Flesh-and-Blood Biometrics

The high-tech industry has a love-hate relationship with biometrics. We know passwords aren't good enough--they aren't changed often and are prone to theft both through social engineering and electronic attacks. We need an authentication factor that is unique to each user, but biometrics have fallen short of expectations and so have languished on a back shelf.

A new development in biometrics--one that uses venous palm scanning--could bring it to the forefront and to a restricted door in your enterprise. And Fujitsu's PalmSecure, which uses this new method, could be an excellent security product for those who need a two-factor authentication that is nearly impossible to fool.

PalmSecure has an acceptable accuracy rate and, since the device requires blood flow, addresses a rather macabre and possibly paranoid concern about biometrics--that criminals could sever body parts and use them to gain access to a restricted area or network. As a fixed-entry system, PalmSecure could work well. The drawbacks to such a system cannot be ignored, though. Cold temperatures could delay the time for authentication.The Particulars

PalmSecure works by bouncing near-infrared light off of a person's palm and reading the response. Since deoxidized hemoglobin absorbs the infrared beam, a map of the veins in the hand is generated, with the veins displayed at a different density than the rest of the hand.

The accuracy rate of PalmSecure, according to Fujitsu, is greater than 99 percent, with a false positive rate of 0.00007 percent and a false negative rate of 0.00004 percent. Those failure numbers seem awfully low, but if they are born out in widespread deployments, they are definitely within the threshold of acceptable behavior.

Integration of PalmSecure is as simple as plugging it in to a USB port and installing some software. Broad deployments, however, will require more work to centralize the authentication database, though standard builds of the software will make the process go more quickly. You must carry the reader with you, but there's an optional stand that lets you scan each user into the system from a uniform distance. The reader is very portable: It's just 1.5" by 1.5" by 1" and weighs less than 2 oz.; the stand is about four times the size of the reader.

Spoofs And Temperature ProblemsThe palm-reading information is stored in a database, so theft of this data, along with other information, could let attackers create a "spoof" device--for instance, a USB device that acts like PalmSecure but feeds the recorded image to the USB port instead of performing the scan. Although this is possible, the amount of work required might make it impractical for the average identity thief--that is, until the first such device is built and the instructions for building it are published on the Internet.

Another concern is biological: In cold weather, a body contracts blood vessels in the extremities to maintain a higher level of blood flow in its core, to keep the body alive, possibly at the expense of a few fingers, toes, or even hands and feet. This decrease in blood flow changes the look of the veins in the hand. The net result is that in cold weather it can take as long as several minutes for the palm reader to recognize a user; still, this timeframe is better than it would be with, say, finger venous pattern matching, since following exposure to cold, blood flow normalizes in the palm before it does in the fingers.

The Gore Factor

Hollywood has scared us with vivid images of people being killed, their fingers cut off for their fingerprints or their eyes plucked for retina scans. Resulting concerns--whether justified or not--about that kind of scenario have impeded adoption of the technology. IT managers don't want system security that decreases a user's personal security, and while, in the light of day, it's farfetched to think that a user will be maimed or killed if he uses a biometrics system, the concern has been a hard one to completely ignore.Fujitsu has done an end run around the problem by developing a system that requires active blood flow to work. This stipulation may not satisfy the most paranoid of people, but it does offer an added measure of security over other types of biometric systems.

There's also the issue of the system failing because of damage to a body part--for instance, if a user cuts her hand enough to impede the blood flow. Fujitsu rightly says that this is a minor issue--it's not often that serious damage is done to a hand--but acknowledges that if such an injury were to occur, getting locked out of a workplace would add insult to the injury. Thus, the company recommends that both of a user's hands be scanned, since it's very unlikely a user would injure both hands at the same time--and significantly less so than the incidence of users forgetting credential information.

Alternative Technologies

Schlage Recognition Systems produces several HandKey hand-recognition systems. HandKey maps the geometry of the hand, not the venous patterns, using infrared. With such a system, damage to the surface of the hand or broken bones that change the hand's shape could deny user access.Fingerprint technology has been with us for a long time, and it's improving. Fujitsu makes fingerprint readers, as do many other vendors, from Microsoft to Zvetco Biometrics. If you're looking for something more conventional than palm-based venous scanning, check out those products. Meanwhile, Hitachi is one of several vendors making finger venous-scanning systems that work on the same principle as PalmSecure.

Overall, PalmSecure and the palm venous hemoglobin imaging that it uses is a step forward for biometrics, offering a relatively secure solution that's sensitive to temperature changes, but is otherwise adequate. For restricted access--be it doors or highly sensitive systems--PalmSecure would fill the current technology gap.

Don MacVittie is a senior technology editor at Network Computing. Write to him at dmacvittie@ nwc.com.