net.work

The Way Business Is Moving

Issue Date: February 2002

Biometrics: the new personal security paradigm

Graham Vorster: chief technology officer, Duxbury Networking

There is a growing need for more physical security in the corporate world and giant leaps are being made towards more positive, fail-safe methods with new technologies such as biometrics.

Since Randall Fowler patented the optical fingerprint scanning system in 1978, manufacturers and analysts alike have predicted the day when our bodies and our behaviour would become the ultimate identification credentials.
Nearly 24 years later, the concept of biometrics - the technology that identifies people by their own unique corporal or behavioural characteristics - is set to blossom, initially as a supplement to traditional methods of personal identification and authentication.
At present, greater emphasis is placed on two key areas - personalisation and security - in terms of accessing and delivering corporate information.
In the first instance the User Personalised Network (UPN) has been developed on the premise that the only way to make technology truly meaningful to a company is to implement solutions that cater to an individual's relationship to the business.
In other words, one of the most important criteria for the success of new generation IT systems should be that the user receives the appropriate service levels to match his or her job function.
Authentication
In order to deliver on these principles, there must be a mechanism for discovering a person's true identity and securing it. Values such as the MAC address, IP address, or physical location within a network are not adequate in determining the true identity of a person.
Presently, users can log on from different machines and negate the MAC address as well as the physical location as identifiers. Also, the proliferation of the Dynamic Host Configuration Protocol (DHCP) has made the IP host address powerless as an identifier.
It is quickly becoming apparent that the only consistent identifier for who a person is on a network system is their login, or their authentication credentials.
Biometric authentication
Only biometric authentication is based on the identification of an intrinsic part of a human being. Human traits and behaviours that can be used in biometrics include fingerprints, voice, face, retina, iris, handwriting and hand geometry. This data can be collected and analysed in a number of ways.
Essentially biometrics uses the same system the human brain uses to recognise and distinguish the 'man in the mirror' from the man across the street.
Biometrics can be integrated into any application that requires security, access control, and identification or verification of users.
With biometric security, the key, the password, the PIN code can be dispensed with; the access-enabler is you - not something you know, or something you have in your possession.
Science fiction?
For many, the use of biometrics as a means of security remains something of a novelty; utilising the unique characteristics of one's eye or face to gain entrance to buildings or information is the stuff of science fiction.
Or is it? With the explosion in electronic documentation, that scenario is changing.
What are the indicators? First, the physical security industry worldwide - not only in crime-ridden South Africa - has cultivated a voracious appetite for technology.
There are growing concerns about the security of intellectual property, and e-commerce initiatives have attracted sizable R&D investments in tools to protect computers and the networks to which they are attached.
A US-based survey conducted in the middle of 2000 indicated that, while only 4% of participants were currently using biometric authentication, 11% planned to use it within the next 18 months.
Microsoft has certainly seen the writing on the wall and integrated biometric and other authentication features into the Windows XP operating system in the form of the IEEE 802.1x standard to enable easy deployment of secure networks in the enterprise, home and public places.
Moreover, manufacturers of biometric identification products have risen to the challenge and developed more reliable products that drastically reduce false accept (misidentifying and granting access to an unauthorised person) and false reject (misidentifying and denying access to an authorised person) rates.
Integrating with legacy systems
In the past, many biometric suppliers predicted that their technology would make current security technologies obsolete because biometrics were a more reliable authentication technology, easier to use and more cost-effective.
While biometric technology does verify the identity of an individual in a way that card readers and other traditional systems may not be able to approximate, biometrics are still unlikely to replace these legacy technologies in the short term.
Like all of the other security technologies currently available, biometrics will find its application within a hybridised, or layered, approach that exploits the best that each technology has to offer.
Knowing when and how to weave biometrics into the security fabric of an enterprise requires a comprehensive understanding of the magnitude of the unique security needs, the environment in which the technologies will be used, what technologies are already in use, and which specific biometric technology is most appropriate.
Leverage legacy systems
Companies will be more inclined to buy into the biometric value proposition if they can leverage rather than replace their current systems.
This leveraging can be accomplished in a number of ways.
A pure biometric system would function almost exactly like a card access system. Individuals attempting to gain access present their finger, hand, eye or face or speak into a microphone in the same way they would present their card.
The difference is that the typical proximity cardholder identification number requires 26-85 bits of memory. The typical fingerprint template used by a biometric system requires 250-1000 bytes or, if we recalculate those numbers into bits for comparison, 2000-8000 bits.
Obviously, it takes substantially more processing time and power to verify the identity of an individual biometric scan against a database of hundreds or thousands of others versus a cardholder number.
There are a few ways to use a customer's existing card-based system to solve this problem.
One way is to associate each individual cardholder number with that person's biometric template. This can be done easily during the enrolment process and requires that individuals present their existing card to a card reader either installed next to a biometric reader or actually built into it.
The cardholder number tells the biometric system where to look on the template database for the individual's stored template, greatly reducing the amount of processing required to verify the authenticity of the biometric scan.
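The card-indexed lookup described above, as an added example that is not part of the original article: the cardholder number selects one stored template (a 1:1 check) instead of searching the whole database (a 1:N search). The 9-byte templates, card numbers, tolerance and distance measure are all constructed assumptions.

```python
# Added illustration: templates, card numbers and the tolerance are constructed.
from dataclasses import dataclass, field

TOLERANCE = 12  # assumed maximum distance at which a live scan still matches


def distance(a: bytes, b: bytes) -> int:
    """Sum of absolute per-byte differences between two equal-length templates."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    return sum(abs(x - y) for x, y in zip(a, b))


@dataclass
class TemplateStore:
    by_card: dict = field(default_factory=dict)  # cardholder number -> template
    comparisons: int = 0                         # matcher invocations so far

    def enrol(self, card: int, template: bytes) -> None:
        self.by_card[card] = template

    def _match(self, stored: bytes, live: bytes) -> bool:
        self.comparisons += 1
        return distance(stored, live) <= TOLERANCE

    def verify(self, card: int, live: bytes) -> bool:
        """1:1 check: the card number selects the single template to compare."""
        stored = self.by_card.get(card)
        return stored is not None and self._match(stored, live)

    def identify(self, live: bytes):
        """1:N search: no card presented, so every enrolled template is compared."""
        hits = [c for c, t in self.by_card.items() if self._match(t, live)]
        return hits[0] if len(hits) == 1 else None  # none or ambiguous: reject


def build_store(n: int = 1000) -> TemplateStore:
    """Constructed population (n <= 1000): any two templates differ by 25 or more."""
    store = TemplateStore()
    for i in range(n):
        digits = [i % 10, i // 10 % 10, i // 100 % 10]
        store.enrol(5000 + i, bytes([d * 25 for d in digits] + [100] * 6))
    return store
```

With 1000 enrolled users, `verify` costs one comparison and `identify` costs 1000; a valid card presented with someone else's scan, or an unknown card number, is rejected.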
Smartcard
Another way to simplify processing is to store the biometric template on a smartcard. This eliminates the need for a separate biometric template database and the infrastructure needed to support it, because the smartcard provides all of the storage and security needed in its own memory.
Which kind of biometric technology best matches the task? The four technologies that appear to be the most practical currently are finger scan, hand scan (or hand geometry), eye scan (either retina or iris) and face scan.
There is usually an indirect correlation between accuracy, as measured in the number of unique characteristics the technology can discern, and cost.
The level of intrusiveness is also an important consideration because companies that deploy intrusive procedures into the organisation could become the target of enterprise-wide hostility.
Eye scan technology has, up to now, been the most accurate technology of the group, but it is also the most expensive and perceived to be the most intrusive.
Finger scan technology is probably the most popular of the biometric technologies for a wide range of applications including logical access, Internet security, banking and point-of-purchase. It offers a good balance between accuracy and cost and generally has managed to shake the criminal identification stigma. It is also less intrusive.
Traditional optical finger scan technology will most likely be replaced with newer silicon technology that requires less surface scanning area and less maintenance.
Given the current state of development among the various biometric technology alternatives, hand scan, also known as hand geometry, integrates well with physical access systems and is currently a preferred choice for combining accuracy (up to 90 unique features or measurements) and cost with a minimal perceived amount of intrusion.
Hand geometry templates are the smallest available from current biometric technology at around nine bytes (72 bits), which translates into reduced processing and storage requirements.
The area currently attracting the most research is face recognition technology. Several face detection techniques have been proposed so far, including motion detection (eye blinks), skin colour segmentation and neural network based methods.
The most promising approach works on greyscale still images. It is based on the Hausdorff distance (fixed between two points on the face), which has been used for other visual recognition tasks. In tests this method has performed robust and accurate face detection and its efficiency makes it suitable for realtime applications.
Training
Once the decision has been made about where biometric technology will be used within an organisation, which kind of technology will be used and how it will be integrated with existing systems, the final step is to train security personnel.
Not only will they need to know how to adjust the tolerances of the readers to balance false accept and false reject rates, they also will need to know how to calm employees' fears that their identities may be stolen. Thoroughly preparing the security personnel can go a long way toward smoothing the path to acceptance of the new technology.
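How adjusting a reader's tolerance trades false accepts against false rejects, as an added example that is not part of the original article. The distance scores are constructed, not measured, and the rule "accept when distance is at or below the tolerance" is an assumption about how the reader decides.

```python
# Added illustration: the distance scores below are constructed, not measured data.
GENUINE = [3, 5, 6, 8, 9, 11, 12, 14, 17, 22]        # authorised user vs own template
IMPOSTOR = [10, 13, 16, 19, 21, 24, 27, 30, 33, 40]  # someone else vs that template


def rates(tolerance, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_accept_rate, false_reject_rate) at the given tolerance."""
    far = sum(d <= tolerance for d in impostor) / len(impostor)  # impostors let in
    frr = sum(d > tolerance for d in genuine) / len(genuine)     # genuine users refused
    return far, frr


def sweep(candidates=(5, 10, 15, 20, 25)):
    """Table of (tolerance, FAR, FRR): loosening lowers FRR and raises FAR."""
    return [(t, *rates(t)) for t in candidates]


def strictest_within_frr(max_frr, candidates=range(0, 41)):
    """Lowest tolerance (fewest false accepts) whose FRR stays within max_frr."""
    for t in candidates:
        far, frr = rates(t)
        if frr <= max_frr:
            return t, far, frr
    return None


def equal_error_point(candidates=range(0, 41)):
    """Tolerance at which FAR and FRR are closest to each other."""
    return min(candidates, key=lambda t: abs(rates(t)[0] - rates(t)[1]))


if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"tolerance={t:2d}  FAR={far:.0%}  FRR={frr:.0%}")
```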

