Biometric technologies not sole answer to security
- By Carlos Soto
- Sep 23, 2002
Don't think biometric access devices are silver bullets for your security vulnerabilities. In fact, if not applied correctly, they can create new gaps in security.
Carlos Soto, associate editor, Government Computer News
The USA Patriot Act, signed into law in October 2001, gave fresh impetus to adoption of biometrics, which vendors were earlier touting as password replacement devices.
Now that they've come under close scrutiny by government and private labs, such as that operated by Washington Technology's sister publication, Government Computer News, companies have acknowledged that biometric devices are effective only when used in conjunction with other forms of authentication.
To ensure these devices protect rather than compromise security, it's important to clear up some misconceptions. The most common of these is that one type of device is good for all applications. Before thinking about biometrics, you've got to think about precisely what it is you're trying to protect: an entrance to a building? A computer network? A data center?
Earlier this year, I reviewed both facial and iris recognition products. Some are designed more for perimeter security than for computer access.
Facial recognition products are less obtrusive than fingerprint devices. They can adjust to changing appearances of an individual. By contrast, most fingerprint devices often won't work if the user's authentication finger is obscured by food, grease or injury.
Biometric devices used for perimeter security are difficult to tamper with, because the servers containing the biometric data are inside the perimeter or in some remote location. But facial recognition has the added advantage of letting you record videos of comings and goings.
I've found that in some instances, facial recognition authenticates faster than fingerprints and is more reliable than many forms of fingerprint recognition, specifically devices with optical sensors.
On the other hand, fingerprint authentication is a better choice on a standalone computer mainly because, unlike facial biometrics technology, it is not affected by changes in light. Lighting -- direction, quality and intensity -- seriously impacts facial recognition software. And with more users, the reliability of facial recognition can decline, particularly if you can't control the lighting and there are shadows. Quite simply, it is easy to fool a facial recognition engine.
This point leads to two other common misconceptions. One is that the purpose of biometrics is to eliminate the password, and the second is that trying to fool a biometric device is easy.
Because the technology isn't 100 percent reliable, you should always deploy biometrics along with regular passwords, or a keypad for door control systems.
All biometric devices read or measure a physical characteristic and store the results in a database. With most systems, those results -- that is, users' profiles -- are adjusted, converted into an algorithm and encrypted before storing.
The security weakness with biometrics exists between the device that records the biometric information and the computer. That middleware could be hacked, giving an unauthorized user full access.
Fortunately, because the industry is assumed to be at the beginning of a growth curve, companies are getting more specialized, dividing up the development of software and hardware. This split in development, typified by the relationship between Panasonic Security and Digital Imaging Co. and Iridian Technologies Inc., is helping the technology mature and gain customer acceptance.
If a hacker were to gain access to your biometric template, chances are he wouldn't capture any of your users' physical characteristics, since most systems convert recorded traits into numbers and characters that are impossible to reverse-engineer.
So where is the industry heading? I believe iris recognition and facial recognition, where developments are occurring rapidly, are the next big things in biometric security. They're growing more reliable, but they are not inexpensive. Facial recognition infrastructures can cost upward of $20,000 to secure a small area.
I have no doubt that biometric technology is here to stay. By itself, it won't save your network from intelligent and determined evildoers, but it nevertheless can add a secure layer to your network and act as a stronger deterrent.
Carlos Soto is an associate editor of Government Computer News and is a technology reviewer with an expertise in security, storage, wireless devices and digital cameras. His reviews of biometric technologies can be found with this article at www.washingtontechnology.com.