Hi Buck - Hope you're over the flu. If not, here's a little pick-you-up. Cheers- Jean
In a current television commercial, Secret Agent 007 passes through a maze of security devices that scrutinize his palm print, voice pattern and retina. The slick production makes the technology look futuristic. But the truth is, biometric security has been around for some time. And--here's the key--the price of these products is getting low enough so that they're not just for James Bond anymore.
A plethora of new, lower-cost products is coming to market, and IT managers are giving them a close look. A year ago, fingerprint scanners cost more than $1,000. But, in six to nine months, Key Tronic Corp. will ship a keyboard with an embedded fingerprint scanner for less than $100, says Norm Morse, senior product manager for the Spokane, Wash., company.
"That's a price that will make this technology prosper," predicts Dick Tribble, director of systems operations and networks for Scott and White Memorial Hospital and Clinic, in Temple, Texas. He recently started a pilot project using fingerprint scanners to replace passwords on the hospital's PCs.
The Key Tronic keyboard will rely on a digital sensor chip from Veridicom Inc., of Santa Clara, Calif. The chip eliminates the need for analog optical technology and a frame grabber to turn a print into a digital file. Prices promise to drop lower as competing fingerprint-scanning chips are introduced by vendors such as SGS-Thomson Microelectronics N.V., of France, and Harris Semiconductor, of Melbourne, Fla. SGS-Thomson and Harris both demonstrated laptops with built-in fingerprint scanners at a biometrics convention last month.
Cost vs. benefit
Even with the promise of low-cost fingerprint scanners, CIOs remain unconvinced that those devices, or any other biometric security technology, are a must-buy. Just 4 percent of 413 companies surveyed late last year said they use biometric security, and just 6 percent said they plan to purchase the technology in 1998, according to the Computer Security Institute, located in San Francisco, and Zona Research Inc., of Redwood City, Calif. (see charts).
A typical example is ATM manufacturer Diebold Inc., of North Canton, Ohio. John Zeigler, a business development executive who studies new technology for the company, has been using FaceIt, biometric face recognition software from Visionics Corp., on his Pentium Pro 200 desktop PC for about eight months. But the rest of Diebold's more than 3,000 PC users won't see FaceIt, or any other biometric security product, on their desktops anytime soon.
"We're looking at all kinds of security technology, but that hasn't been one of them," says Charles Bechtel, Diebold's CIO. "Cost hasn't been an inhibitor. The more practical issue is making sure we have robust technology."
Still, IT execs understand that with computer fraud and theft on the rise, reusable passwords and swipe cards just aren't enough anymore. IT research company Gartner Group Inc. is fielding more questions from users about biometrics, says Jackie Fenn, vice president and research director for advanced technology for the Stamford, Conn., company. "Certainly, within a couple of years most organizations will have to take a look at it and see how it fits into their overall security," Fenn says. "Initially the users will be early adopters who have a strong need for added security."
Many large companies are exploring the feasibility of adopting biometric technology. Besides Diebold and Scott and White, a short list includes The Boeing Co., of Seattle; Fidelity Investments, of Boston; MasterCard International Inc., of Purchase, N.Y.; the Mayo Clinic, of Jacksonville, Fla.; and Polaroid Corp., of Cambridge, Mass. Many companies are reluctant to talk about their projects because of security concerns.
Pick and choose
The array of choices in biometric security can be dizzying. There are products that identify a person by scanning his or her fingerprint, hand, facial features, voice, signature, iris or retina. There is even talk of a device that could measure the frequency emitted from the vibration of a person's major organs, according to a source at Boeing.
Most of the interest among corporate users is in fingerprint technology, followed by face recognition, says Gartner's Fenn. Of all the biometric security products available, fingerprint technology has the longest history. It also promises to come down in price the fastest and should offer good reliability, she says. "Fingerprints hit the middle ground between price and usability. Iris and retina scans are more accurate, but they are more expensive and they involve more equipment. Fingerprint devices are small and unobtrusive, plus the technology has a strong track record," Fenn says.
Many of the early adopters of biometric technologies are health care organizations, because new federal legislation requires health care organizations to protect the privacy of patients.
Scott and White in December started a pilot project tying fingerprint security technology into its network using software from The National Registry Inc. and Computer Associates International Inc. The hospital is running the software on 14 workstations in its information services department. Eventually, it will be rolled out to several thousand of the hospital's 6,500 employees, says network director Tribble.
"We believe this is going to be much more secure than using passwords, and we won't have to require our physicians and users to change their passwords all the time," he says. "It also lets you know that the person signing on is who he says he is, preventing someone from giving their password to someone else to get a record for them."
Here's how it works. Instead of typing in a password, a doctor or hospital employee puts his or her finger on a scanner, which is connected to a PC. The image is sent through the Single Sign On Server, from Computer Associates, which allows the hospital to input digitized fingerprints in lieu of passwords on its Novell NetWare network. "Not all of our applications have the ability to use a fingerprint as password, and this gives us the ability to use the same process to log onto multiple sites or servers," Tribble says.
Tribble looked at alternative biometric technologies, such as handprint scanners, but "they weren't nearly as integrated into the health care industry," he says. It's very early in the process for Scott and White, but the early signs indicate that "it's going to work fine," he adds.
Breaking new ground
Interest in fingerprint security is so strong that in February 1997, Oracle Corp., of Redwood City, Calif., began offering Identix Inc.'s fingerprint reader and firmware along with Version 7.3 of its database, as well as all subsequent versions. Demand is still weak, but "there is definitely some interest," says Pierre Baudin, Oracle's manager of product management for middleware. "It's picking up."
