Before Robert Langdon's adventures in The Da Vinci Code, Dan Brown's fictional hero was called upon to thwart a legion of assassins known as the Illuminati, who had stolen the secrets to a lethal antimatter device by defeating a retinal scanner in the most gruesome way imaginable.
Of course, most enterprises looking to implement biometric solutions (identification technology based on a biological feature, such as a retina, iris, tongue or fingerprint) don't have to worry much about attacks from lethal assassins. But still, "The question always comes up, because of the Hollywood aspect of it," says Andy Germano, director of wireless for Melbourne, Fla.-based AuthenTec, a leading provider of fingerprint recognition devices. "We have a hard time finding employees who are willing to give fingers for that kind of testing," he deadpans.
More advanced biometrics systems have what's called "liveness detection"--not so much for the possibility of severed body parts as to guard against the use of molds and other sophisticated hacking techniques. "AuthenTec's technology is actually imaging below the surface of the skin in the live layer," Germano explains.
Another biometric security provider, San Jose, Calif.-based Atmel, offers fingerprint sensors that measure the temperatures of a digit's ridges and valleys. Bruno Charrat, Atmel's biometrics product line director, says that recent developments in biometric technology have led to an explosion in the market. "A couple years ago, there were very few laptops on the market with biometrics," he says. "Now, if you take the 10 big players on the market, all of them have biometrics offerings they're selling to corporations and small businesses. The devices are more secure, more manageable and more convenient to use."
Anatomy of Biometrics
Among other things, biometric devices are being used to replace (or enhance) password technology, to control access to buildings and automated teller machines, and as identification devices at international airports and border checkpoints.
Fujitsu, a leading manufacturer and seller of computers and other electronics, has been working on biometric solutions for years. Paul Moore, director of wireless solutions for Fujitsu, says that early biometric sensors were easy to fool and not very secure. "But as notebooks became more mobile, battery life became better, wireless became ubiquitous and biometrics started getting integrated into [laptops and smartphones]."
Fingerprint identification is currently more popular than all other methods combined. "We've rated different technologies on accuracy, cost and intrusiveness," says John Pescatore, a VP and research fellow for Gartner Research. "Iris identification, for example, although it has gotten better, still scores poorly on intrusiveness, because you're forcing people to put their eyeballs close to things. Facial recognition scores OK, but we still see a high false acceptance rate. Fingerprint scores the best, by far."
Accuracy and Feasibility
To discover which device might be right for you, think first about whether you need a biometric device at all. "We always tell clients, first make sure you're solving an actual problem," says Pescatore. "Most [personal electronic devices] have features that require a PIN number entry or password entry that the enterprise isn't requiring people to use. That in itself may be good enough for the vast majority of users."
Though vendors tout accuracy rates for their biometric devices in the 95 to 99 percent range, Pescatore says potential adopters should still use caution. "When they give these numbers about false rejections being below 1 percent, it turns out that for any of these biometric systems, there tend to be types of users who experience very high rejection rates. People with sweaty fingers or funny voices or, for facial, people who sometimes wear glasses and sometimes don't."
Because of that, all biometric-based systems have backups in place. "Say I burn my fingers and can't do the sensor, or get a cold and it won't recognize my voice," says Pescatore. "The backup is invariably a password or PIN number anyway, so biometrics doesn't eliminate the need for those. The usual problems have all centered around the fact that a password or PIN is binary--you get it right or you don't. If you get it right, it always lets you in, whereas every form of biometrics has some problem where it keeps a legitimate user out at some point or another."
Still, for high-security needs, the devices have come a long way, and the advantages over traditional passwords and PIN numbers are clear. "How often do you see people write down a password in their planner or paste it on a sticky note on their screen?" says AuthenTec's Germano. "We've made security very convenient for people. You never forget your finger."
