Biometrics: Coming of Age
by Fred Avolio, Avolio Consulting, Inc.
Almost any self-respecting action movie these days includes a scene
set in a high-security area. Invariably, the camera follows a character who gains admission through titanium vault doors by having
his palm print read, his voice recognized, or his retina scanned. Just as invariably, later in the film someone fakes out these intimidating
security measures, turning them into a joke. (The latest example is in the film
"The Sixth Day," where
Arnold Schwarzenegger penetrates the
protected corridors of a giant, high-security lab by jamming a former enemy’s dismembered thumb into various fingerprint scanners.)
Back in the real world, though, this category of security device is about to outgrow the joke stage. In fact, it may be time to
consider adding biometric measures to your company’s security strategy. This article explains why.
Authentic Authentication
When it comes to user authentication, we want to identify an individual in a strong way. We define “strong way” to mean in a way that does indeed establish the validity of a claimed identity and is not vulnerable to a replay attack. Traditionally, in security, we talk of three ways to establish identity:
-
Something a person has. Possession of a physical item, such as a token, card, or key.
-
Something a person knows. Possession of information, such as a password, passphrase (in spy novels, combined with a counter-phrase), or a series of numbers (e. g., a combination lock on a safe or briefcase).
-
Something a person is. Possession of a physical attribute, such as a particular face (the way we recognize our Uncle Charlie at a reunion) or voice (the way we recognize Mom on the telephone) or fingerprint. This is the aspect of security known as “biometrics.”
The Glossary of Biometric Terms by the Association for Biometrics and the ICSA defines the term “biometric” as “a measurable, unique physical characteristic or personal trait used to recognize the identity, or verify the claimed identity, of a person, through automated means.”
We move towards strong authentication, when we combine more than one kind of authentication method. Something a person knows (for example, a password) is easily obtained through guessing or eavesdropping. However, combine that with something a person is (biometric information) and you have a much stronger combination.
The Growing Support for Biometrics
Biometric devices cover an array of different physical characteristics: fingerprint scanning, finger and hand geometry, palm print, facial and voice recognition, retinal and iris scanning, and recognition of signatures (the wet, written kind). Although early adopters of security solutions, including a few law enforcement agencies, have used some of these technologies for decades, the ICSA 1999 Biometrics Survey states, “The biometrics industry is in a strange predicament. On one hand, it has a great deal of potential. On the other lies an unerring need for expectations about biometrics to become fully realized. Faced with a degree of uncertainty about the industry’s future and a misunderstanding about its intentions, the information security industry has historically looked at biometrics with an expression of bemusement. As a result, the case for biometrics really has yet to be won.”
Yet biometrics shows evidence of being on the cusp of acceptance as part of a defense-in-depth security strategy. For one thing, biometric hardware devices are becoming affordable. Oh, not all of them, but certainly some, such as voice recognition, face recognition, and finger print scanning.
Secondly, just in the past year or so, biometric devices that easily interface to PCs have become available. Most biometric techniques require special equipment, but many are now easy to add on to a computer. Voice recognition works with a microphone and the sound cards resident in most of today’s PCs. Face recognition uses a digital camera, an increasingly common device for a PC user. Fingerprint scanners, or eye scanners, need specialized hardware, but some vendors are now offering fingerprint-scanning keyboards.
Third, vendors are working actively to integrate biometric devices into real computer products. Formerly, biometric devices did not come with anything useful except a screensaver program interface (kind of a way to demo the technology without actually using it for much). But through the efforts of vendors along with industry standards bodies and consortia (see links below), work is progressing to smooth the integration of biometric technology into other, traditionally text-based, authentication mechanisms. Additionally, companies — like BioNetrix (Tysons Corner, VA) — are bridging the world of biometric products and authentication systems.
Because of these trends, it is time for most of us to start learning about biometric devices, and to think about using them — to start playing with them, if you will. The Web sites listed below offer information about biometrics. You can use them to get acquainted with the technology, standards, companies, and products. Read about them, decide how they might fit into your current security plan, and figure out which product to obtain to experiment with. In the next couple of years, the use of biometrics will become the next logical security step.
Sites of Interest:
Biometric Consortium
International Biometric Group (IBG)
AVANTI, the Biometric Reference Site