Cost savings, convenience and security benefits, along with the need to abide by legislation such as HIPAA, GLBA and Sarbanes-Oxley, are spurring a range of organizations to consider deploying biometric defenses to their systems.
Fans of biometrics say the trend is long overdue. "All of those [pieces of legislation] conspire to make the IT manager responsible for knowing who did what and when on the network," says Vance Bjorn, CTO with DigitalPersona. "There's pretty much universal acknowledgement that passwords are a pretty low bar."
His view is backed up by Daren Mehl, assistant vice-president of information technology at United Bankers' Bank, based in Bloomington, Indiana. "One of our main goals is to make a more secure network and secure our transactions," he says. "It [biometric technology] adds a level of authentication that wasn't available with smartcards, passwords, and so on – because only the person's fingerprint is going to work, and you can't share that."
He explains that as a $250 million bank clearing house of sorts, whose customers are other banks, UBB needs to be sure who is using the system. Biometric technologies provide the proof needed to mitigate the financial and liability risks, and meet regulatory compliance demands.
All 75 employees at the bank, who used to use passwords, now use DigitalPersona's Pro Fingerprint Solution to sign on to applications.
After that, the company decided to enlist the vendor's consumer version, DigitalPersona Online, for its 500 checking account customers, to take care of basic business activities online. While up to ten percent had questions about privacy, most were excited about the technology. With the success of this roll-out, the bank is now beta testing the product to offer more extensive transactional services, such as wire transfers, payroll activities, and more.
Mehl says calls to the company helpdesk have dropped dramatically, and the system is more secure, convenient and easier to audit. "We went through all the different authentication schemes. We looked at smartcards and tokens, we looked at certificates, we thought about dual user names and passwords and then we thought of biometrics," he says. "We ended up not going with smartcards, tokens, certificates or dual passwords because they all have one thing in common – they do not authenticate who is using it. They authenticate the password, or that they have the token."
Running the numbers
Better security, ease of use and more straightforward standards adherence are all drivers coalescing to make biometrics a boom industry, rather than the futuristic proposition it was once considered, one that would have even the keenest techno geek scratching his head.
According to Kyoko Kaneda, consultant with technology services firm International Biometric Group, the biometrics industry worldwide should hit the $4.7 million mark by 2008. By next year, according to her research, it should be around $1.9 million, with the key penetration not only in the government and law enforcement sectors, but also healthcare and finance.
The case for biometrics as a reliable identifier is a compelling one. Some research indicates that organizations spend around $150 a year on password management for every employee, a task that can be eliminated with the introduction of, for example, fingerprint recognition. In certain applications where an electronic signature is necessary, some form of biometrics can be combined with a digital certificate. This solves the problem of someone coming back later to say "I didn't sign that, I was away from my desk for three hours." By tying the signature to biometrics, you can get non-repudiation.
Even so, compared with other infosecurity markets, biometrics is still an emerging area. Getting biometrics tools from different vendors to interoperate can be a problem, says Kaneda. Plus, most biometrics tools only work well with a handful of platforms, she adds, and there are some end-users who just may not be able to use the technology. Nonetheless, the industry on the whole is working on standards and other issues to improve the technology and roll-outs.
"If deployed properly and implemented in the correct setting, it does provide an unprecedented level of security," she says. "In some cases, it also has a measure of convenience. Smartcards can be stolen, they can be misplaced, PINs can be forgotten, passwords can be forgotten, but pure biometric data, on the other hand, is invulnerable to those kind of things – basically, you won't lose your fingerprint. For the actual performance of the technology, obviously, it's not perfect and it's not completely invulnerable."
Most of the performance problems, she says, center on a small percentage of end-users who are unable to enroll in some biometric systems. For example, some people's fingerprints have diminished considerably over time.
"Yet we're also seeing in our annual comparative biometric testing that the error rates decline every year. What we see is that the performance of these technologies across the board is generally improving," she says.
And, for the most part, enrollment errors and match-rate problems can be overcome with strong end-user training and awareness programs, which ensure that the affected population understands how the technology works and how they can help it perform at optimum levels, according to Precise Biometrics' white paper "Precise Biomatch Fingerprint Technology."
Indeed, UBB's Mehl says he would advise any organization considering a biometrics deployment to hold training and awareness sessions with end-users throughout the process, in order to make sure they are comfortable with the tools. They need to understand what the technology is, why the company is using it, why it adds value, how it will help them in their business activities, and how it will enhance their own – and the company's – security.
A view of things to come
Currently, some of the major projects involving biometric deployments are happening in the government arena, explains Kaneda.
"The biometric passports that are being issued by Visa Waiver Program countries under the U.S. State Department guidelines, the US-VISIT program, the TSA's Registered Traveler Program, and the TSA's Transportation Worker Identification Credential Program – these projects all involve the use of biometrics to identify individuals against terrorist watch-lists and government agency databases to secure access to the country or secure facilities," she states.
But financial services companies, healthcare organizations and, most recently, manufacturing and energy companies are increasingly testing or deploying biometrics technologies, says Saflink's Cathy Tilton, vice-president of standards and technologies.
Also, biometric tools have traditionally been all about the convergence of physical and logical access. That still seems to be a main demand from companies, and it is helping the segment to prosper – albeit more slowly than some hoped.
"The primary focus is on physical access and credentials," adds Tilton.
Many deployments still focus on physical access, with the ability to create virtual credentials being rolled out as a quick follow-up.
The rise of identity theft across a range of industries is also helping the technology to gain a stronger foothold in the security market, says John Dorr, vice-president of marketing for facial recognition solutions company Viisage. The Federal Trade Commission estimates that 27 million Americans have suffered from identity theft in the past five years, and ten million of those cases occurred last year.
Indeed, protecting companies and customers against identity theft has become a major driving force behind financial organizations' interest in the tools, says Jim Woodhill, chairman of voice authentication solutions provider Authentify.
"Some supplemental form of authentication has got to come," he says. "Identities are under active assault," with such activities morphing from simple amateur activities to organized crime.
But, for the mainstream computing arena – primarily consumers and those companies after their allegiance – the hook that reels many over to biometrics is convenience, says DigitalPersona's Bjorn. He notes that Microsoft has just unveiled mouse and keyboard products for consumer-computing activities that have his company's fingerprint recognition technology built in. This move was made, he says, to help users eliminate the army of passwords on which they often rely to gain access to applications, websites and PCs.
And while security is an obvious benefit of the new tools, he notes that Microsoft's marketing strategy is emphasizing the convenience that the fingerprint sensor offers to users. And that is not a bad approach for consumers or companies in today's still fiscally tight environment, he says.
"A lot of security technologies are viewed as cost centers, not profit centers," he adds. But biometric tools often save on helpdesk costs, since password issues or smartcard PIN problems are reduced substantially.
And anyway, he adds, "convenience induces security."