Upcoming Events

Cloud Connect
Santa Clara
Feb 13-16, 2012

Cloud Connect brings together the entire cloud eco-system to better understand the transformation we're experiencing and promises to be the defining event of the cloud computing industry. Learn about the latest cloud technologies and platforms from thought leaders in Cloud Connect’s comprehensive conference.

Register Now!

More Events »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up

  

Buyer's Guide: Biometrically Speaking

August 23, 1999
By Frederick M. Avolio

our customizable newsletter, sends you security alerts, product updates and software patches on the products you use. Sign up now at www.networkcomputing.com /express/
Finger, hand and retinal scanning, and voice recognition all have been around for years-- and not just in science fiction, spy novels and movies. In the real world, banks and other traditionally early adopters of security solutions have been using hand-geometry readers and other biometric devices in operational environments for decades. Law enforcement has used biometric-based security just as long. And high-security (usually government) installations employ biometrics, often in conjunction with personal ID numbers, for authentication and access control.

But what about biometric authentication for the rest of us? Will biometrics work in real business applications?

Biometric Basics
The most widely deployed biometric security technologies are face recognition, finger scanning, finger and hand geometry, iris and retina recognition, palm-print recognition, voice recognition, and signature (the handwritten type) recognition. Each requires special equipment. For example, voice recognition calls for a microphone and a PC sound card. Fingerprint scanners and eye scanners require specialized network and desktop hardware (though some vendors are starting to offer fingerprint-scanning keyboards and panels for laptops). For face recognition, you need a digital camera.

All biometric technologies work in roughly the same way. First, a user registers with the system, facilitating the capture of initial biometric characteristic samples (usually more than one). This lets the system build a meaningful set of biometric attributes into a template for later matching.

For fingerprint scans, multiple scans of a finger are taken (often more than one finger is multiply scanned--solving the problem of logging in if you've cut or injured one of your fingers). While gleaning attributes from these scans, the biometric software builds templates (one for each of the scanned fingers), which are then stored in a database and identified with the user.

The biometric system is later used for identification or verification. Often leveraged by law enforcement, the identification is labor-intensive, requiring that the system compare a new sample with all possible candidates. Usually, for computer and network applications, the application employs biometrics in conjunction with other information (for example, a user name). In this case, the software looks up the template related to the user name, compares the new sample against it and determines if it has a match.

Of course, biometrics are not 100 percent accurate. Device-use errors and injuries can render false readings, which are broken down into two measured categories: False Rejection Rate (FRR) and False Acceptance Rate (FAR). The FRR is the rate at which authorized users may be erroneously rejected, and FAR is the measurement of how often impostors might be mistakenly granted access.

Which is more important? It depends on your security policy, which should reflect your business-needs analysis and risk analysis. Owners of ATMs (automated teller machines), for example, would rather incur a false acceptance than risk rejecting a real customer's entry. Given banks' emphasis on customer satisfaction, it's understandable that they would rather lose a few hundred dollars than hazard losing a customer.

On the other hand, many secure government facilities would rather err on the side of a low FAR, preferring the system to erroneously reject a legitimate user. Authenticating the user would then involve human intervention--an ID check by a guard or some action by a system manager--but to these institutions the security is worth the occasional inconvenience.

Benefits and Problems
There are three basic levels or stages of security. The lowest level involves something the user has--an ID card, for example. The next level is something the user knows, such as a password or PIN. Combining these makes for tighter security and is the technique used with most ATMs. However, these levels fall short of conclusively identifying an individual. In contrast, biometric systems base authentication on physical characteristics that cannot be shared or easily compromised. Combining a biometric with a PIN or password is stronger still.

The ICSA 1999 Biometrics Survey (www.icsa. net/) notes that for all the potential of biometric-based security, it still hasn't caught on with most industries. One reason is that biometric devices have been expensive, though lately prices have come down--some start as low as $100 per seat. Also, biometric systems usually require additional equipment on the PC. And integrating biometric user verification with existing applications has been difficult. This, however, is not because of a lack of standards.



PAGE: 1 I 2 I 3 I 4 I 5 I NEXT PAGE
 

Research and Reports

Hypervisor Derby
August 2011

Network Computing: August 2011

TechWeb Careers