Warriors have long used emblems, uniforms and tattoos to physically identify themselves to their compatriots. Secret passwords were in use long before the first person logged in at a keyboard.

Today, the world of enterprise security is increasingly incorporating biometric identifiers as an additional weapon within the security arsenal.
International Biometric Group, a New York City-based consulting firm, reports that the worldwide market for biometric devices grew 67 percent last year to reach $1.2 billion. Analysts there estimate a further expansion to $4.6 billion by 2008.
The largest share of that money (48 percent) goes for fingerprint recognition systems, followed by facial recognition (12 percent). While these two are the most popular, there are other methods that analyze a person's physical or dynamic characteristics. Physical biometric methodologies also look at the following:

- Eyes — Examining the lines of the iris or the blood vessels in the retina
- Hands — Taking a 3D image and measuring the height and width of bones and joints
- Skin — Analyzing surface texture and thickness of skin layers
When looking at strong authentication, you want two out of three factors — something you have, something you are and something you know. While eyes, hands and skin are commonly used as biometric identifiers, more dynamic methodologies are also being introduced, such as the following:

- Voice — Detects vocal pitch and rhythm
- Keystroke Dynamics — Analyzes the typing speed and rhythm when the user ID and password are entered
- Signature — Matches the signature to one on record, as well as analyzing the speed and pressure used while writing
- Gait — Measures length of stride and its rhythm
To keep performance high and storage requirements manageable, today's biometric technologies don't have to store or analyze a complete picture of the body part or the physical feature being used. Imagine the processing power that would be needed to store a high-resolution picture of someone's face and then compare it with a live image pixel by pixel.
Instead, each method reduces the body part or activity to a few essential parameters and then codes the data, typically as a series of hash marks. A facial recognition system, for example, may record only the shape of the nose and the distance between the eyes. That's all the data that needs to be recorded for an individual's passport.

When that person comes through customs, the passport doesn't have to include all the data required to reproduce a full-color picture of the person. Yet, armed with a tiny dose of key biometric information, video equipment at the airport can tell whether the person's eyes are closer together, or the nose slightly wider, than the passport says they should be.
None of these biometric systems is infallible, of course. However, the rates of false negatives and false positives have markedly improved. One of the problems with fingerprint readers, for instance, was that they couldn't distinguish between an actual fingerprint and the image of one. In the recent movie National Treasure, Nicolas Cage's character lifted someone's fingerprint off a champagne glass and used it to gain access to a vault. That's not pure fiction.

Japanese cryptographer Tsutomu Matsumoto lifted a fingerprint off a sheet of glass and, following a series of steps, created gelatin copies. He then tested these on 11 fingerprint readers, and each accepted the gelatin prints. Outside the lab, Malaysian thieves chopped the fingertip off a businessman and used it with the fingerprint reader on his Mercedes. But none of those methods would work with higher-end fingerprint readers. The latest fingerprint readers incorporate more advanced liveness features, such as making sure the finger is at a plausible temperature (everyone's hand is different, as some are consistently warm or cold). In addition, they can check whether there is a pulse and tell how much pressure is being applied.
Such sophistication, however, has its drawbacks. Authorized users may find themselves locked out even when the devices are working properly. Why? Tiny changes, due to accidents or injuries, can alter a biometric profile, rendering it effectively obsolete. The thing to keep in mind with any biometric is that your ID does change over time. If you cut your finger, your biometric may not be the same any more. Or your early-morning voice is different from how it sounds after talking for eight hours.
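The template comparison described above (a few measurements instead of a full image, matched by tolerance rather than exact equality), together with the false-accept/false-reject trade-off and the drift problem, as an added Python example. This is not code from the article or from any vendor's product: the two measurements (eye distance and nose width), the relative-distance scoring, the 0.05 threshold and every sample value are constructed for illustration, and a real matcher uses many more features and its own scoring function.

```python
"""Added example (not from the article): toy biometric template matching.

A face is reduced to two hypothetical measurements, the enrolled template
is compared with a live sample by a tolerance rather than an exact match,
and the threshold sets the trade-off between false rejects (FRR) and
false accepts (FAR). Every value below is constructed for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Template:
    """Essential parameters only; the full image is never stored."""
    eye_distance_mm: float
    nose_width_mm: float


def distance(enrolled: Template, live: Template) -> float:
    """Relative Euclidean distance between two templates (0.0 = identical)."""
    d_eye = (live.eye_distance_mm - enrolled.eye_distance_mm) / enrolled.eye_distance_mm
    d_nose = (live.nose_width_mm - enrolled.nose_width_mm) / enrolled.nose_width_mm
    return math.sqrt(d_eye ** 2 + d_nose ** 2)


def matches(enrolled: Template, live: Template, threshold: float = 0.05) -> bool:
    """Accept when the live sample lies within the tolerance of the template."""
    return distance(enrolled, live) <= threshold


# Constructed enrolment and probe data (hypothetical millimetre values)
ENROLLED = Template(eye_distance_mm=62.0, nose_width_mm=36.0)
GENUINE_SAMPLES = [   # same person, ordinary capture noise
    Template(62.4, 36.2), Template(61.5, 35.7), Template(62.9, 36.6)]
IMPOSTOR_SAMPLES = [  # other people
    Template(58.0, 33.0), Template(66.0, 38.0), Template(63.5, 39.0)]
INJURED = Template(62.0, 38.5)  # same person after a nose injury (swollen)


def error_rates(threshold: float) -> tuple[float, float]:
    """Return (FRR, FAR) over the constructed samples for one threshold."""
    frr = sum(not matches(ENROLLED, s, threshold) for s in GENUINE_SAMPLES) / len(GENUINE_SAMPLES)
    far = sum(matches(ENROLLED, s, threshold) for s in IMPOSTOR_SAMPLES) / len(IMPOSTOR_SAMPLES)
    return frr, far


if __name__ == "__main__":
    # A tight threshold rejects genuine users; a loose one admits impostors
    for t in (0.01, 0.05, 0.10):
        frr, far = error_rates(t)
        print(f"threshold {t:.2f}: FRR={frr:.2f} FAR={far:.2f}")
    # Drift: the injured user no longer matches and needs re-enrolment
    print("injured user matches:", matches(ENROLLED, INJURED))  # False
```

Running the block shows the trade-off directly: at 0.01 two of the three genuine samples are rejected, at 0.10 two of the three impostors are accepted, and 0.05 separates the constructed sets cleanly. The injured sample falls outside the tolerance even though it is the same person, which is the "your ID changes over time" problem in numbers; the operational answer is a re-enrolment path, not a looser threshold.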
Biometrics in the Enterprise

While biometric authentication certainly adds an extra layer of security, it would be a mistake to implement a high-end system and then feel that break-ins would instantly be consigned to the history books. It takes back-end integration, constant vigilance and consistent user involvement to keep an enterprise secure. Security is a user issue and must go all the way to the desktop. You need to have a very layered architecture and assume that any layer could fail some day.
The most popular biometric tool at the moment is the fingerprint reader. Some even come on USB drives, and some keyboards and laptops come with them built in. These devices have come way down in price; as a standalone device, the unit price has dropped below $100. But, in an enterprise setting, that is just the start of the costs.

IT departments have to ensure, for example, that back-end security systems can accommodate biometric authentication and scale to the required number of users. Plus, if fingerprint readers are not incorporated into the laptop or desktop, they add to the number of devices that need to be supported by IT. There is little point, then, in adopting a stand-alone biometrics system that cannot easily be assimilated into the organization's existing security fabric.
Biometric authentication techniques are no longer so leading-edge that they are difficult to marry with traditional security safeguards. Today's systems are well enough developed that they can be incorporated into enterprise systems without too much effort. A strong authentication system is what you want to focus on, and biometrics can be part of it, but the user should still have to memorize something or have a token, and you need to make sure that the policies and the management structure relating to it are firmly in place.
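A gate that enforces the "two out of three factors" rule the article closes on, as an added Python example that is not from the article. It labels every check with the factor type it proves and grants access only when at least two distinct types pass, so a biometric match on its own, or a password plus a PIN (both "something you know"), is not enough. The password hash, token secret and challenge are constructed values; `simulate_token` is a hypothetical stand-in for a hardware token the user holds, and the biometric matcher is assumed to hand back a distance score of the kind a template comparison produces.

```python
"""Added example (not from the article): a 'two of three factors' gate.

Every check is labelled with the factor type it proves. Access is granted
only when checks from at least two distinct types succeed, so a biometric
match alone, or a password plus a PIN (both 'something you know'), is not
enough. All secrets and values below are constructed for illustration.
"""
import hashlib
import hmac
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Constructed enrolment data for one hypothetical user
_SALT = b"constructed-salt"
ENROLLED_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)
ENROLLED_TOKEN_SECRET = b"constructed-token-secret"


def check_password(supplied: bytes) -> bool:
    """Something you know: compare a slow hash in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", supplied, _SALT, 100_000)
    return hmac.compare_digest(digest, ENROLLED_PASSWORD_HASH)


def simulate_token(challenge: bytes) -> bytes:
    """Hypothetical stand-in for the hardware token: MACs the server's challenge."""
    return hmac.new(ENROLLED_TOKEN_SECRET, challenge, hashlib.sha256).digest()


def check_token(challenge: bytes, response: bytes) -> bool:
    """Something you have: the response must be the enrolled secret's MAC."""
    expected = hmac.new(ENROLLED_TOKEN_SECRET, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def check_biometric(match_distance: float, threshold: float = 0.05) -> bool:
    """Something you are: the matcher reports a distance, not a yes/no."""
    return match_distance <= threshold


def authenticate(checks: list[tuple[Factor, bool]], required: int = 2) -> bool:
    """Grant only if at least `required` *distinct* factor types passed."""
    passed_types = {factor for factor, ok in checks if ok}
    return len(passed_types) >= required


def login(password: bytes, challenge: bytes, token_response: bytes,
          match_distance: float) -> bool:
    """Run all three checks and apply the two-of-three rule."""
    checks = [
        (Factor.KNOW, check_password(password)),
        (Factor.HAVE, check_token(challenge, token_response)),
        (Factor.ARE, check_biometric(match_distance)),
    ]
    return authenticate(checks)


if __name__ == "__main__":
    c = b"constructed-challenge"
    # Biometric match but wrong password and no valid token: denied
    print(login(b"wrong", c, b"\x00" * 32, 0.01))          # False
    # Biometric match plus a valid token response: granted
    print(login(b"wrong", c, simulate_token(c), 0.01))     # True
```

The point of `authenticate` counting factor *types* rather than passed checks is the one the article makes: the biometric adds a layer, it does not replace the other layers, and two checks of the same type give no independent evidence if that type is compromised (a lifted print, a shoulder-surfed password).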