FREE ESSAY ON BIOMETRICS SECURITY

BIOMETRICS SECURITY

Biometrics uses personal characteristics to identify users. When it comes to security,
mapping unique patterns and traits in fingerprints, irises or voices is considered light
years ahead of forcing employees to memorize combinations of letters and numbers -- which
are easily compromised and easily forgotten. 
The technology works by taking measurements -- whether it is the weight and length of
bones in the hand or the pattern of blood vessels inside the eye or the pattern of
fingerprints -- and then storing the specifics, often called minutiae, in a database.
When a user scans a hand or retina, the new mapping is compared with the stored data.
Access is either granted or denied based on matching patterns that are unique to each
individual. It's that ability to identify someone based on unique physical traits that is
driving biometrics into the corporate enterprise. As more high-priced transactions are
conducted over the Internet, businesses increasingly need ironclad authentication of
someone's identity. Add to that the increasing amount of inhouse security breaches and
corporate espionage, and you'll find network and security administrators grappling for a
better way to secure information from unauthorized eyes. 
Somebody who is doing stock trades online wants security that is amazingly accurate, says
Michael Thieme, a senior consultant for International Biometric Group in Manhattan, an
independent biometrics consulting and integration firm. A lot of recent security
incidents are making people aware that they have a lot of data that just isn't as secure
as they thought it would be. . . . If biometrics can even be a small part of that, it
will be a tremendous market. 
Costs are dropping 
Until recently, the problem with biometrics has been its staggering cost. But prices have
dropped by 80% to 90% in the past two to three years. A boom in research and development
largely driven by an increasing need for accurate forensics has produced quality
improvements and price reductions. A stand-alone fingerprint reader might have cost
anywhere from $2,000 to $3,000 two years ago, but now it can sell for less than $100. 
Analysts say fingerprint scanning is the top biometric in terms of mind and market share,
with hand geometry coming in second, followed by face and iris scanning. 
There's a growing crop of biometrics vendors expanding the market and pushing what was
once technology solely aimed at forensics and government security into the enterprise
market. Companies such as Identix of Sunnyvale, Calif., Veridicom of Santa Clara and Key
Tronic in Spokane, Wash., are taking biometrics corporate. 
And they're catching the eye of industry giants like Compaq, which is embedding
fingerprint scanners into keyboards and laptops. 
When we first started working with Identix, going back about six years, it cost several
thousand dollars for a fingerprint reader the size of a small telephone, says Joel
Lisker, senior vice president of security and risk management at MasterCard International
in Purchase, N.Y. The current model is embedded in the keyboard, and it's in the $5 to
$10 range. 
MasterCard, which issues employee identification cards with smart chips embedded in them,
is testing different biometric methods for everything from building access to network
access. Lisker says repeat visitors to the company's headquarters were the first guinea
pigs, having their images and fingerprints stored electronically for a digital match
every time they returned. 
The credit card company also is looking into voice recognition, and earlier this year
began a pilot project using fingerprints to authenticate users for network access. Lisker
says the trial, involving five or six employees, is going well, and he expects to broaden
it to 100 users by year-end. 
Eventually, I expect their employee cards will gain them access to the building, the
network, specified applications, and will even be used as an electronic purse at our
cafeteria and store, he says. The employee cards will be smart cards with fingerprint
minutiae stored on them. 
We're looking at this in lieu of personal identification numbers, which are readily
compromised, Lisker says. 
Freeing up the help desk 
The city of Oceanside, Calif., is well beyond the initial testing phase when it comes to
using fingerprinting to authenticate users. With 90% deployment, Michael Sherwood,
director of the city's IT department, says the city is already saving $30,000 to $40,000
per year, and the IT department has been unshackled from password torments. 
Password-related calls made up about 25% of the calls coming into our help desk, says
Sherwood, who started using fingerprinting technologies from Identix about a year and a
half ago. And we figure each one of those calls cost us $20 to $50, factoring in that a
field technician has to be dispatched to make sure the password is delivered to the right
person, not someone posing as that person. 
Then there's the call to check back with the user to make sure everything is OK, plus the
user's downtime while he is waiting for help. 
We have so many different systems, and each system has its own security, Sherwood says.
You need a password to log on in the morning and another password to get to certain files
and then another password for financial applications, for example. And then you figure
that people have to remember their ATM PIN number, their home security PIN, the security
code for their cars and their cell phones. It's just all too much. We had to simplify
that. 
And looking at Oceanside's help desk statistics, it seems they've succeeded. Sherwood
says the IS department has only received 10 calls for assistance with the fingerprint
scanners since Oceanside started using them in 1998, and most of the problems can be
traced to dry skin or small abrasions that inhibit the scanner's reading. 
Our security administrator isn't spending his whole day patrolling passwords now. He's
looking at bigger security issues, Sherwood says. We spent about $170,000 on the system,
and we figure we'll recoup all of our investment in two years. 
Analysts support Sherwood's numbers, citing that calls about forgotten and changing
passwords are a major drain on most help desks. They say it shouldn't come as a surprise,
because the average user has to remember four to eight different strings of characters,
and is supposed to change them every 30 to 60 days. Just getting employees not to use
their own names, nicknames or birthdays as their passwords is a major IS headache. 
I'm a security expert, and my passwords are decent but even they could be better, says
Abner Germanow, a research manager for IDC in Framingham, Mass. It's pretty easy to walk
down the hall in any corporation and see someone who has his password on a post-it note,
or he's got it in his wallet. 
And that's just where Farrokh Shahamiri, an acting management analyst for Oceanside, kept
his password before he started using a fingerprint scanner six months ago. Before, I had
one password to get into the network and a couple of others for different applications. I
never forgot them because I always kept a copy of them in my wallet, he says. 
An issue of privacy 
While biometrics offers tighter security than passwords, industry watchers warn that the
technology poses its own set of threats (see Face-off on the issue of biometrics and
privacy). 
The ugly truth is if you're storing people's fingerprints in a database, that database is
searchable, DataQuest's Reynolds says. Say you have a large company and somebody steals
the CEO's cigar box. They find a fingerprint and compare it to what's in the database. Or
say the police come asking for a copy of someone's fingerprint. That all amounts to an
unlawful search. 
And that is bound to make some users uneasy or even unwilling to hand over their
fingerprints. 
Grant Evans, vice president of Identix, calls it a small problem. The fact is Big Brother
has all the information he needs on you without your fingerprints, he says. 
Gail Koehler, vice president of technology for Purdue Employees Credit Union in West
Lafayette, Ind., was worried that members would be upset when she first deployed
fingerprint scanners in her automated branch kiosks. 
Koehler says 12,000 members have registered their fingerprints with the credit union. We
spent the majority of our marketing dollars preparing ourselves to convince members that
this was secure and not an invasion of their privacy, she says. It was wasted dollars.
We've basically had no objections. Members prefer the security.