,
high-security facilities or when providing access control to
networks, the technology can be imposed on users, the
security of the entire system is under central control, and the
biometric scanners are used by many people, spreading their
costs. But the outlook for voluntary adoption of biometrics by
consumers is less rosy. In some fields, such as airports or
banking, customers may volunteer to use them if they can see
a tangible benefit such as faster service, lower charges, or
points in a loyalty scheme. Systems that allow consumers to
opt in will do much to dispel some of the myths surrounding
the technology, and could prepare the ground for wider use.
Even so biometrics, despite the dreams of their supporters,
will remain a niche technology for some time to come.
Consumers will be reluctant to adopt the technology if they
have to pay for it, and if it seems to offer little benefit—as is
now the case for most consumer applications, including online
shopping. Today’s e-shoppers seem perfectly happy to use
passwords. They may not be secure, but they are cheap and
cheerful. Passwords have been around for millennia, and will
live on for some time yet.
steve |
