Biometrics seems to be the utopia in access control, with the promise of no more calls to the IT helpdesk complaining of forgotten passwords or lost hardware tokens, but unfortunately it's just not that simple in the real world.
Biometric authentication devices are used to measure something a person is. They can compare a physical (fingerprint/voice) or behavioral (keystrokes/signature) trait with a stored value. Combine this with something a person knows, such as a PIN or a password, and it forms a strong two-factor authentication scheme.
Traditionally only used in high-security military establishments, the last few years have witnessed an explosive growth in this technology for the workplace. From single-user fingerprint scanners to high-tech facial recognition, biometric systems are being touted as the answer to a lot of security problems.
Over the last ten years researchers, hardware engineers and product houses have been looking at ways to bring this technology into our everyday lives in a form whose speed, accuracy, reliability and user acceptability are all adequate for modern-day use. Traditionally there have been two main concerns with these systems: biometric system effectiveness and social acceptance.
Below I’ve displayed a table of some example biometric systems and where they fit into these two areas. Of course, these are just some of the systems available.
When we talk about biometric efficiency, we think of its usability, its ability to authenticate those authorized individuals and reject those that are not authorized (accuracy and uniqueness) and finally its ability to work well for the given task without any degradation in performance over time.
Accuracy is the most important characteristic of a biometric system, because it is this accuracy and the ability to uniquely authorize or reject individuals that form the barrier of protection we're looking for.
Biometric systems can be tweaked to be more or less restrictive in who or what they find acceptable when authenticating a user. To help understand this, there are three terms used by biometric systems that we can use to measure their effectiveness:
The false reject rate is the rate at which authentic enrolled users are denied. This is typically seen as not a major problem in most environments; however, if you're using a biometric in a customer environment, such as a replacement for tickets in a theme park, then false reject rates become much more important. A theme park wouldn’t want to upset its customers so is much happier to have a higher rate of false reject rates.
The false accept rate is the rate at which an unauthorized, un-enrolled person is accepted as an authentic user. This is the most crucial error in the majority of environments.
The crossover error rate is the point at which the false reject rate and the false accept rate are equal to each other, or cross over if charted (in a graph). It is a form of measurement for a biometric system's usefulness and is often the default point to which a biometric system is installed and tweaked. As time goes on, the business may decide it wants to be more or less strict with its authentication scheme, changing the crossover error rate position.
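The three measurements above can be worked through on a small set of match scores. The following is an added example, not code from the original article: the scores are constructed, and it assumes a matcher that returns a similarity score between 0 and 1 and accepts any score at or above a configurable threshold.

```python
# Added example: constructed match scores, not data from any real device.
# Assumption: higher score = closer match to the enrolled template.
GENUINE = [0.91, 0.85, 0.78, 0.88, 0.62, 0.95, 0.70, 0.83, 0.55, 0.90]   # enrolled users
IMPOSTOR = [0.20, 0.35, 0.48, 0.15, 0.58, 0.30, 0.66, 0.41, 0.25, 0.72]  # un-enrolled people


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false reject rate, false accept rate) at this threshold."""
    # A genuine user scoring below the threshold is falsely rejected.
    frr = sum(s < threshold for s in genuine) / len(genuine)
    # An impostor scoring at or above the threshold is falsely accepted.
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def crossover(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Sweep thresholds 0..1 and return (threshold, FRR, FAR) at the first
    point where the two rates are closest, i.e. the crossover error rate."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1:]


if __name__ == "__main__":
    t, frr, far = crossover()
    print(f"crossover: threshold={t:.2f} FRR={frr:.0%} FAR={far:.0%}")
    # Moving the threshold away from the crossover trades one error for the other.
    for label, thr in (("lenient", 0.45), ("strict", 0.75)):
        frr, far = rates(thr)
        print(f"{label:8s} threshold={thr:.2f} FRR={frr:.0%} FAR={far:.0%}")
```

With these scores, the strict setting removes false accepts entirely at the cost of rejecting three in ten enrolled users, while the lenient setting does the reverse.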
Primarily acceptance is based on users and how they accept the system, but acceptance from a business point of view must also be taken into account before any choice and implementation.
A user may want assurance that a system is not hazardous to the health of its users. It must not impede personnel movement or cause any form of production delays, and must not enable management to collect personal or health-related information about individuals. Some users are also concerned about making physical contact with surfaces or devices that untold numbers of other people have touched before them, primarily because of a greater fear of modern-day contagious diseases.
A business needs to ensure that the enrolment time (the time it takes a user to be added/enrolled on the system) is acceptable, otherwise people get frustrated and queues form quickly. The industry-accepted time is 2 minutes per person. Most systems on the market today can meet this standard. The speed and throughput of day-to-day use are another area of concern. Again, acceptable industry standards say a system speed of 5 seconds from start-up to decision making is acceptable. It is only recently that biometric systems have met this measure.
Today's biometric uses
Biometrics, despite some high priced systems, are making progress and are being rolled out in general businesses. Some examples of this include the roll-out of systems in healthcare, entertainment, and finance environments.
Unfortunately, the units are very specialist, don’t tend to link up to each other and often require specialist equipment to be installed (physical characteristics as opposed to behavioral characteristics).
Some thoughts for choosing a biometric system
System performance of any biometric system should be tested independently, ideally in a live environment.
Potential users/businesses should always ask for reference customers and if possible request a site visit.
Systems may suit different sized businesses. What might work well for a mid-sized business may be a poor performer in a larger organization.
System maintenance should be thought about. Some systems may need cleaning daily for example.
How susceptible is a system to sabotage or deliberate damage?
What happens if your system breaks and stops working? How do people get into a building, etc.?
Is a system acceptable from a user point of view? Would your users mind touching physical devices (given contagious diseases etc.)? Is the system non-intrusive?
The future of biometrics
The future of biometrics is limited only by one’s imagination. Imagine arriving home from work, walking openly to your front door and, ping, it pops open because the house has recognized your face as you came back. Or perhaps there will be a day when you go to open your car, you pull the handle, and your fingerprints are read to unlock the vehicle. Your neighbor tries the same thing, pulls the handle and the alarm goes off because they are not authorized in your car.
There are many practical uses for biometrics in the real world. We need to get the systems to a point where the users are happy to accept the introduction of such systems, they are cheap and practical enough to use, and they are resistant to damage, dirt, grease and so forth so that they can be used under all sorts of circumstances without performance degradation.
Many biometric systems are available today. Some work and some work not so well. They are often very specific systems for very specific uses at the moment (such as user authentication). We have yet to see the proliferation of a vast and integrated system that does not require the user to plug the device into their USB or parallel ports. There is no doubt biometrics is the way forward, but are we there yet? Probably not.
So far it has taken over ten years just to get the systems to a usable and fairly inexpensive form (under 100 per unit), but they still have some way to go. We will see different methods being used for various requirements and may even see the combination of the various biometric systems to form a secure two-factor authentication.
If biometrics are to succeed they need to match their environment and be integrated into other hardware much more and their cost per unit needs to fall much more. At the backend, their systems must require low maintenance and offer continuous protection with no system degradation.
Most importantly, biometrics will succeed provided they deliver continuing and clear identification in a non-intrusive manner. One such system perhaps is a camera on your PC that is programmed to check the operator's identity every 30 seconds. It opens a 5-second window to acquire a good picture, and if it can't obtain the data or doesn’t authorize the individual, the screen can be locked. This is ideal if someone else sits down at a PC or an individual gets up for a coffee, because as soon as the individual comes back, the system authenticates a valid user once more and provides access.
For the paranoid, we could easily combine this system with a fingerprint reader on the first button of the mouse, which has to authenticate a user’s fingerprint every 10 minutes or each time a user wants to access an encrypted file.
There is no doubt that biometrics, implemented correctly, will bring major increases in information security protection and while some systems exist today we still have some way to go before low maintenance, low cost, user acceptable, continuous, transparent and positive identification systems are brought into the real world, but we’ll get there.