By: Fran Howarth, Principal Analyst, Quocirca. Published: 27th September 2007. Copyright Quocirca © 2007
In an increasingly regulated world and with security risks ever more visible, companies are under greater pressure than ever before to lock down their businesses. Many are ramping up technology investments in areas that provide them with greater insight into who is doing what and when within their organisations. Among these, identity and access management technologies are becoming mainstream tools deployed in the majority of organisations so that actions taken can be tied to the identity of the individual who has performed them.
The weak link in identity and access management technologies is the secure identification of the individual. Security passes can be stolen and used by others. User name and password combinations can be captured by keylogging technologies, not to mention how many users write down passwords and store them insecurely.
On the face of it, biometrics hold great promise for effective, secure identification of individuals. But take-up of biometric technologies has been low, except in public safety and security applications, such as at airports and for new identification documents used by government agencies in the US.
Some years ago, the prime reasons for the lack of take-up of biometrics centred on the inaccuracy of the technology and the high cost of the equipment required. In recent years, the technology has come a long way and accuracy rates have improved substantially, especially for fingerprint biometrics. However, cost does remain an issue.
Other concerns holding up adoption include privacy issues. In most biometric technologies, the biometric identifier must be collected and is then stored in a database. But any quick scan of the press will bring to light numerous stories about databases being compromised and personal information stolen. Research done by the EU shows that the storage of biometric identifiers in databases is a key area of concern among European citizens.
With biometrics, the database used must be secure enough so that enrolment biometric data cannot be easily reconstructed. But the stored data must also be informative enough so that the original biometric can be recovered when a person presents their fingerprint, or other biometric identifier, for verification. The particular problem here is that biometrics are subject to environmental conditions, such as dirt or dust, meaning that data must be very accurate to make a match. Various methods have been developed by security researchers for increasing the security of biometric storage systems, such as by using cryptographic constructs such as fuzzy vaults, but these all add to the complexity and cost of using biometrics—one of the key problems holding up wider adoption.
To solve such problems, a new type of personal biometric authentication device is being developed by technology vendors. In these devices, the biometric identifier is stored on the device itself and verification is achieved by pressing the fingerprint on the pad on the device itself. In this way, the device becomes both the identification token and the biometric reader and the biometric credential is never transmitted electronically, nor is it stored in a database as the credentials never leave the device. This means that these devices not only solve the secure identification and privacy issues, but they can also be deployed at relatively low cost, without the need for investing in expensive databases other than the traditional records maintained in the corporate directory.
Two vendors offering such technology are MXI Security and Privaris. The devices from MXI Security are USB-based and perform effective verification of an individual’s identity by use of their biometric identifier to gain access to corporate network resources. As well as providing highly secure login, they also provide security capabilities that include digital signing and email, disk, file and folder encryption.
The personal biometric authentication device from Privaris offers similar functionality for secure identification to the corporate network. For logical computer access, the device interfaces with Microsoft’s smart card technology so that users can log on without the need for additional software to be installed. But it has capabilities beyond this, combining logical authentication with physical access control as well. And it does this without the cost involved in ripping and replacing existing infrastructure.
For physical access control, the device works by transmitting a signal using standard communications transmissions such as RFID or Bluetooth. To initiate identity verification, the user presses a finger on the pad on the device, which is then checked against the biometric template that is stored on the device. Cost reductions are achieved by using standard communications protocols that are used by existing access control systems, so that dedicated, expensive readers do not need to be purchased and affixed to doors.
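The match-on-device flow described in the preceding paragraphs, as an added illustration that is not code from the article or from either vendor: the token stores the template and a per-device key, compares a presented sample locally with a tolerance for dirt and dust noise, and only then answers a fresh challenge from the corporate directory, which holds no biometric data at all. The integer feature vectors, the tolerance and the HMAC challenge/response are constructed assumptions standing in for real fingerprint matching and smart-card signing.

```python
import hmac
import hashlib
import secrets

# Constructed toy "fingerprint": integer features; TOLERANCE models dirt/dust noise.
TOLERANCE = 3

class BiometricToken:
    """Simulated match-on-device token: template and signing key never leave it."""
    def __init__(self, template, device_key):
        self._template = template   # enrolled biometric, stored only on the device
        self._key = device_key      # per-device secret used to answer challenges
    def _match(self, sample):
        if len(sample) != len(self._template):
            return False
        return sum(abs(a - b) for a, b in zip(self._template, sample)) <= TOLERANCE
    def respond(self, challenge, sample):
        # A successful local match unlocks the key; the sample itself is never sent.
        if not self._match(sample):
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Directory:
    """Corporate directory: one key per enrolled device, no biometric data at all."""
    def __init__(self):
        self._keys, self._pending = {}, {}
    def enrol(self, user, device_key):
        self._keys[user] = device_key
    def challenge(self, user):
        self._pending[user] = secrets.token_bytes(16)  # fresh nonce defeats replay
        return self._pending[user]
    def verify(self, user, response):
        nonce = self._pending.pop(user, None)
        if nonce is None or response is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login(directory, user, token, sample):
    return directory.verify(user, token.respond(directory.challenge(user), sample))

def demo():
    key, template = secrets.token_bytes(32), [10, 42, 7, 88, 53]
    token, directory = BiometricToken(template, key), Directory()
    directory.enrol("alice", key)
    clean = login(directory, "alice", token, template)
    noisy = login(directory, "alice", token, [10, 43, 7, 88, 52])  # within tolerance
    wrong = login(directory, "alice", token, [90, 1, 7, 88, 53])   # different finger
    replay = directory.verify("alice", token.respond(b"stale", template))  # no nonce pending
    return clean, noisy, wrong, replay
```

A compromise of the directory here yields only device keys, which can be revoked and re-issued, whereas a compromised biometric template cannot.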
As well as combining logical and physical access control, future versions of the product will allow it to be used as a tool for proving identity in financial transactions, both online and in person—further reducing cost as just one identification tool is required for a whole range of uses. Also, because the device does not require contact with a reader for verification, it will also be able to be used in applications such as telematics and vehicle access control, even when the vehicle is being driven at speed.
These products provide a new approach to the thorny problem of effective identity verification. They would also address one of the issues many have with the new ID cards being proposed by many governments: a large nationwide database that could be compromised or, perhaps, even used for nefarious purposes by rogue government agencies.
27th September 2007: 'Doug' said:
Fran, excellent article & congrats on the appointment with Quocirca.
27th September 2007: 'Yogesh Raja' said:
Dear Sir/Madam
These details show that the proposed ID KEY system could be treated like an international ID card since it will personalise signature and PIN numbers to the right individuals only. These details show that unless banks implement the fraud-deterring ID KEY system, fraud crimes will continue to grow. Banks have the option to reduce card, cheque, mail order and identity fraud to VIRTUALLY ZERO permanently simply by implementing the ID KEY system described on the website www.xwave.co.uk. Fake documents have made the signature system unreliable, but ID stickers will enable us to personalise them like passports to make these signatures reliable again. Skimmers and pin-hole cameras have made ATM transactions unreliable, but use of the Card Key Code stored on the ID KEY, required to activate ATMs, will make ATM transactions reliable again. This system will make use of stolen and skimmed cards meaningless. This shows that if banks implement the ID KEY system we will not have to prosecute organisations for failing to protect our personal and card details, since these details will not get misused. Please do not hesitate to contact us if you have any questions on the ID KEY system.
27th September 2007: 'Jim Kerr' said:
Other concerns holding up adoption include privacy issues. In most biometric technologies, the biometric identifier must be collected and is then stored in a database. But any quick scan of the press will throw to light numerous stories about databases being compromised and personal information stolen. Research done by the EU shows that the storage of biometric identifiers in databases is a key area of concern among European citizens.
This is yesterday's approach to biometrics. Today this is not the case. Templates are represented by algorithms which are extremely safe. At no time is there an actual print stored, so there is no danger of a hacker using lifted information to gain access to another system.
The costs have come way down. In fact it is less expensive to use a biometric for authentication than the money lost per person on Help Desk password reset activities.
28th September 2007: 'zippy' said:
If you need to embed a processor and biometric algorithm to perform the authentication on the device, then I believe the cost for the device itself would become much higher. Also if you multiply that with the number of device holders, the total cost of ownership may likely exceed the cost of the database.
Also from a security stand point, having all your biometric identification data distributed on each device may be a higher security risk than having it all centrally managed in a database.
28th September 2007: 'Stewart Hefferman' said:
Identity verification experts, TSSI, agree with Fran Howarth’s views that storing the biometric identifier away from the central database and on the actual device certainly addresses public liberty concerns. However TSSI COO, Stewart Hefferman, believes that Fran Howarth, Quocirca analyst recently quoted in IT Director, may have overlooked the more serious issue of the welfare of sensitive public data - in practice, storing biometric data in the actual unit is likely to be less secure than a central database.
“Databases, especially those containing sensitive public data, tend to be tucked away behind secure networks. Data sensitive networks today are protected by firewalls and may even have high-security physical access devices in place to prevent entry into the server room. A unit placed on the outside wall of a building however, can be easily unscrewed and stolen while it is far less straightforward to break an entry into a secure network to steal a database,” said Stewart Hefferman, COO, TSSI.
“In terms of cost savings, what price do businesses place on their security? Yes, biometric readers are more expensive than keys or RFID readers, but a lot is at stake and business continuity should be of paramount concern in today’s security-sensitive business environment. Unfortunately, security normally comes at a price - it is up to the end user to determine the "value" of the asset they are trying to protect and hence whether the higher price of biometric readers can be justified.”
28th September 2007: 'Senitor' said:
Great piece. We already have the systems in place; they need continuous testing/development, not to mention "better management of the total system requirement and regulations."
29th September 2007: 'Juan' said:
Fran: Thank you for accurately and concisely describing the sea change occurring in the biometric security field. The old "solutions" relying on databases have been proven fatally flawed from many different perspectives. I find it interesting that some of the other commentators on your article attempt to prop up the database model. My company has scanned the available technologies for a long time now. We've decided to adopt the Privaris product because of its flexibility, accuracy, ease of use, and value. We already use HID for physical access. Privaris' partnership with HID allowed us to adopt its solution for both logical and physical access. Compared to the expense of password protection regimes for our 1000-user, 12-office network, the Privaris solution is extremely cost-effective. It's as if the physical protection is free. Juan
The messages above were all contributed by IT-Director.com readers. Whilst we take care to remove any posts deemed inappropriate, we can take no responsibility for these comments. If you would like a comment removed please contact our editorial team.
Published by: IT Analysis Communications Ltd.