In a conference room overlooking the site of the World Trade Center, early adopters of biometrics technology this week stressed the importance of determining someone's true identity.
Gathered at the Millennium Hilton across the street from the site, attendees of the Fall 2004 Biometrics Summit heard about the challenges and benefits seen by those who would implement biometrics, both before and after the 9/11 attacks that put a greater focus on security needs. They also heard about why some companies still aren't yet ready for biometrics, technology that uses the personal characteristics of users to identify them.
Acknowledging that most of the 9/11 attackers used driver's licenses to board the airplanes they would use as weapons, one presenter said biometrics should be a key tool, in conjunction with better verification of identity-proving documents, in the process of obtaining driver's licenses.
Illinois was the first to use facial recognition technology in its DMVs, four years before 9/11, and the state is currently preparing an upgrade to its systems, said Beth Langen, administrator of the policy and programs division of the Driver Services Department in the Illinois Office of the Secretary of State. The measures have helped combat fraud, catching those who try to get multiple licenses for different identities.
"One guy came in a couple of times a day, to different facilities, to get licenses," Langen said. Another woman had 13 different identities, one of them real, and used them for theft. She was caught and imprisoned. In all, 1,700 cases of fraud have been discovered using the facial recognition software, with 173 people claiming three or more identities.
Originally, the department had considered using fingerprint readers, but went with facial recognition for several reasons. It's passive and non-intrusive. "When you come to a DMV, you expect to get your picture taken," Langen said. By contrast, people associated fingerprinting, especially a few years ago, with having been arrested, she said.
Huge volumes of pictures have been added to the department's database. It now contains 16 million pictures, and it is growing by 8,000 to 12,000 every day. At night, the system goes through all the new pictures to see if any faces match the pictures already on record. If there are some that look similar, they are sent to a fraud unit in the morning, which compares demographic data and signatures to determine if the similar-looking people are one and the same person.
Another biometrics pioneer represented at the conference was the New York City Law Department, which implemented a hand-geometry system for entering its offices and recording time and attendance.
The department had used a sign-up sheet before that, but employees who didn't want anyone to know they came in late started ripping out pages, said Malachy Higgins, chief of administration. The office tried using card readers, but found that administering the cards was a big headache, and if they were going to be late, employees could give cards to others who went in earlier to make it appear that they were on time.
In 1994, the department brought in the hand readers, and there were several hurdles. One was the union, which was concerned that the readers emitted some sort of radiation that would harm employees, until Higgins and his team explained that the process was more like taking a picture. Another hurdle was that the readers required users to fit their hands around pegs, something that took some getting used to.
"The first day or two, everybody thinks it's going to be a disaster. You sort of have to ride that wave a bit," Higgins said. It didn't take long for employees to adjust.
Getting employees acclimated to using biometrics equipment was a challenge echoed by other early adopters, as well.
Clarendon Insurance Group installed fingerprint readers both for entry to the building and for logging on to computers. The insurance company was helped by identity management software vendor Daon, which made sure users were prepped for the shift to biometrics.
Working with Clarendon's human resources department, Daon put together "welcome packs" for users, said Leo Ring, vice president of business development at Daon. The pack contained little stuffed koala bears -- because they are the only other animal with fingerprints -- and wipes for keeping the fingerprint readers clean.
"That really helped the project," Ring said. "Their buy-in is amazing."
Before getting buy-in from users, however, buy-in from top executives is paramount. Scott Sykes, group managers of strategic technology at Capital One Financial, encountered a lot of resistance to his ideas for bringing biometrics technology into the financial services firm.
The fundamental point of resistance was whether the reduced risk, cost savings and increased efficiency outweigh the expense required, Sykes said. A lot of the potential benefit is hard to quantify. But the cost is easy to quantify: US$5 million over the first two years, tapering off to US$400,000 per year for maintenance and operation.
While one could argue that biometrics provides security benefits over a password system, are the benefits that much greater?
"Getting security folks to release the use of a password is very difficult," Sykes said.
Single sign-on can be difficult to integrate with biometrics systems. Biometrics readers aren't built into laptop or desktop computers, making the readers a hassle to add into a network. And privacy concerns are also an issue. Until these hurdles are overcome, biometrics will have a hard time getting a foothold in most enterprise companies, Sykes said.
"There's really no pull. There's really no push. It's kind of in 'levitation' right now," he said.