Two important issues globally affecting commerce today are identification and authentication of an individual. Identification says who you are and authentication specifies what you can do with that identity. Biometrics may provide some of the solutions to improving security, but how do they work, and what questions should be asked when investigating biometrics?
Biometrics are not a new idea. Japanese potters marked their pots with a fingerprint in the wet clay two thousand years ago to identify their work, and fingerprints remain the most popular biometric today, having provided legal evidence for over a century.
A biometric is a characteristic of your body such as a fingerprint or a feature of you such as your voice. Ideally, a biometric should be unique to you only and impossible for anyone else to copy or forge. There are currently at least 25 different kinds of biometric, all offering unique selling points to the marketplace.
Before being used, a user's biometric trait must be enrolled. This involves recording their biometric and then linking it to their given identity. Once enrolled, the system administrator will authenticate the individual to specific services.
Whilst biometrics cannot perform initial identification, they can aid organisations with verification once a profile has been created, and can be a successful tool in fighting identity theft and other growing issues, including credit card fraud. Recent figures from the Association for Payment Clearing Services in March this year indicated that card fraud increased by 20 per cent in 2004. Citizens are already responding to this, with recent research from Fujitsu Services revealing that one in three UK citizens would like banks to introduce biometric security to help combat card fraud.
At present, some of the most popular solutions on the market include iris recognition, voice recognition, fingerprint and palm-vein technologies, with different types being particularly suited to specific applications. For example, voice recognition biometrics has great potential in call centre environments where a caller needs to authenticate themselves in order to change their password. Fingerprint scanners are starting to be integrated into cars to help prevent theft.
The best biometric solutions consider the practical use of the technology. Hygiene is very important to the Japanese, who dislike touching buttons on bank ATMs, and the Bank of Tokyo Mitsubishi is trial testing 250 biometric-enabled ATMs in the hope of reducing card fraud and identity theft. Customers place a palm over a scanner, which authenticates them to the bank as a trusted customer and issues cash and services without the need for a PIN number. The biometric palm vein scanner within the ATM, designed by Fujitsu, works by scanning the blood vessels in your palm. The vein pattern is compiled through an infra-red scan and is then checked against patterns stored in the system or on your smartcard. Palm vein patterns are hard to fake or copy as they lie under the skin, and can also be read without contact, solving the hygiene concerns many people have about fingerprint readers.
What has to be considered when either testing or investing in a biometric solution is that no solution is 100 per cent perfect. What must be assessed is the False Rejection Rate, where the system rejects the right person, and the False Acceptance Rate, where the wrong person is accepted. Both of these should be as low as possible, and will indicate which method would be best depending upon the level of security required.
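The trade-off between the two rates can be seen by sweeping the matcher's acceptance threshold, which this added example does; it is not from the article, and it goes one step further than the text by picking the threshold that meets a required False Acceptance Rate ceiling. The scores are constructed for illustration and the function names are hypothetical.

```python
# Constructed similarity scores (0..1, higher = closer match); not real device data.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.85, 0.66, 0.93, 0.79, 0.97, 0.83]   # right person
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.74, 0.18, 0.41, 0.55]  # wrong person
THRESHOLDS = [0.5, 0.6, 0.7, 0.8, 0.9]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) when any score >= threshold is accepted."""
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    # False rejection: the right person scores below the threshold.
    frr = sum(s < threshold for s in genuine) / len(genuine)
    # False acceptance: the wrong person scores at or above the threshold.
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def sweep(thresholds=THRESHOLDS):
    """List of (threshold, FRR, FAR) rows, one per candidate threshold."""
    return [(t, *rates(t)) for t in thresholds]


def pick_threshold(max_far, thresholds=THRESHOLDS):
    """Threshold with the lowest FRR whose FAR stays within max_far.

    Returns (threshold, FRR), or None when no candidate meets the ceiling.
    """
    ok = [(frr, t) for t, frr, far in sweep(thresholds) if far <= max_far]
    if not ok:
        return None
    frr, t = min(ok)
    return t, frr


if __name__ == "__main__":
    print("threshold   FRR    FAR")
    for t, frr, far in sweep():
        print(f"  {t:.1f}      {frr:.0%}   {far:.0%}")
    # A high-security deployment tolerates no false accepts in this sample;
    # a convenience-oriented one might allow up to 20 per cent.
    print("FAR ceiling 0%  ->", pick_threshold(0.0))
    print("FAR ceiling 20% ->", pick_threshold(0.2))
```

Raising the threshold drives the False Acceptance Rate down and the False Rejection Rate up, so the required level of security fixes the operating point rather than both rates being minimised at once.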
How the biometric data will be stored and processed is also important, both for data security and especially for the speed of retrieval. Some systems are much quicker than others, and this is a critical factor for successful adoption of a biometric system.
What has to be remembered is that this is an extremely fast-moving environment, and this can affect the expected return on investment of a solution. Customers will want to understand the expected lifespan of their investment and will be looking for advice on forthcoming developments. Biometric devices are evolving very rapidly and effective solutions should take this into account.
Biometric technologies will increasingly become part of everyday lives but will not provide all the answers and must be handled with care. Authentication is not the same as identification and the biometric will only be useful if the processes surrounding its use are sufficiently robust and secure.
Richard Boothroyd is principal consultant, Security and Business Risk Practice, Fujitsu Services. He has worked with biometrics for over twenty years.