Technology-savvy organizations looking to develop a competitive advantage should carefully watch developments in biometrics. Simon Liu and Mark Silverman A Practical Guide to Biometric Security Technology s organizations search for more secure Of these, a biometric is the most secure and con- authentication methods for user access, venient authentication tool. It can’t be borrowed, e-commerce, and other security appli- stolen, or forgotten, and forging one is practically cations,biometrics is gaining increasing impossible. (Replacement part surgery, by the Aattention. But should your company use biomet- way, is outside the scope of this article.) rics? And,if so,which ones should you use and how Biometrics measure individuals’ unique physi- do you choose them? There is no one best bio- cal or behavioral characteristics to recognize or metric technology. Different applications require authenticate their identity.Common physical bio- different biometrics. metrics include fingerprints; hand or palm geom- To select the right biometric for your situation, etry; and retina, iris, or facial characteristics. you will need to navigate through some complex Behavioral characters include signature, voice vendor products and keep an eye on future devel- (which also has a physical component), keystroke opments in technology and standards.Your options pattern, and gait. Of this class of biometrics, tech- have never been more diverse. After years of nologies for signature and voice are the most research and development,vendors now have sev- developed. eral products to offer. Some are relatively imma- Figure 1 describes the process involved in using ture, having only recently become commercially a biometric system for security. available,but even these can substantially improve your company’s information security posture.We Fingerprints briefly describe some emerging biometric tech- A fingerprint looks at the patterns found on a nologies to help guide your decision making. fingertip.There are a variety of approaches to fin- gerprint verification. Some emulate the tradi- WHAT IS A BIOMETRIC? tional police method of matching minutiae; others The security field uses three different types of use straight pattern-matching devices; and still authentication: others are a bit more unique, including things like moiré fringe patterns and ultrasonics. Some ver- • something you know—a pass- ification approaches can detect when a live finger word, PIN, or piece of personal is presented; some cannot. Inside information (such as your A greater variety of fingerprint devices is mother’s maiden name); available than for any other biometric. As the Glossary • something you have—a card key, prices of these devices and processing costs fall, smart card, or token (like a using fingerprints for user verification is gain- Resources SecurID card); and/or ing acceptance—despite the common-criminal • something you are—a biometric. stigma. 1520-9202/01/$10.00 © 2001 IEEE January ❘ February 2001 IT Pro 27 SECURITY the unique patterns of the retina. Retinal scan- Figure 1. How a biometric system works. ning can be quite accurate but does require the user to look into a receptacle and focus on a Biometric 2 Biometric 3 Template given point.This is not particularly convenient if 1 devices enrollment storage you wear glasses or are concerned about having close contact with the reading device. For these 6 reasons, retinal scanning is not warmly accepted 4 by all users, even though the technology itself can Biometric 5 Biometric 8 Template work well. devices verification storage 7 Iris Business An iris-based biometric, on the other hand, applications involves analyzing features found in the colored ring of tissue that surrounds the pupil. Iris scan- ning, undoubtedly the less intrusive of the eye- (1) Capture the chosen biometric; (2) process the biometric related biometrics, uses a fairly conventional and extract and enroll the biometric template; (3) store the camera element and requires no close contact template in a local repository,a central repository,or a portable between the user and the reader. In addition, it token such as a smart card; (4) live-scan the chosen biometric; has the potential for higher than average tem- (5) process the biometric and extract the biometric template; plate-matching performance. Iris biometrics (6) match the scanned biometric template against stored tem- work with glasses in place and is one of the few plates; (7) provide a matching score to business applications; (8) devices that can work well in identification mode. record a secure audit trail with respect to system use. Ease of use and system integration have not tra- ditionally been strong points with iris scanning devices, but you can expect improvements in Fingerprint verification may be a good choice for in- these areas as new products emerge. house systems, where you can give users adequate expla- nation and training, and where the system operates in a Face controlled environment. It is not surprising that the work- Face recognition analyzes facial characteristics. It station access application area seems to be based almost requires a digital camera to develop a facial image of the exclusively on fingerprints, due to the relatively low cost, user for authentication.This technique has attracted con- small size, and ease of integration of fingerprint authenti- siderable interest, although many people don’t completely cation devices. understand its capabilities. Some vendors have made extravagant claims—which are very difficult, if not impos- Hand geometry sible, to substantiate in practice—for facial recognition Hand geometry involves analyzing and measuring the devices. Because facial scanning needs an extra peripheral shape of the hand.This biometric offers a good balance of not customarily included with basic PCs, it is more of a performance characteristics and is relatively easy to use. niche market for network authentication. However, the It might be suitable where there are more users or where casino industry has capitalized on this technology to cre- users access the system infrequently and are perhaps less ate a facial database of scam artists for quick detection by disciplined in their approach to the system. security personnel. Accuracy can be very high if desired, and flexible per- formance tuning and configuration can accommodate a Signature wide range of applications. Organizations are using hand Signature verification analyzes the way a user signs her geometry readers in various scenarios, including time and name.Signing features such as speed,velocity,and pressure attendance recording, where they have proved extremely are as important as the finished signature’s static shape. popular. Ease of integration into other systems and Signature verification enjoys a synergy with existing processes, coupled with ease of use, makes hand geometry processes that other biometrics do not. People are used to an obvious first step for many biometric projects. signatures as a means of transaction-related identity veri- fication, and most would see nothing unusual in extending Retina this to encompass biometrics.Signature verification devices A retina-based biometric involves analyzing the layer of are reasonably accurate in operation and obviously lend blood vessels situated at the back of the eye. An estab- themselves to applications where a signature is an accepted lished technology, this technique involves using a low- identifier. Surprisingly, relatively few significant signature intensity light source through an optical coupler to scan applications have emerged compared with other biomet- 28 IT Pro January ❘ February 2001 ric methodologies. But if your application fits, it is a tech- nology worth considering. Glossary Voice Voice authentication is not based on voice recognition Crossover error rate (CER)—a comparison metric for dif- but on voice-to-print authentication, where complex tech- ferent biometric devices and technologies; the error rate nology transforms voice into text.Voice biometrics has the at which FAR equals FRR.The lower the CER, the more most potential for growth, because it requires no new hard- accurate and reliable the biometric device. ware—most PCs already contain a microphone. However, Enrollment—the initial process of collecting biometric poor quality and ambient noise can affect verification. In data from a user and then storing it in a template for later addition, the enrollment procedure has often been more comparison. complicated than with other biometrics, leading to the per- False-acceptance rate (FAR)—the percentage of ception that voice verification is not user friendly. imposters incorrectly matched to a valid user’s biometric. Therefore, voice authentication software needs improve- ment. One day,voice may become an additive technology False-rejection rate (FRR)—the percentage of incorrectly to finger-scan technology.Because many people see finger rejected valid users. scanning as a higher authentication form, voice biometrics Identification—the process by which the biometric sys- will most likely be relegated to replacing or enhancing tem identifies a person by performing a one-to-many (1:n) PINs, passwords, or account names. search against the entire enrolled population. Template—a mathematical representation of biometric USES FOR BIOMETRICS data. A template can vary in size from 9 bytes for hand Security systems use biometrics for two basic purposes: geometry to several thousand bytes for facial recognition. to verify or to identify users. Identification tends