Integrator Toolbox: Physical safety propels biometrics
Access eclipses information as main security objective
By David Essex
Sep 26, 2003
In the days before Sept. 11, 2001, the talk about biometrics was as much about data security as physical security. By recognizing a person's fingerprint, voice or iris pattern, often on an inexpensive device, biometrics was becoming a feasible way to prevent unauthorized people from accessing PCs, notebooks, networks and data.
But with the heightened awareness of threats against people and governments since, biometrics has been propelled into its golden age. Control of physical access is now the main goal, though information security remains an important, if radically transformed, objective.
Homeland security is in the driver's seat. Initiatives such as the U.S. Visitor and Immigrant Status Indication Technology system, known as US Visit, and laws such as the USA Patriot Act even prescribe biometrics for border control, visa processing, nuclear plant access and airport screening.
The overarching concern obviously is to catch, perhaps with facial-recognition cameras and software that can match passersby against huge databases of known suspects, the next Mohammed Atta before he boards a commuter plane at a regional airport.
These same surveillance applications are among the most threatening to civil liberties advocates, who worry that law enforcement agencies could use the technology to spy on innocent citizens. But vendors and analysts say Congress and state legislatures have done a decent job of building legal safeguards to allow biometrics to move forward.
Still, government officials must reassure citizens that biometric technologies, which gather information that is far more personal than a simple password or Social Security number, won't be misused.
The technology itself is here, and the options are numerous. Fingerprint readers are the most mature, stable and inexpensive. Most cost less than $100, but combined with powerful PC databases, they go beyond simple PC security to become an affordable screening option for most any agency.
The high-end automated fingerprint identification systems are often in large, expensive fingerprinting stations used by law enforcement. But they are increasingly used in mobile terminals for on-the-spot checks against an ever-growing store of data.
"The FBI has the largest database, more than 40 million fingerprints," said Prianka Chopra, senior industry analyst for biometrics and smart cards for consultant Frost & Sullivan of New York.
Facial recognition is getting more attention of late, in part because it has the unique benefit of potentially drawing from the world's 1.2 billion photographs on passports and driver's licenses, said Joseph Atick, president and chief executive officer of Identix Inc.
The departments of Defense and State, the new Bureau of Citizenship and Immigration Services and other agencies use the company's BioEngine fingerprint technology. Its FaceIt facial recognition has been a part of federal surveillance projects.
A third up-and-coming technology, iris recognition, purportedly has the best accuracy of today's commercial systems. Retinal scans were more accurate, but the devices are no longer sold, according to Chopra.
Low-cost PC cameras, such as Authenticam from Panasonic Security & Digital Imaging Co., make iris systems affordable, and users need only get within about a foot and look at a small light. But there are no large databases of irises for identifying an individual among millions, so the technology is not likely to become mainstream soon.
Of the remaining technologies, hand geometry recognition is the most widely deployed, especially for controlling entry to secure buildings, where it is often paired with smart cards, and for time-and-attendance tracking.
It doesn't have the whiff of criminality that fingerprints have, and it can identify users, such as construction workers whose hands are too soiled for fingerprints, Chopra said. But the sensors are much larger and more expensive than fingerprint readers.
They're popular, though. The HandKey and HandReader series from Ingersoll-Rand's division Recognition Systems Inc., for example, are used at border crossings, school cafeterias and municipal buildings.
"Hand geometry is absolutely one of the best biometrics today for high-volume applications," said Bill Spence, the company's director of marketing. On the other hand, Frost & Sullivan predicts facial and iris recognition will gain market share at the expense of fingerprint and hand geometry systems.
Vendors said that along with constant improvements in recognition algorithms and sensors, trends toward data mining and wireless access are helping agencies bring biometrics to the field. This creates new demands on database infrastructures, but the networking piece is easily handled if wireless networks, such as WiFi, are sufficiently secure. Biometrics places little strain on bandwidth, because only small templates, not the actual biometric images, are transmitted.
When people buy biometric access devices, they usually have one or two of four common applications in mind. For example, they may want to control access to IT resources such as PCs, a category dominated by fingerprint scanners. For building security, the physical access-control devices are typically fingerprint or hand-geometry readers, which are mounted beside doors and tied to existing security hardware.
A less clearly defined category of screening and personal-identification devices employs assorted biometrics to validate people at social services agencies, airports and border crossings. Finally, surveillance and law-enforcement applications use fingerprint and facial databases to identify suspects.
You also can categorize devices by the level of matching that each provides, which is mostly a function of the breadth of databases to compare against.
In authentication, also called verification, you're trying to verify that a person seeking entry has been previously enrolled in a local database created for the purpose. Hand geometry, for example, can only do such one-to-one matching or one-to-few, because there's no huge database of hands to compare against, Chopra said.
In contrast, fingerprint and facial readers can try to identify a person by searching for a match in a large database. Rather than simply addressing the question, "Am I who I claim to be?" Chopra said, these systems can answer, "Who am I?"
The accompanying chart lists a sampling of widely used devices for all four applications. Not shown is pricey law-enforcement equipment, such as large AFIS stations.
Proponents admit that biometrics was oversold in the months after Sept. 11, 2001. It's no panacea. False rejects are a common disappointment, and one-to-many identification requires database investments beyond what you'll spend on biometric gateways. A formal pilot is a smart idea.
Vendors and analysts also say agency buyers will succeed by thinking carefully about their applications and by understanding the recognition, cost and usability trade-offs of each biometric technology and how it fits into existing security.
"Don't buy a system as a standalone," Atick said, adding that implementers "need to understand identity management before they understand security."
David Essex is a free-lance technology writer based in Antrim, N.H.