
By David Willis
Security administrators considering biometrics as a way to provide better user authentication have more choices than ever. Yet each approach has its own set of trade-offs, and no single biometric device fits every application. In this article, we'll investigate the major biometric technologies, where they fit and the questions you should ask when looking at these products.
The per-seat cost of biometric hardware and software has plummeted during the past several years (see "Biometric Authentication Cost Per Seat" on page 124). These price reductions coincide with the adoption of low-cost standardized components--DSPs (digital signal processors), RAM and cameras--as well as new methods of mass production for custom components, such as plastic optics. The common use of desktop cameras, microphones and high-powered computers with spare CPU cycles lowers the total cost of face- and voice-recognition systems by using components already available.
Unfortunately, some of the lowest-cost systems are simply gadgets and too gimmicky for consideration in the enterprise (see the Star Trek Biometric Security system from QVoice at www.qvtrek.com/Startrek.htm). In our review of fingerprint recognition devices in this issue, we found much of the current crop too insecure and unreliable for practical enterprisewide deployment (see "Six Biometric Devices Point the Finger at Security" on page 84).
As a whole, the biometric industry has had substantial difficulty getting off the ground, often coming up short on promises, and more than a few companies have been plagued by allegations of securities fraud. The risk to system integrators is still fairly high, too, since many security firms are small and offer only proprietary application interfaces. If a product fails, then you may be stuck rewriting security hooks in applications. But biometric products, their interfaces and the credibility of the vendors offering them are improving rapidly.
Selecting the Right Approach

To choose the right approach to biometric authentication, you must understand the application, the user base and the characteristics of the biometric device itself. You also must consider the conditions under which it will be used and how fallback authentication methods, such as passwords or tokens, will be instituted when biometrics are not available. As with any security measure, you must understand the cost of misuse of the resource you're trying to protect. Here are some factors to consider before choosing a system.
· User acceptance: Some biometrics, such as fingerprints, may be perceived as an invasion of personal privacy. Vendors are careful to point out that they are not associated with the FBI's fingerprint-recognition system, that most devices can't store raw fingerprints and that fingerprints can't be reconstructed based on the data stored within these systems. General intrusiveness can be another factor affecting user acceptance of some devices, particularly iris and retinal scanning systems.
· False acceptance rate (FAR): This is the rate at which an intruder can be recognized as a valid user. Many vendors quote the false acceptance rates of their devices, typically generated through mathematical extrapolation of field trial data. As a result, it's difficult to compare these technologies based on vendors' quoted FAR numbers. But it's important to remember that during user verification (a one-to-one match), false acceptance is based on imposter attempts, not on the total number of attempts by valid users. If FAR is 1 percent, that means one out of 100 users trying to break into the system will be successful.
FARs become more critical when you attempt to identify users based on biometrics, instead of simply trying to verify a person with a one-to-one or one-to-few operation. For example, according to IriScan, an iris-recognition technology manufacturer, if the probability of a false match between a known pair of biometrics is .001, then the probability of finding the wrong person in a database of only 200 people is 0.181. This quickly rises to 0.86 with a population of 2,000. Iris-recognition trials show a much lower false acceptance probability of .000000000001 (10^-12). This means that you can search a database of all eyeballs on the planet (roughly 10^10) with a scant .01 probability of a false acceptance.
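The identification figures above are consistent with treating each database comparison as an independent trial, so the chance of at least one false match among N enrolled users is 1 - (1 - p)^N. The sketch below is an added example, not code from the article or from IriScan; the function names and the independence assumption are ours. It reproduces the quoted numbers and also inverts the formula to size a database or set a FAR requirement.

```python
import math


def false_match_probability(far: float, population: int) -> float:
    """P(at least one false match) when one probe is searched against
    `population` templates, assuming independent comparisons:
    1 - (1 - far)^population."""
    if not 0.0 <= far < 1.0 or population < 0:
        raise ValueError("need 0 <= far < 1 and population >= 0")
    # log1p/expm1 keep precision when far is tiny (e.g. 1e-12).
    return -math.expm1(population * math.log1p(-far))


def max_population(far: float, target: float) -> int:
    """Largest database size whose false-match probability stays <= target."""
    if not 0.0 < far < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("far and target must be in (0, 1)")
    return math.floor(math.log1p(-target) / math.log1p(-far))


def required_far(population: int, target: float) -> float:
    """Per-comparison FAR needed so a search of `population` stays <= target."""
    if population <= 0 or not 0.0 < target < 1.0:
        raise ValueError("need population > 0 and target in (0, 1)")
    return -math.expm1(math.log1p(-target) / population)


if __name__ == "__main__":
    # (per-comparison FAR, database size) pairs quoted in the article.
    for far, n in [(1e-3, 200), (1e-3, 2000), (1e-12, 10**10)]:
        print(f"FAR={far:g} N={n:,}: {false_match_probability(far, n):.3f}")
    # Inverse questions a buyer would ask of a vendor's quoted FAR.
    print("max users at FAR 0.001 for <=1% risk:", max_population(1e-3, 0.01))
    print("FAR needed for 2,000 users at <=1% risk:",
          f"{required_far(2000, 0.01):.2e}")
```

At a FAR of .001 the search risk passes 1 percent once the database holds more than about ten people, which is why a device that is adequate for one-to-one verification can be unusable for identification.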