FRAMINGHAM (05/08/2000) - Fingerprint readers and iris scanners aren't just for James Bond anymore.
Actually, if biometrics isn't already creeping into your corporate network, it probably will within the next two to four years. That means passwords and identification cards may soon become obsolete, security will be tighter and help desk calls will be reduced.
"The whole world is the walking dead when it comes to security," says Martin Reynolds, a vice president and research fellow at Dataquest Inc., an industry research firm. "So many businesses don't realize they have fatal security flaws, especially when it comes to the Internet. They just haven't found them or found out how bad it is yet. Biometrics is a place to start."
Biometrics uses personal characteristics to identify users. When it comes to security, mapping unique patterns and traits in fingerprints, irises or voices is considered light years ahead of forcing employees to memorize combinations of letters and numbers, which are easily compromised and easily forgotten.
The technology works by taking measurements, whether it is the weight and length of bones in the hand or the pattern of blood vessels inside the eye or the pattern of fingerprints, and then storing the specifics, often called minutiae, in a database. When a user scans a hand or retina, the new mapping is compared with the stored data. Access is either granted or denied based on matching patterns that are unique to each individual.
It's that ability to identify someone based on unique physical traits that is driving biometrics into the corporate enterprise. As more high-priced transactions are conducted over the Internet, businesses increasingly need ironclad authentication of someone's identity. Add to that the increasing amount of in-house security breaches and corporate espionage, and you'll find network and security administrators grappling for a better way to secure information from unauthorized eyes.
"Somebody who is doing stock trades online wants security that is amazingly accurate," says Michael Thieme, a senior consultant for International Biometric Group in Manhattan, an independent biometrics consulting and integration firm.
"A lot of recent security incidents are making people aware that they have a lot of data that just isn't as secure as they thought it would be. . . . If biometrics can even be a small part of that, it will be a tremendous market."
Costs are dropping
Until recently, the problem with biometrics has been its staggering cost. But prices have dropped by 80 percent to 90 percent in the past two to three years.
A boom in research and development, largely driven by an increasing need for accurate forensics, has produced quality improvements and price reductions. A stand-alone fingerprint reader might have cost anywhere from $2,000 to $3,000 two years ago, but now it can sell for less than $100.
Analysts say fingerprint scanning is the top biometric in terms of mind and market share, with hand geometry coming in second, followed by face and iris scanning.
There's a growing crop of biometrics vendors expanding the market and pushing what was once technology solely aimed at forensics and government security into the enterprise market. Companies such as Identix of Sunnyvale, California, Veridicom of Santa Clara and Key Tronic in Spokane, Washington, are taking biometrics corporate.
And they're catching the eye of industry giants like Compaq, which is embedding fingerprint scanners into keyboards and laptops.
"When we first started working with Identix, going back about six years, it cost several thousand dollars for a fingerprint reader the size of a small telephone," says Joel Lisker, senior vice president of security and risk management at MasterCard International in Purchase, New York. "The current model is embedded in the keyboard, and it's in the $5 to $10 range."
MasterCard, which issues employee identification cards with smart chips embedded in them, is testing different biometric methods for everything from building access to network access. Lisker says repeat visitors to the company's headquarters were the first guinea pigs, having their images and fingerprints stored electronically for a digital match every time they returned.
The credit card company also is looking into voice recognition, and earlier this year began a pilot project using fingerprints to authenticate users for network access. Lisker says the trial, involving five or six employees, is going well, and he expects to broaden it to 100 users by year-end.
"Eventually, I expect their employee cards will gain them access to the building, the network, specified applications, and will even be used as an electronic purse at our cafeteria and store," he says. The employee cards will be smart cards with fingerprint minutiae stored on them.
"We're looking at this in lieu of personal identification numbers, which are readily compromised," Lisker says.
Freeing up the help desk
The city of Oceanside, California, is well beyond the initial testing phase when it comes to using fingerprinting to authenticate users. With 90 percent deployment, Michael Sherwood, director of the city's IT department, says the city is already saving $30,000 to $40,000 per year, and the IT department has been unshackled from password torments.