The latest devices also double as navigation aids. Although Fujitsu manufactures its own biometric devices, it purchased EntrePad 1610 fingerprint readers from AuthenTec, in part because the device offered the right interface with Fujitsu's PCs and in part because of the multiple functions the devices served. "The biometric scanner can also be a cursor manipulator, like a joystick," says Moore. "We mount it in the middle where the [cursor] button is, and when you're not using it as a scanner to authenticate, you can use it as a [cursor controller]."
He continues, "We sell a lot into healthcare, into financial and into insurance and mobile sales forces. A lot of the data that's put into these PCs is pretty sensitive, and it's sensitive at certain layers. You may want to protect with smartcards and passwords to a certain level, but when you want to get into areas like social security numbers, you want to be more careful. You can use biometrics to give a further layer of protection."
Better, Smaller, Cheaper, Faster
"For our first mobile phone," says Germano, "if 10,000 people came up and tried to use your mobile device, 1 would be close enough that they could probably use it. That was three years ago. Now, we're shipping with 1 in 100,000 accuracy. Over that same time, the cost has gone down three-fold, the size and cost have decreased, and the power consumption is smaller."
Germano continues, "In the silicon business, size equals cost. With the cell phone, we're not adding any size at all. Our fingerprint sensor senses the finger moving, so it works like a touchpad on your cell phone."
Germano says that many of his customers are shocked when they find out how inexpensive the technology can be. "When you look at IT budgets and what a software package would be to put on everyone's PC, you're talking about at least two digits per person, whereas the cost of the fingerprint sensor is in the single digits per person. They're almost amazed that it can be delivered so accurately for so little."
Alternatives to Fingerprints
According to Gartner's John Pescatore, alternatives to fingerprint technologies are coming along, but most are not proven enough yet. "Voice recognition is the one that has the most promise, because most mobile devices and PCs have microphones," he says. "Costs are low, but so is the accuracy level. And then there's the concern of yelling out your password on a crowded train. Realistically, nothing has leaped up to take the place of fingerprint in satisfying low intrusion, low cost and high accuracy."
"Right now, we're pretty focused on the fingerprint biometrics, which is by far the leading biometric technology," says AuthenTec's Germano. "It has the highest security level, the 100,000 false accept rate. Facial has a less than 1 in 1,000 chance of making a mistake." But the bigger issue is probably the false reject rate. "When it really is you trying to get into your device, it lets you in without telling you 'I'm not really sure it's you.' With facial technology, the false reject rate can be as high as 30 percent."
Fujitsu recently introduced the world's first palm-vein scanner for use in automated teller machines, called PalmSecure. "It's the coolest technology you've ever seen," boasts Fujitsu's Paul Moore. "We have the ability to read the vein pattern in the palm, which is as unique as your eye or your fingerprint, and do it from a hover, so you don't have to touch anything. That is as innovative and less nerve-wracking and intrusive than an iris scan. The one we use on the ATMs is about the size of a deck of cards. The mobile one is about the size of a ring box, and that plugs in through a USB. It's very slick."
Atmel is still pursuing other areas of biometrics, but is singularly focused for now. "So far, we have no plans to offer any other technologies other than fingerprint," says Bruno Charrat. "We believe that fingerprint is by far the most promising commercially."
Exactly How Secure Is Your Security?
"We're living in a digital age where you have more and more data on mobile devices," says Atmel's Bruno Charrat. "If you are not protecting these data correctly, you're putting your privacy into great difficulties."
Atmel is laser-focused on ensuring that its systems can't be compromised. "What is scary is that with biometrics, you are really putting your privacy into danger if you are using a bad biometrics product. If I steal your password tomorrow, you can change it with no problem. If I steal your fingerprint, you cannot change it. People have to make sure the solutions are secure and private. Biometrics is a great technology. It's convenient, it adds security efficiently and conveniently, but you really need to be aware and seek out a solution that is really securing your privacy."
The bottom line? Find out how the system you are considering purchasing captures and stores data, both on the front end and on the back end. "The last thing we want is to compromise a promising industry like biometrics by putting a bad solution on the market," says Charrat.
Bill Schu is a frequent contributor to the magazine.