Buyer's Guide: Biometrically Speaking
August 23, 1999
By Frederick M. Avolio
But what about biometric authentication for the rest of us? Will biometrics work in real business applications?
Biometric Basics

All biometric technologies work in roughly the same way. First, a user registers with the system, which captures initial samples of the biometric characteristic (usually more than one). This lets the system build a meaningful set of biometric attributes into a template for later matching. For fingerprint scans, multiple scans of a finger are taken (often more than one finger is scanned multiple times--solving the problem of logging in if you've cut or injured one of your fingers). While gleaning attributes from these scans, the biometric software builds templates (one for each of the scanned fingers), which are then stored in a database and identified with the user.

The biometric system is later used for identification or verification. Identification, often used by law enforcement, is labor-intensive, requiring that the system compare a new sample with all possible candidates. Usually, for computer and network applications, the application employs biometrics in conjunction with other information (for example, a user name). In this case, the software looks up the template related to the user name, compares the new sample against it and determines if it has a match.

Of course, biometrics are not 100 percent accurate. Device-use errors and injuries can produce false readings, which are broken down into two measured categories: False Rejection Rate (FRR) and False Acceptance Rate (FAR). The FRR is the rate at which authorized users may be erroneously rejected, and the FAR is the rate at which impostors might be mistakenly granted access. Which is more important? It depends on your security policy, which should reflect your business-needs analysis and risk analysis.

Owners of ATMs (automated teller machines), for example, would rather incur a false acceptance than risk rejecting a real customer's entry. Given banks' emphasis on customer satisfaction, it's understandable that they would rather lose a few hundred dollars than hazard losing a customer. On the other hand, many secure government facilities would rather err on the side of a low FAR, preferring the system to erroneously reject a legitimate user. Authenticating the user would then involve human intervention--an ID check by a guard or some action by a system manager--but to these institutions the security is worth the occasional inconvenience.
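The FRR/FAR trade-off described above, worked through as an added example that is not part of the original article. It assumes the matcher returns a similarity score from 0 to 100 and accepts a sample when the score meets a threshold; the scores, function names and policy caps are constructed for illustration.

```python
# Added illustration. Scores are constructed sample data on an assumed 0-100
# similarity scale; they are not measurements from any real biometric product.
GENUINE = [91, 88, 95, 67, 82, 93, 58, 86, 90, 79]   # enrolled user vs. own template
IMPOSTOR = [12, 35, 41, 22, 63, 30, 18, 71, 27, 44]  # other people vs. that template


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a sample is accepted iff score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def pick_threshold(max_far=None, max_frr=None):
    """Pick a threshold from a policy cap on one error rate (hypothetical helper).

    max_far: cap false acceptances, then take the LOWEST threshold that meets it,
             so legitimate users are rejected as rarely as possible.
    max_frr: cap false rejections, then take the HIGHEST threshold that meets it,
             so impostors are accepted as rarely as possible.
    """
    if (max_far is None) == (max_frr is None):
        raise ValueError("give exactly one of max_far or max_frr")
    grid = range(0, 102)  # 101 rejects every possible score
    if max_far is not None:
        return min(t for t in grid if rates(t)[0] <= max_far)
    return max(t for t in grid if rates(t)[1] <= max_frr)


if __name__ == "__main__":
    policies = {
        "secure facility (FAR must be 0)": pick_threshold(max_far=0.0),
        "ATM (FRR must be 0)": pick_threshold(max_frr=0.0),
        "compromise (FRR <= 10%)": pick_threshold(max_frr=0.1),
    }
    for name, t in policies.items():
        far, frr = rates(t)
        print(f"{name:34} threshold={t:3}  FAR={far:.0%}  FRR={frr:.0%}")
```

On this sample data, driving one error rate to zero costs 20 percent on the other, which is the policy choice the ATM and government-facility cases make in opposite directions.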
Benefits and Problems

The ICSA 1999 Biometrics Survey (www.icsa.net/) notes that for all the potential of biometric-based security, it still hasn't caught on with most industries. One reason is that biometric devices have been expensive, though lately prices have come down--some start as low as $100 per seat. Also, biometric systems usually require additional equipment on the PC. And integrating biometric user verification with existing applications has been difficult. This, however, is not because of a lack of standards.