Should You Give Biometrics a Break?

When do biometrics make sense for identity management? Davey Winder investigates

In 1881, a Parisian policeman named Alphonse Bertillon developed a method of using body measurements to identify criminals. This biometric system, known as Bertillonage, was adopted by the British police, although it fell out of favor, giving way to the much more accurate method of fingerprinting for identity authentication. The Fingerprint Branch of Scotland Yard was officially created in 1901.

Biometric data as a means of authentication, therefore, is not anything new. These methods are often lauded for their accuracy, but there are numerous other issues that don’t exactly leave biometric ID with a sterling reputation. Yet, even setting aside the cost and deployment issues, the reliability of biometrics may not be so clear-cut.

The Cost Factor

The first question that needs to be answered, and often the first to be asked when looking at implementing an authentication system, is whether biometrics are simply too cumbersome and expensive for most applications. Daniel R Walsh, who is director of Biometrics & Identity Solutions with CiRRUS Management Solutions as well as chair of the Human Identity Management Biometrics Consultation Group, gives a simple answer: no.

“When looking at the cost of biometrics, it really is no different [than] looking at the investment in any other security technology”, he explains. “It’s all a question of risk profile, and the value associated with the asset you’re protecting. There is no doubt in my mind though that nowadays there are many scenarios where some security technologies are implemented to secure certain applications and assets, and for a similar cost biometrics could be implemented, thus ensuring at the same time a much higher level of protection for that asset”.

The keyword here is ‘some’ it seems. According to Steve Furnell, a senior member of the IEEE and Head of the Centre for Security, Communications and Network Research at the University of Plymouth, “It really depends upon the application concerned and the choice of biometric”. He adds, “if the biometric can be implemented in a non-intrusive (or, at least, less intrusive) manner than passwords, then they can help to improve the usability of the authentication technique”. A good example is the face recognition capability on some Android devices; the legitimate user just has to look into the camera and they get access, while an impostor remains locked out.

The Business Bottom Line

Biometric authentication can be expensive and requires careful design, but it offers advantages in certain applications. The bottom line is that there have to be clear business advantages to employ biometrics – given the investments needed in equipment, systems and enrolment processes – to justify the cost.

Users should be wary of the risk of biometric technology for technology’s sake, warns one IT security insider, who spoke to us under the condition of anonymity. There is usually an element of technology push to biometric deployments, rather than a considered cost–benefit analysis, he observes. Consultants from his firm were involved with a German banking group that recently conducted trials on biometric ATMs. The trials were about consumer convenience, but with very little consideration about whether these benefits justified the costs, or whether the environment was suitable for reliable biometric authentication.

Convenience can never be overlooked in any debate about biometrics, so has the technology become cheaper to implement and easier to use? Steve Furnell isn’t convinced on either argument when transplanted into the real world. While the technology itself has dropped in price as it matures, and that maturity means it’s also easier to implement than in years gone by, Furnell points out this doesn’t mean biometrics are cheaper and easier than, say, password authentication systems. “In some cases such as fingerprint recognition”, he says, “the technique requires explicit, dedicated hardware to support it, and so no matter how cheap it is, it’s going to be more costly than something that leverages existing hardware”.

The Most Accurate Authentication System?

OK, so cost and convenience are open to debate, but surely the accuracy of biometrics for identity authentication is beyond reproach? Not according to Entrust CTO Jon Callas, who argues that biometrics are by definition inaccurate, or at the very least probabilistic.

“Consider a biometric to be a picture, whether it be a photograph, voiceprint or fingerprint”, he explains, adding that “the software compares reference pictures to the sample and deems it either ‘close enough’ or not. The match is never exact”.

Indeed, matching has to balance a reasonable rate of rejecting the right person or accepting the wrong one. “It must lean towards accepting the right person more often”, Callas insists. “If it didn’t, we’d stop using the biometric. They must be inaccurate in order to be usable”.

If you think about it, then this logic makes sense; after all, what if you had a cold and your voice recognition stopped working, for example? Daniel Walsh, however, stands by the authentication accuracy of these technologies. “Using a single or multi-modal biometric linked to suitable middleware will ensure that only those authorized to access data, premises or networks are allowed to do so”, he told Infosecurity, concluding that “with the threat landscape ever evolving, and evasion techniques becoming more complex, the use of biometrics as the only absolute way of authenticating somebody is becoming drawn ever sharper into focus”.
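The threshold trade-off Callas describes can be made concrete with a short calculation. The following is an added example, not part of the original article: the similarity scores are constructed sample data and the function names are illustrative. It computes the false rejection rate (FRR, the right person turned away) and the false acceptance rate (FAR, the wrong person let in) at different "close enough" thresholds.

```python
# Added example with constructed scores; function names are illustrative.
# A matcher outputs a similarity score in [0, 1] and accepts when
# score >= threshold. The threshold sets the balance between rejecting
# the right person (FRR) and accepting the wrong one (FAR).

# Constructed comparison scores, not real biometric data.
# The 0.62 genuine score stands for a degraded sample (user with a cold).
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.62, 0.93, 0.90, 0.87, 0.97]
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.66, 0.19, 0.52, 0.81, 0.30, 0.45]


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) for one threshold."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def sweep(genuine, impostor, steps=100):
    """Rows of (threshold, FRR, FAR) for thresholds 0.00, 0.01, ..., 1.00."""
    return [(t / steps, *error_rates(genuine, impostor, t / steps))
            for t in range(steps + 1)]


def equal_error_point(rows):
    """Row where FRR and FAR are closest (approximate equal error rate)."""
    return min(rows, key=lambda r: abs(r[1] - r[2]))


def strictest_threshold(rows, max_frr):
    """Highest threshold (lowest FAR) that keeps FRR within max_frr."""
    usable = [r for r in rows if r[1] <= max_frr]
    return max(usable, key=lambda r: r[0])


if __name__ == "__main__":
    rows = sweep(GENUINE, IMPOSTOR)
    for t in (0.60, 0.80, 0.90):
        frr, far = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FRR {frr:.0%}  FAR {far:.0%}")
    print("equal error point:", equal_error_point(rows))
    print("never reject a genuine user:", strictest_threshold(rows, 0.0))
```

On this constructed data, a threshold loose enough never to reject the genuine user still accepts two of the ten impostor attempts, while a threshold strict enough to reject every impostor turns the genuine user away half the time.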

Give It a Break?

Ken Brownlee, CTO of Biometrics at DigitalPersona, argues that biometrics are just beginning to fulfil their potential and are certainly not ready to be consigned to the history books. “Many governments, such as India, Indonesia, Philippines, Nigeria, Brazil and Chile are fingerprinting their populations because of the social benefits derived from biometrics”, he tells us, insisting that “biometrics are indeed the authentication technology of the future”.

Information security expert John Skipper of PA Consulting Group agrees that multi-modal biometrics represent the future “for high-reliance identity verification”, while Benoit Fauve, senior research and development engineer at ValidSoft, sees voice biometrics, in particular, as the future for secure mobile wallet and payment systems, given an increasing emphasis on telecoms-based authentication.

“Recent events indicate that the demand for voice-based authentication of individuals using mobile phones and other devices will accelerate”, he explains, adding that “the largest search engine company in the world, Google, is acquiring the longest-established manufacturer of mobile phones, Motorola Mobility, and has publicized plans to turn phones into electronic wallets. It is very likely that they will incorporate voice biometrics in their security measures that secure their mobile wallet”.

Idan Shoham, CTO at Hitachi ID Systems, meanwhile airs a note of caution, explaining that although biometrics are useful in cases where a high standard of assurance is required, in cases where there are many users but few points of authentication and a fixed infrastructure, it’s not the only scenario in town. “Biometrics are unlikely to replace passwords, tokens or smart cards as the most common mode of signing into consumer or corporate computer devices”, he predicts. “There are too many ‘gotchas’, and the unit cost is too high for that to happen. In the corporate space, I think they’ll remain a special case.” 

 

Idan Shoham of Hitachi ID Systems explains exactly where the problem with biometrics lies:

"The main problems with biometrics, in a general sense, are cost and accessibility. Cost is straightforward because you need a reader embedded in or attached to every device. Depending on the technology, some readers can be quite costly. This is a significant inhibitor of adoption. There are some notable exceptions to the cost problem. There are some very inexpensive fingerprint scanners out there, cheap enough to make sense on laptops and phones. There are also things like face recognition, voice biometrics and typing dynamics that leverage already-deployed hardware (webcam, telephone and keyboard, respectively).

A second inhibitor to adoption is failure to enrol. For every biometric, there are some people and some situations where it just doesn’t work. For example, I’m a frequent traveler between the US and Canada. As a consequence, I enrolled in the Nexus program, which uses biometric iris recognition. I have to assume that wouldn’t work if I had a form of blindness that significantly degrades the structure of my eyes.

There are similar problems with most biometrics, such as fingerprints. What if you’re an amputee with no fingers? Voice: What if you’re mute? Finger vein: What if you have really small fingers or have blood circulation problems? Typically, fewer than 1% of users will have problems. The problem is that from an organizational point of view, you are obliged to offer alternatives. If you deploy one biometric technology, you must deploy either passwords or another biometric as a backup. And don’t forget to deploy hardware to every endpoint, including endpoints that you don’t own/control (smartphones?) and endpoints that aren’t able to accept peripherals (phones and tablets).

I think the main barriers to widespread adoption of biometrics are the need to deploy backup technologies, because of failure to enrol problems, inability to integrate with every endpoint device, the need to have pervasive network connectivity, and unit cost. These are serious problems that I think will tend to limit deployment to high-value/low-unit-count scenarios."

 

 
