Business 2.0 (UK): February 2001
Biometrics: A helping hand for online security?
Every day, a commuter would flash his season ticket at the inspector and board the same train. He felt insulted when the inspector stopped him because he forgot his pass one day, despite recognising him. "My face is my ticket," the traveller protested. "Very well," said the inspector, rolling up his sleeve with a smug smile. "I've been ordered to punch all tickets."
Security based on possessing tokens (like tickets) or knowledge (such as passwords) is frustrating and inconvenient. Not only can legitimate users be turned away because of their forgetfulness, but the access codes can be easily stolen and often copied. The Gartner Group has estimated the cost of password problems to be around US$340 per employee each year.
That's why websites and computer networks are turning to biometric technology, which identifies people by personal features such as their fingerprints, irises or voices. Those can't be forgotten or left at home, and the vendors' pitch is that they can't be copied either.
ING Direct implemented Secugen fingerprint recognition technology for its online bank in November 2000, saying that the cost of hardware is more than justified by lower costs administering password security. Customers log on by entering their account number and personal identification number (PIN) and putting their finger on a reader on a mouse or keypad.
The choice of fingerprints over other biometric technologies was dictated by cost and ease of use. Secugen claims that fingerprint scanners cost a fifth of the price of low-grade iris scanners and about the same price as cameras for facial recognition. Although computers might be confused by the faces of identical twins, fingerprints are unique to every finger on each person.
Equally importantly, the public has faith in fingerprints as unique identifiers. "A security system based on fingerprint technology projects an appearance of powerful security, offering heightened deterrence against fraud that other biometrics simply can't offer," says Secugen's director of business development Jim Kawashima. ING Direct is also testing Saflink's speaker recognition technology.
When people become their password, they themselves become the target: they could be attacked for body parts or forced to help break in. Veritel claims its VoiceCheck will spot the static in a recording, but most vendors are coy about the techniques they use to confirm that a live person is present. "I don't mean to trash biometrics, but they're not magically more secure," says Bruce Schneier, security expert and author of the book 'Secrets and Lies'. "If you can't verify the conversion of the biometric to its digital representation, there's an enormous amount of trust missing. Because they use remote equipment, it's no better than a password. But it's no worse either."
Pointy finger? That'll do nicely.
Mastercard and Visa are engaged in separate trials using biometrics to identify and charge shoppers. Visa's trial in its California staff café has been running since 1998 and requires employees to just apply their fingerprint to a till device to be charged. There are no smartcards and over 350 people are using it to spend over US$11,000 a month. The convenience of this system could prove popular in controlled environments like supermarkets, but it's risky for e-commerce. "You have to balance the convenience with the ability to recover," says Schneier. "If someone hacks a fingerprint, you're done. You only have one of those and you can never recover."
Once the biometric measurement is digital it can be intercepted or stolen like any other data. "This is a real risk for all products of this type since the mouse cables are not typically shielded," says Thomas Tesluk, spokesman for Siemens ID Mouse, which features a fingerprint sensor. "The real question is, what is the likelihood of such an attack? High level encryption and the fact that only a partial print is captured ensures that even if the network archive or hard disk is penetrated, there is nothing of value to steal." Siemens says, in common with other vendors, that the stored pattern can't be used to recreate the full fingerprint.
One defence against hackers is also a weakness in the technology: a live capture of a person in a real environment never comes out exactly the same twice, so a sample that exactly repeats a previous entry can be rejected as a probable replay. But that also means the system can't be definitive: it has to accept samples that merely resemble the enrolled one. "Biometrics wouldn't be useful if it was 100% accurate," says Keyware CEO Francis Declerq, whose company integrates biometrics with other security systems. "You're measuring people and people always change. They might scratch a fingerprint because they were working in the garden, might have a cold that affects their voice, or might shave a beard."
There's a balance to be struck between locking people out wrongly (false rejections) and letting intruders in (false acceptances). The two rates are tied together by the match threshold: demanding a closer match cuts false acceptances and raises false rejections, and false acceptances could be eliminated altogether if everyone were rejected. ING Direct's false rejection rate is 0.1% and its false acceptance rate is 0.001%.
I got rhythm
One key problem with biometrics for website access is equipping users' computers all over the world. Voice and face recognition can use existing microphones or webcams, but Net Nanny Software's BioPassword requires no additional hardware at all. It studies the rhythm and speed of typing. Musicrypt.com will use it to help stop digital music buyers from sharing their passwords and give them access to their music from multiple platforms anywhere. Users teach the system their typing style by entering their ID and password fifteen times. Mitch Tarr, VP for Net Nanny Software International says: "Because of the ubiquity of passwords and their familiarity to a broad base of users, BioPassword will be virtually invisible to them, leveraging something they use everyday: keyboards and passwords. This means that existing policy and procedure can work for large institutions where change can be onerous." The company's network logon software costs between US$20 and US$90 per machine. Net Nanny claims that it has an accuracy of 98.4% with particularly low false authorisations. "The biggest hurdle is scepticism," says Tarr. "People have a difficult time believing that an 'invisible' biometric actually works."
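The BioPassword description above says only that the product studies "the rhythm and speed of typing" and learns a user's style from fifteen entries of ID and password. The following is an added example of how a keystroke-dynamics check of that general kind can be built; it is not Net Nanny's code or algorithm. Everything beyond the article's description is an assumption: the captured events (key, press time, release time), the choice of dwell and flight times as features, the mean/standard-deviation template and the scaled-distance score. The enrolment attempts and the two later attempts are constructed with a seeded random generator so the example runs offline.

```python
"""Keystroke-dynamics enrolment and verification for a fixed typed string.

Added example, not Net Nanny's BioPassword implementation. Feature choice
(dwell and flight times), template form and scoring are assumptions.
"""
import random
from statistics import mean, pstdev

# A typed attempt is a list of (key, press_ms, release_ms) in typing order.


def features(events):
    """Dwell time per key (how long it is held) followed by flight time
    between consecutive keys (release of one to press of the next)."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enrol(attempts):
    """Template = (mean, population std dev) of every feature over the
    enrolment attempts (the article's fifteen entries)."""
    columns = list(zip(*(features(a) for a in attempts)))
    return [(mean(c), pstdev(c)) for c in columns]


def score(template, attempt, std_floor=5.0):
    """Scaled Manhattan distance: mean over features of |x - mean| / std.
    Lower means 'typed like the enrolled user'. The std floor stops a
    feature the user happens to type with uncanny consistency from
    dominating the score (and from dividing by zero)."""
    xs = features(attempt)
    return mean(abs(x - m) / max(sd, std_floor) for x, (m, sd) in zip(xs, template))


def verify(template, attempt, threshold=2.5):
    """Accept when the attempt sits within `threshold` scaled units of the
    template. The threshold is the FAR/FRR knob, as with any biometric."""
    return score(template, attempt) <= threshold


def make_attempt(rng, text, dwell_ms, flight_ms, jitter_ms):
    """Constructed keystroke capture of `text` with a given rhythm, each
    timing perturbed by up to +/- jitter_ms (stands in for a real logger)."""
    events, t = [], 0.0
    for i, ch in enumerate(text):
        press = t
        release = press + dwell_ms[i] + rng.uniform(-jitter_ms, jitter_ms)
        events.append((ch, press, release))
        if i < len(text) - 1:
            t = release + flight_ms[i] + rng.uniform(-jitter_ms, jitter_ms)
    return events


# Constructed rhythms (milliseconds). Alice is the enrolled user; Mallory
# knows the password but types it with her own, slower cadence.
PASSWORD = "s3cret"
ALICE_DWELL, ALICE_FLIGHT = [90, 110, 95, 100, 85, 120], [150, 210, 180, 160, 240]
MALLORY_DWELL, MALLORY_FLIGHT = [140, 130, 150, 145, 160, 135], [320, 280, 300, 350, 260]


def demo(seed=2001):
    """Enrol Alice on 15 attempts, then test one attempt each from Alice
    and Mallory. Returns (alice_accepted, mallory_accepted)."""
    rng = random.Random(seed)
    enrolment = [make_attempt(rng, PASSWORD, ALICE_DWELL, ALICE_FLIGHT, 12)
                 for _ in range(15)]
    template = enrol(enrolment)
    alice_try = make_attempt(rng, PASSWORD, ALICE_DWELL, ALICE_FLIGHT, 12)
    mallory_try = make_attempt(rng, PASSWORD, MALLORY_DWELL, MALLORY_FLIGHT, 12)
    return verify(template, alice_try), verify(template, mallory_try)


if __name__ == "__main__":
    print("alice accepted, mallory accepted:", demo())
```

The point the example makes that the prose does not is that the password itself is never part of the template: Mallory supplies the correct characters and is still rejected because her timings fall many standard deviations from Alice's. It also shows why a server-side implementation can live alongside an existing password scheme, as Tarr describes, since the only extra data the client has to send is a list of key timings.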
For other biometrics incompatibility is a barrier. The industry's BioAPI Consortium has already published a standard programming interface, but the template data formats remain proprietary. With the exception of fingerprints, no standard is expected in the foreseeable future. Jason Wright, who authored the Frost & Sullivan report US User Authentication Devices Market, believes that the market will be boosted by Microsoft's decision to add biometric support to the next generation of Windows. "This helps to move the biometrics industry to a plug-and-play status, relieving interoperability issues and making the technology more recognisable as a viable mainstream solution," he says. He expects industry consolidation to start next year and run until 2003, leaving clear market leaders in place of current fragmentation. He estimates industry growth to be 69% by 2006.
Already companies can buy some degree of standardisation by outsourcing their biometric authentication to companies like Keyware, Veridicom and eTrue. These companies provide one-stop servers that interface with different technologies to authenticate users. Such services often use ActiveX browser extensions to add biometric authentication to websites. "Outsourcing allows customers to focus on their core business instead of being distracted by hiring and managing new people to administer biometric security," says eTrue's CTO Michael Kuperstein. He claims a client can install eTrue's service in 15 minutes. The service costs US$29 per user per month, including hardware.
Matt Yarbrough from law firm Vinson & Elkins LLP is the former chief Cybercrimes prosecutor for the US Justice Department in Dallas. He believes that people won't worry about the privacy of biometric access systems. "People are not likely to be concerned if their bank, or other e-commerce entity, wants fingerprints, hand geometry, a voiceprint, or iris or retina features," he says. "The exception is DNA. Although it is likely the most unique human identifier, it contains such a wealth of information that should remain confidential, such as predispositions to certain diseases, that it's doubtful most people would be willing to share that information with a commercial entity."
Highway 407 in Canada already charges toll-evaders automatically by analysing digital photos of their numberplates and tracing the registered owner's address. Face and iris verification could be performed without your knowledge if you pass a camera. Traditionally users have sacrificed convenience to security, with the most secure passwords and technologies being cumbersome to remember or use. Biometrics can make for a more convenient security mix, but the technology could threaten privacy.
Hospital computers are often located in areas easily accessible to the public and are plastered with post-it notes containing passwords. Last year, US law was passed forcing doctors to change passwords frequently, a change which costs around US$200 a time and which increases the likelihood of passwords being written down. Novoste is using a fingerprint recognition system from Digital Persona to manage doctors' access to patient records online. Digital Persona provides all authentication as an outsourced service, with Novoste just adding a few lines of code to its site to link to the UareU server. The service costs US$50 per fingerprint sensor and up to US$5 per user per month management cost. The company claims false accept rates of less than 1.4% and says the service has already been used to process 500,000 patient records.
In the same way that shops might employ security guards to look out for loiterers with huge pockets, many websites watch for suspicious transactions. Ori Eisen is the VP of Business Development at Crediview, a company that supplies a product called eCredible Guard for this purpose. "We pattern the transaction, and the behaviors it represents," he says. "A business computer that is ordered at 2am and shipped to a residential address some 3,000 miles away is one behavior that raises our software's eyebrow, for example." The software singles out suspect transactions for review, giving managers the chance to kill a transaction or call a customer to verify its legitimacy. Eisen claims that the product detects over 90% of frauds with less than 5% false authorisations. Managers can set a threshold for how risk averse they want to be, considering the potential inconvenience and insult of declining a genuine transaction.
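Eisen's example, a business computer ordered at 2am and shipped to a home 3,000 miles from the billing address, is a rule firing on a combination of behaviours. The following is an added illustration of that style of screening with a manager-set review threshold; it is not Crediview's product, rules or weights, and the transaction fields, rules, weights and sample orders are all assumptions constructed to reproduce the article's example.

```python
"""Rule-based screening of card-not-present orders: score each transaction
against behaviours that look unlike a normal purchase and hold anything over
a review threshold for a human to kill or confirm with the customer.

Added example for this article; not Crediview's eCredible Guard. Fields,
rules, weights and the sample orders are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    order_id: str
    amount_usd: float
    hour_local: int                  # 0-23 in the buyer's local time
    category: str                    # e.g. "business_computer", "books"
    ship_to: str                     # "residential" or "business"
    billing_to_shipping_miles: float
    prior_orders: int                # completed orders from this customer


def risk_score(tx):
    """Add a weight for every suspicious behaviour present. Reasons are
    returned alongside the total so the reviewer can see why it was held."""
    reasons = []
    if tx.category == "business_computer" and tx.ship_to == "residential":
        reasons.append(("business goods to a home address", 30))
    if tx.hour_local < 5:
        reasons.append(("ordered in the small hours", 15))
    if tx.billing_to_shipping_miles > 1000:
        reasons.append(("shipping far from the billing address", 25))
    if tx.amount_usd > 2000:
        reasons.append(("high value", 20))
    if tx.prior_orders == 0:
        reasons.append(("first order from this customer", 10))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def screen(transactions, review_threshold):
    """Split orders into (approved, held). Each entry is
    (order_id, score, reasons). Lowering the threshold catches more fraud
    and declines more genuine customers; raising it does the opposite."""
    approved, held = [], []
    for tx in transactions:
        total, reasons = risk_score(tx)
        bucket = held if total >= review_threshold else approved
        bucket.append((tx.order_id, total, reasons))
    return approved, held


# Constructed orders. A1 is the article's example; the others vary one or
# two behaviours so the threshold's effect is visible.
SAMPLE_ORDERS = [
    Transaction("A1", 2400.0, 2, "business_computer", "residential", 3000, 0),
    Transaction("A2", 2400.0, 14, "business_computer", "business", 12, 7),
    Transaction("A3", 35.0, 23, "books", "residential", 2500, 3),
    Transaction("A4", 1800.0, 1, "business_computer", "residential", 40, 0),
]


def held_ids(transactions, review_threshold):
    """Order IDs that would be held at a given threshold."""
    return [oid for oid, _, _ in screen(transactions, review_threshold)[1]]


if __name__ == "__main__":
    for threshold in (25, 50, 100):
        print(f"threshold {threshold}: held {held_ids(SAMPLE_ORDERS, threshold)}")
```

Note that no single rule decides an order: A2 is the same expensive machine bought in office hours and shipped to an office, and scores only for value. The threshold is the "risk averse" dial Eisen mentions, and as with the biometric error rates earlier in the article it trades fraud caught against genuine customers insulted.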
Other technologies look at databases of transactions that were later charged back, or check that the address the buyer enters matches the one registered to the card, but these won't pick up on first-time fraudsters nor on criminals who know the cardholder's real address.
Although these technologies can't uniquely identify shoppers, their advantages over biometrics are that they are invisible to users and don't require their knowledge or assistance.
The measure of a man (or woman)
This isn't Mission Impossible: most biometric technologies are available now for securing websites or company networks. Some are more intuitive than others.
Siemens launched the 'ID Mouse', a mouse with an integrated fingerprint reader, at November's Comdex show. Although fingerprint reading needs dedicated equipment, the concept is well understood, which enhances confidence in the security systems. Fingerprints can suffer from a stigma related to their use in crime fighting.
LCI Smartpen will let you sign your name on paper, and measure the result biometrically while you do it. It tracks features like the pressure on the paper and the angle of the pen to tell fakes from genuine signatures. A wet ink, digital and biometric signature can be produced at the same time. The digital signatures can seal contracts under US law and EU directives.
Livegrip is developing a mouse that will use infrared light to scan the structure inside the hand: blood vessels, veins, fatty tissue, tendons and any deep scars. The company claims it's more trustworthy than fingerprints, because fingerprints leave a latent print behind on everything touched.
"The iris is formed between the 8th and 12th month of life and then it doesn't change until a few minutes after you die," says Dalton Luz, CEO of Politec, a company that integrates Iridian's iris recognition technology with clients' computer networks. Not to be confused with retina scans, iris scans can work at a distance of 20 inches and are less intrusive than a camera flash. Suitable cameras launched at Comdex in November 2000 for US$200, a sharp fall from the average price of US$12,000 three years ago. Standard webcams aren't good enough, but dual-purpose video conferencing and iris-scanning cameras are now emerging. "Now when you go to an ATM you have to have a card which carries the account information and you then enter a PIN. With iris scanning, you could just walk up to the ATM and say 'Who am I?'," says Luz. Nationwide Building Society tested similar technology in 1998 with 1000 customers in Swindon and found that 91% preferred it to PINs. Further implementation has been limited by the cost of hardware.
A Belgian online learning website called Case Interactive is using Visionics' face recognition technology to authenticate students. "The main benefit of face recognition is that it allows continuous monitoring, not provided by any other biometric," says Visionics director of corporate communications Frances Zelazny. "Once the authorised face leaves, the machine can shut down. It can also provide an audit trail that can be verified." The technology analyses the spacing between facial features, which is fixed by bone structure. Visionics claims it's unaffected by facial expressions, aging or facial hair. Sony's latest CMR-PC1 USB webcam features face and speaker recognition technology from Keyware to secure a screensaver. The screensaver won't go away until the authorised user is sitting in front of the machine and speaks the password.
"A good voice verification system will be working on the anatomical characteristics of speech and should not be unduly influenced by minor colds," says Julian Ashbourn, author of the book 'Biometrics - Advanced Identity Verification'. "If you are seriously ill, you probably wouldn't be thinking about using such a service anyway." Microphones are already widely available on PCs, but the technology can present problems in noisy environments. To try the technology, visit www.veritelcorp.com, where Veritel is posting a live version of its VoiceCheck Web.
BioPassword, made by Net Nanny Software, which owns the patent, monitors the way in which the password and user ID are typed. Frost & Sullivan industry analyst Jason Wright believes that the technology's success depends on Net Nanny's ability to forge industry alliances to exploit the technology.
Still confined to high security installations and sci-fi fairytales, retina scanners work by shining bright light into the eye to analyse the structure of the retina. Retina scans are uncomfortable and require dedicated equipment, so it's unlikely they will become regular office features.