Biometrics Explained
by Bill Perry
Throughout history, security and risk management have been treated as synonymous: intrinsically linked, but often reduced in priority when pitted against business generation projects. Risk management is accepted and understood as being core to business profitability, but what about security? This tiny word is often misconstrued, misunderstood and thus misplaced in the prioritisation schedules. A tiny word it may be, but a tiny subject it is not! Security is an all-encompassing environment ranging from the physical world of buildings to LANs/WANs and on to uncontrolled external networks (i.e. the Internet).
In the simplest sense, security is concerned with allowing authorised users/personnel cost-effective access to buildings, networks, data and services, whilst blocking and reporting on access attempts by others. As employees we expect our employers to provide us with the necessary tools to perform our functions to the best of our abilities. In the e-world we find ourselves in today, that translates into "I must be able to access the corporate network not only when I am in the office but at any time of the day or night and from any location in the world." This is the difficulty: security is made up of a number of interconnected elements, and it is only as strong as the weakest link. Added to this, today's implemented security measures are not keeping up with today's security risks. Proof of this is the fact that no one is willing to guarantee total security, especially in the e-commerce business-to-business (B2B) and business-to-consumer (B2C) economy.
Security hinges upon the understanding that you know whom you are dealing with: the identification of individuals. Everybody needs and uses identification in one form or another without realising it. Interaction between individuals would be non-existent unless you both knew something associated with each other's identity. Whether you are speaking on a phone, drawing cash at a bank teller, logging on to a computer or conducting business in the world of e-commerce, you are using identity today.
However, there are many forms of identity in today's world. These range from the very basic to the complex and sophisticated. How these are used or implemented once again comes down to risk management or perceived risk: what is the value of the asset being protected or the transaction being performed? Any successful transaction, whether it be financial, a transfer of information or access control, is predicated on the fact that the participating parties are who they claim to be. Once this is breached, all subsequent activity is flawed.
Identity claims can be expressed through three unique methods:
Knowledge: something you know (e.g. a password)
Possession: something you have (e.g. an access card)
Individual characteristics: something you are (e.g. a biometric)
These identifying characteristics can be used individually or in combination with each other. The weakest and most vulnerable of these is knowledge: research shows that over 50% of all PC passwords can be cracked within minutes. Almost as poor is possession: theft of a card grants the perpetrator access to all its facilities.
Simple forms of possession-based identity are also easily forged (e.g. the British driving licence, which is text-only and paper-based), whilst the electronic equivalent of user ID and password is easily cracked (entire websites dedicated to these processes are commonplace). The banking industry hinges upon the success of existing debit/credit cards. Up to a few years ago all cards consisted of a magnetic strip (on the back) and embossing (on the front), easy to duplicate en masse. As this type of fraud increased, financial institutions moved to smart cards. Some countries (such as the UK) advocated an easier route and issued smart cards without PINs (Personal Identifier Numbers), whilst other countries such as France and Germany endorsed the use of PINs at all points of interaction.
It is only when identity is based on individual characteristics that parties can be sure of who they are actually dealing with. The old adage that "over the Internet nobody knows you are a dog" illustrates this well. There are only two known forms of identity based on individual characteristics, namely face-to-face and biometrics.
It is the world of biometrics that is creating a storm in the wake of the terrorist attacks in the USA last year. Organisations throughout the world have a heightened concern about security. IT professionals are actively re-assessing their security policies, procedures and technologies in order to better safeguard their networks, applications and data. Building managers are re-assessing their management systems, guard requirements and multiple entry/egress points (including emergency exits).
Many IT professionals have examined the biometric industry from afar, but few have practical knowledge of its technologies. Biometric technologies are based upon individual characteristics of the human body: fingerprints, hand geometry, two-finger geometry, iris pattern, facial imagery, voice and dynamic signature.
During registration a person's individual characteristic is captured (e.g. a picture of their face or fingerprint) and digitally converted to a biometric template that is unique to the individual from whom it is created. Unlike a password, a PIN or a smart card, it cannot be forgotten, misplaced, lost or stolen. Biometrics ensures that a person attempting to access a computer system is really the authorised user, not someone who stole a smart card or found a password on a post-it note hidden under a keyboard or in a desk drawer.
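As an added illustration of the two points above (the three identity methods used in combination, and enrolment producing a template that later captures are matched against), here is a small Python model that is not part of the original article. The "samples" are constructed feature vectors standing in for a sensor's measurements, the enrolment and matching logic is a plain Euclidean-distance comparison with a threshold (real systems use proprietary templates and matchers), and the user record, token serial and password are invented. It also shows what the article only implies: the match threshold trades false acceptance of impostors against false rejection of the genuine user.

```python
import hashlib
import hmac
import math
import os

# Constructed sample data (invented values, not real biometric measurements).
# Each list stands in for the feature vector a sensor would extract.
ENROL_SAMPLE = [0.12, 0.80, 0.45, 0.33, 0.91, 0.27]
GENUINE_ATTEMPTS = [            # same person; small capture-to-capture noise
    [0.13, 0.79, 0.46, 0.31, 0.90, 0.28],
    [0.10, 0.82, 0.44, 0.35, 0.93, 0.25],
    [0.11, 0.78, 0.47, 0.34, 0.88, 0.29],
    [0.20, 0.70, 0.55, 0.25, 0.95, 0.20],   # a poor-quality capture
]
IMPOSTOR_ATTEMPTS = [           # different people
    [0.70, 0.20, 0.10, 0.85, 0.40, 0.60],
    [0.15, 0.75, 0.50, 0.30, 0.50, 0.90],
    [0.90, 0.90, 0.10, 0.10, 0.50, 0.50],
    [0.18, 0.72, 0.40, 0.40, 0.85, 0.35],   # a near miss
]


def enrol(sample):
    """Registration: reduce the capture to a stored template.
    Only the template is retained; the raw capture is discarded."""
    return tuple(sample)


def distance(template, sample):
    """Euclidean distance between a stored template and a fresh capture."""
    return math.sqrt(sum((t - s) ** 2 for t, s in zip(template, sample)))


def biometric_match(template, sample, threshold):
    """Verification: a capture matches if it is close enough to the template."""
    return distance(template, sample) <= threshold


def error_rates(template, genuine, impostors, threshold):
    """Return (false accept rate, false reject rate) for one threshold."""
    far = sum(biometric_match(template, s, threshold) for s in impostors) / len(impostors)
    frr = sum(not biometric_match(template, s, threshold) for s in genuine) / len(genuine)
    return far, frr


class UserRecord:
    """What the verifier stores: a salted password hash (knowledge),
    a registered token serial (possession) and a template (characteristic)."""

    def __init__(self, password, token_serial, sample):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.token_serial = token_serial
        self.template = enrol(sample)


def check_knowledge(rec, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec.salt, 100_000)
    return hmac.compare_digest(candidate, rec.pw_hash)      # constant-time compare


def check_possession(rec, token_serial):
    return hmac.compare_digest(token_serial.encode(), rec.token_serial.encode())


def authenticate(rec, password, token_serial, sample, threshold=0.10):
    """All three factors must pass. The per-factor results are returned for
    the audit log; a real login prompt would report only the overall outcome."""
    results = {
        "knowledge": check_knowledge(rec, password),
        "possession": check_possession(rec, token_serial),
        "characteristic": biometric_match(rec.template, sample, threshold),
    }
    return all(results.values()), results


if __name__ == "__main__":
    template = enrol(ENROL_SAMPLE)
    for threshold in (0.10, 0.20):
        far, frr = error_rates(template, GENUINE_ATTEMPTS, IMPOSTOR_ATTEMPTS, threshold)
        print(f"threshold {threshold:.2f}: FAR={far:.2f} FRR={frr:.2f}")
    user = UserRecord("correct horse", "TOKEN-0001", ENROL_SAMPLE)   # invented credentials
    print(authenticate(user, "correct horse", "TOKEN-0001", GENUINE_ATTEMPTS[0]))
    print(authenticate(user, "correct horse", "TOKEN-0001", IMPOSTOR_ATTEMPTS[3]))
```

With the constructed data, a threshold of 0.10 rejects every impostor but also rejects the poor-quality genuine capture (FAR 0, FRR 0.25), while loosening it to 0.20 accepts that capture but lets the near-miss impostor through (FAR 0.25, FRR 0). Choosing the operating point is the risk-management decision the article describes, and combining the biometric with the other two factors means a stolen token on its own, or a near-miss capture on its own, is still refused.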
So, why are biometric technologies not evident, in numbers, throughout industries? Biometrics is no different from any new technology. E-commerce has stumbled for a number of years because people inherently distrust new technologies; when e-mails first came about, didn't you phone to make sure the recipient got the e-mail safely? In this jargon-filled world, people in specialist industries use words and acronyms that scream over the heads of ordinary people. Stock exchange staff use words I have never heard of, banking staff use acronyms that leave me cold, so why should we be any different in the security world? What has been missing in the biometric industry has been the translation of cool technology into business profitability and cost reduction. However, that is changing, and biometrics is predicted to be one of the top ten technologies in 2002, as more and more companies offer biometric solutions that can easily integrate with existing infrastructures.
In conclusion, I would like to reiterate that the strength of any security solution is only as great as its weakest link. In the ever-increasing virtual world, knowing you are dealing with the right person has become business critical. Biometrics doesn't answer all the questions surrounding security, nor does it provide a total solution on its own. But it does provide the only true verification of credentials based on real-time identification systems. Biometrics establishes the first line of security at the perimeter of other defence mechanisms. It enhances the capabilities of other safeguards by extending security out to the actual identity and verification of individuals.