Interest is particularly strong overseas, where biometrics has been more readily embraced than in the United States. Australia's Identix International, a subsidiary of Identix, expects to see sales of Oracle/Identix's biometric technology package on the order of 5,000 seats in the next few months, says John Parselle, managing director of Identix International.
The orders will likely come from branches of the Australian government, which have been testing the system for one to two months to tighten the security of their Oracle databases, Parselle adds. He declines to reveal the names of the potential government users, but says it makes sense to use the technology to protect databases that hold, for example, social security information, which has been a ripe area for fraud and black-market trading of data.
Identix already boasts some of the largest user sites of fingerprint scanners around the world. Woolworth Ltd., Australia's largest supermarket chain, headquartered in Sydney, has been using the technology for about three years to monitor employee attendance. Instead of punching time cards, about 80,000 employees check into PCs located in 500 stores. Each store has one or two PCs running time and attendance software.
Besides the cost of fingerprint devices, the other chief concern about the technology is that fingerprinting is associated with the criminal justice system. Corporations run the risk of alienating some employees by forcing them to use such devices.
MasterCard believes it will get around that issue with fingerprint scanning software from Identicator Technology Corp., of San Bruno, Calif., says spokesman Ed Dixon. Instead of an image of a fingerprint, the software uses an algorithm to create a kind of PIN (personal identification number) that equates to a person's fingerprint. "People don't want their fingerprints on file," Dixon says.
Employees are spared from worrying about their actual fingerprints being stored, and the PINs take up very little storage space compared with an image of a fingerprint, according to Dixon. One fingerprint PIN equals 50 bytes of storage for a one-to-one matching application, or 250 to 400 bytes for a one-to-many match. In contrast, an image of a fingerprint can take up to 150KB of storage, says Scott Chase, director of business development for Identicator. That's for an image of 512 dots per inch, which is the minimum resolution required for government use.
MasterCard has been testing the technology on a Pentium PC in the main lobby of its headquarters. Employees and frequent visitors place their fingers on a scanner attached to the PC. The PC looks in 15,000 files for a match, then issues a badge upon approval.
The next step in the testing will be the production of fingerprint-based smart cards for employees to use as security passes. The smart card will store an employee's fingerprint PIN on a chip, which will be matched against the employee's print on a scanner. The program will start sometime this year with about 50 people, then grow to include all of the 1,000 employees at MasterCard's headquarters.
Also this year, MasterCard will run a pilot with several thousand customers who will use fingerprint-based smart cards to make purchases. The company is also looking at locking down PCs with the technology but has no set schedule.
At face value
One way around the sticky issue of fingerprints is to go with another biometric, such as facial recognition. "Fingerprinting has the stigma of being associated with crooks, while the facial thing is, 'Oh, you're taking my picture. That's OK,'" says Len Polizzotto, corporate vice president for new ventures for Polaroid. He's been running Visionics' FaceIt software on his NEC Versa laptop for about two months. A camera snaps his photo when he boots his machine and matches it with a photo stored on his hard drive. If there is no match, the PC will not boot up.
Polizzotto doesn't expect to see an enterprisewide rollout at Polaroid. "We have a pretty secure company," he says. "The need to secure individual PCs has not been a burning need." But he says he wouldn't be surprised to see individual users adopt the technology because it's "such a super value that people may want to start using it for extra security." The software alone is about $150. To run it, a user needs a camera (about $60 for an inexpensive one) and a video capture card (about $125). Or users can buy a bundle from Visionics for $300 that includes the software and the ViCam parallel port videoconferencing camera from Vista Imaging Inc., of Belmont, Calif.
FaceIt will be particularly useful to ensure the security of transactions with Polaroid's many partners, Polizzotto says. "You really want to make sure that the person who is getting [the information] on the other end is really the person you want to get it," he explains. "If I send it to a particular PC that only certain people have access to because of the biometric, you're ensuring that."
On a personal note, Polizzotto says FaceIt has made his life easier. "I always forget my password," he confesses. To test the accuracy of the software, Polizzotto checked his photo against a database of 5,000 digital ID cards at Polaroid. A match came up right the first time, he says. The program also recognizes him with or without glasses and with or without a beard, he adds.
Zeigler, of Diebold, also likes what he sees in FaceIt, but he has found that the technology isn't glitch-free. Zeigler, who comes and goes from his office frequently, says his PC doesn't recognize him sometimes because the light has changed in his windowed office. (Ironically, he uses a password--one of the weakest forms of protection--to override the system.) Zeigler has gotten around that by storing several different photos of himself.
Even though Diebold's CIO has yet to be convinced of the need for biometric security, Zeigler is bullish. The Visionics system is costly now--mainly because of the hardware it requires--but the price will come down over time as PC vendors start to include video capture cards and cameras with their PCs, Zeigler predicts. Demand will primarily be driven by videoconferencing applications. Once the hardware is standardized, a corporation can add the software at a reasonable cost for security as well as monitoring time and attendance. "I see it as an evolution, not a revolution," he says.
Richard Powers, editorial director of the Computer Security Institute, says cost is just one part of the equation. Another big factor is that corporations feel they're getting by with reusable passwords, so they aren't in a hurry to go to a more secure system. One clear sign of this is that most corporations aren't using smart cards, which can be purchased for well less than $50. "If you can't spend that amount, spending money on more expensive biometric systems is unlikely," Powers says.
He predicts that biometrics will be used in a small number of corporations until a major security breach makes headlines and puts the fear of God into top management. Until then, many company trade secrets will be easy targets for hackers, corporate spies and rogue employees. And once those secrets are stolen, it will take the likes of Agent 007 to retrieve them.