"Password-related calls made up about 25 percent of the calls coming into our help desk," says Sherwood, who started using fingerprinting technologies from Identix about a year and a half ago. "And we figure each one of those calls cost us $20 to $50, factoring in that a field technician has to be dispatched to make sure the password is delivered to the right person, not someone posing as that person."
Then there's the call to check back with the user to make sure everything is OK, plus the user's downtime while he is waiting for help.
"We have so many different systems, and each system has its own security," Sherwood says. "You need a password to log on in the morning and another password to get to certain files and then another password for financial applications, for example. And then you figure that people have to remember their ATM PIN number, their home security PIN, the security code for their cars and their cell phones. It's just all too much. We had to simplify that."
And looking at Oceanside's help desk statistics, it seems they've succeeded.
Sherwood says the IS department has only received 10 calls for assistance with the fingerprint scanners since Oceanside started using them in 1998, and most of the problems can be traced to dry skin or small abrasions that inhibit the scanner's reading.
"Our security administrator isn't spending his whole day patrolling passwords now. He's looking at bigger security issues," Sherwood says. "We spent about $170,000 on the system, and we figure we'll recoup all of our investment in two years."
Analysts support Sherwood's numbers, citing that calls about forgotten and changing passwords are a major drain on most help desks. They say it shouldn't come as a surprise, because the average user has to remember four to eight different strings of characters, and is supposed to change them every 30 to 60 days. Just getting employees not to use their own names, nicknames or birthdays as their passwords is a major IS headache.
"I'm a security expert, and my passwords are decent but even they could be better," says Abner Germanow, a research manager for IDC in Framingham, Massachusetts. "It's pretty easy to walk down the hall in any corporation and see someone who has his password on a post-it note, or he's got it in his wallet."
And that's just where Farrokh Shahamiri, an acting management analyst for Oceanside, kept his password before he started using a fingerprint scanner six months ago. "Before, I had one password to get into the network and a couple of others for different applications. I never forgot them because I always kept a copy of them in my wallet," he says.
An issue of privacy
While biometrics offers tighter security than passwords, industry watchers warn that the technology poses its own set of threats.
"The ugly truth is if you're storing people's fingerprints in a database, that database is searchable," Dataquest's Reynolds says. "Say you have a large company and somebody steals the CEO's cigar box. They find a fingerprint and compare it to what's in the database. Or say the police come asking for a copy of someone's fingerprint. That all amounts to an unlawful search."
And that is bound to make some users uneasy or even unwilling to hand over their fingerprints.
Grant Evans, vice president of Identix, calls it a small problem. "The fact is Big Brother has all the information he needs on you without your fingerprints," he says.
Gail Koehler, vice president of technology for Purdue Employees Credit Union in West Lafayette, Indiana, was worried that members would be upset when she first deployed fingerprint scanners in her automated branch kiosks.
Koehler says 12,000 members have registered their fingerprints with the credit union. "We spent the majority of our marketing dollars preparing ourselves to convince members that this was secure and not an invasion of their privacy," she says. "It was wasted dollars. We've basically had no objections. Members prefer the security."
No system is foolproof
While biometrics may be considered light years ahead of using passwords and IDs when it comes to user authentication and network security, nothing is perfect.
And to prove that point, Martin Reynolds, an analyst at Dataquest, created duplicates of his fingerprints on thin pieces of rubber to trick a fingerprint scanner. After finding success there, he started creating rubber fingers with fingerprints embedded on them. To see how far his "Mission Impossible" kind of efforts will go, he's now working on a whole rubber hand.
"I wanted to see how good these things are," Reynolds says. "It's not trivial, but they can be beaten. I did it right in my own kitchen."
And since cameras are only two-dimensional, Reynolds says face scanners could be fooled as well. But he hasn't had time to try it out - yet.
"Ultimately, a face mask or a photo could break these things," he says. "But if you see someone going into your office with a life-size picture of your face, you might be suspicious. Or if you see a co-worker wearing a mask of your boss' face, that might raise a question."