The use of biometrics for controlling access to buildings and other secure areas is well accepted and increasing in use. But did you know that the same principles can be applied to control access to digital information?
Biometric authentication is a fast-growing segment of the IT industry, but has it matured enough to become a commercial reality offering the two goals most IT managers are seeking: added security and reduced administration?

The first modern biometric device was introduced on a commercial basis over 25 years ago when a machine that measured finger length was installed for a timekeeping application at Shearson Hamil on Wall Street. In the ensuing years, hundreds of these hand geometry devices were installed at high-security facilities operated by Western Electric, Naval Intelligence, the Department of Energy, and the like.

There are now over 20,000 computer rooms, vaults, research labs, day care centers, blood banks, ATMs and military installations to which access is controlled using devices that scan an individual's unique physiological or behavioral characteristics.

While you would expect sensitive access control applications to be the first uses of a new high-security technology, biometric technologies are also being used increasingly in computer and communications systems, hospitals, airports, and even homes. In some cases, it is the convenience of the devices more than the security level that motivates adoption.

Still, the "biometric revolution" that has been forecast since the mid-1970s has not occurred. Instead, there has been a steady evolution under way that is being led by a new generation of more reliable, less expensive and better-designed biometric devices.

The most dramatic evidence of the evolution is the falling price of biometric verifiers. In 1999, the average price per access point protected was just under £500 compared with a figure of over £6,000 six years ago. Voice and signature verifiers are now available for under £1,000, and highly secure fingerprint and hand geometry devices are available for £200 to £900.

The rate of price drops has slowed recently, however, since major technological improvements have already been implemented by most manufacturers, including custom chip design and solid-state image acquisition. But reductions in end-user costs will continue as production volume increases and manufacturers improve production.

Just this year, the industry experienced price declines in fingerprint devices – some available for as little as £80 per access point protected. Reduced prices have led to increased awareness of biometric technologies; this coupled with lower overall prices will certainly bode well for this industry as we move through the new millennium.

What are biometrics?

Biometric technologies are defined as "automated methods of identifying or authenticating the identity of a living person based on a physiological or behavioral characteristic."

The term biometric device in the access control industry implies that three major components are present:

  • A mechanism to scan and capture a digital or analog image of a living personal characteristic;

  • Compression, processing and comparison of the image;

  • Interface with applications systems.

These pieces can be configured in a variety of ways for different situations. A common issue is where the stored images (reference templates) reside: on a card, in the device or at a host.

Applications of biometrics

The applications for biometric authentication fall into two distinct areas: local access to directory services or applications, and 'off network' access via the Internet or some other carrier.

Data access – Local Area Networks

Access to data has traditionally been protected by user IDs and passwords. This can be seen at best as a simple and inexpensive solution and at worst as an administrative headache providing questionable security. If a strict policy of changing passwords every 'x' number of days is enforced, the overhead that forgotten passwords place on the support group is enormous, estimated to be at least £90 per workstation per annum. If passwords remain static, which is probably the reality in most networks, they become well known and open to abuse.

Alternatives have been available for some time using a hand-held authentication device, but these have been found to be both expensive and difficult for users. The 'Holy Grail' for the IT industry for many years has been single sign-on, allowing a single user ID and password to access all applications assigned to that user. This has tremendous benefits for the user, who typically has to remember 6-10 application IDs. However, it raises concerns over whether a single password is strong enough protection.

Biometrics offers the ability to identify users and confirm their physical presence, simply and quickly, by scanning their finger as part of the network login procedure. Usually the fingerprint templates are stored in the directory service as an extension of the standard user record; at login the live scan is compared with the stored template and access is then allowed or denied.

Data access – Wide Area Networks

Although security in wide area networks has been a hot topic for some time, the solutions have been based around the premise that a user ID and password are acceptable.

Many forms of security rely on the TCP/IP address of the machine to provide controls such as VPNs and firewalls that encrypt a session between the user and the host. PKI also allows for verification of documents on-line; however, 90% of the security solutions are based around possession of the PC, with a simple name and password releasing the security.

The application of biometrics in this scenario reinforces the security measures already employed by ensuring that the user is physically present at the time. As with Local Area Networks, templates can be stored in the local directory or in the web server's local database.

The case for smart cards

The combination of biometric authentication and smart cards creates a multi-function source for: user ID card, physical access (usually a magnetic stripe), single sign-on credentials, PKI, e-cash etc.

As part of the login sequence, whether to the local machine, the local network or via the Internet, the user is asked to scan his or her finger, and the live scan is compared with the template stored on the card. Providing the live scan matches the template, the credentials stored on the card are made available to the user.

As well as the ability to become a multi-function card, smart cards have key advantages in ensuring security. By detecting their presence and absence, actions can be taken: if a card is removed, a screen saver can be invoked to lock the workstation; if another card is then inserted, the existing user can be logged out (this is dependent upon the application).
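The two template placements the article describes (a template held in the directory service's user record for LAN login, and a template held on a smart card that releases the card's credentials only after a live scan matches), together with the card-presence handling just mentioned, as an added simulation that is not from the original article. The integer feature vectors, `MATCH_THRESHOLD` and `scans_match()` are constructed stand-ins for a real template format and matcher, which are assumed to sit behind these names.

```python
from dataclasses import dataclass, field
# Constructed integer feature vectors stand in for real fingerprint templates;
# a real matcher and template format are assumed to sit behind scans_match().
MATCH_THRESHOLD = 3  # assumed: largest summed feature distance still accepted

def scans_match(template, live_scan, threshold=MATCH_THRESHOLD):
    if len(template) != len(live_scan):
        return False
    return sum(abs(a - b) for a, b in zip(template, live_scan)) <= threshold

@dataclass
class DirectoryService:
    """LAN case: template held in the directory as part of the user record."""
    records: dict = field(default_factory=dict)

    def enrol(self, user_id, template):
        self.records[user_id] = {"template": tuple(template)}

    def login(self, user_id, live_scan):
        rec = self.records.get(user_id)
        return rec is not None and scans_match(rec["template"], live_scan)

@dataclass
class SmartCard:
    """Card case: template stays on the card; credentials released only on match."""
    card_id: str
    template: tuple
    credentials: dict
    def release_credentials(self, live_scan):
        return dict(self.credentials) if scans_match(self.template, live_scan) else None

class Workstation:
    """Card presence: removal locks the screen; a different card logs the user out."""
    def __init__(self):
        self.user, self.card_id, self.locked = None, None, False

    def session_start(self, card, live_scan):
        creds = card.release_credentials(live_scan)
        if creds is None:
            return False
        self.user, self.card_id, self.locked = creds["user"], card.card_id, False
        return True

    def card_removed(self):
        if self.user is not None:
            self.locked = True  # invoke the screen saver / lock the workstation

    def card_inserted(self, card):
        if self.user is not None and card.card_id != self.card_id:
            self.user, self.card_id, self.locked = None, None, False  # log out
```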

Costs

Budgetary prices depend on the combination of scanning device, smart card readers if required, and software, all of which depend on the requirements of the user. Two basic forms of scanners exist: standalone devices and those built into keyboards. For standalone devices the inclusive price ranges from £120 - £200 per workstation, and for keyboard-based systems £200 - £300.

Where we are now

The growth of biometrics is dependent on the availability of hardware. Two major PC manufacturers are already offering scanners as options on both their desktop and server ranges, mobile phones are being demonstrated with built-in scanners, and for notebook users there is the probability that fingerprint devices will be included in the glide pad.