Thumbs-Up for Biometric I.D.'s?

Network security systems that use fingerprints and faces could soon catch on in the corporate world. Experts, though, are still wary

By Alex Salkever

So it has come to this: O'Rourke Group, an English construction company that employs 2,500, unveiled a new system on Mar. 23 that verifies whether employees are on the job -- by using cameras that digitally recognize their faces. This facial-recognition system can even spot key staffers who might be at one of several job sites. And a large Canadian telecommunications company is expected to roll out a computer network in the next few weeks that will substitute employee fingerprints for passwords to gain access to the company's network.

Sound futuristic? Not anymore. These two businesses are among the first sizable companies to deploy so-called biometric technologies throughout their operations. There will probably be more very soon. On the upside, these systems mean an end to cumbersome password systems. By some estimates, corporate IT departments spend more than 30% of their time reissuing passwords. If your face or your finger is your password, you'll probably never lose it. It's hard to falsify your thumbprint or the texture and color of the iris of your eye. And biometric I.D. systems have fallen dramatically in price, making it economical for big companies to climb aboard.

But some security experts remain wary of biometrics. They point out that this group of technologies relies on databases of digital representations of fingerprints, voices, and hands. And should these representations get stolen electronically, then someone's identity could be permanently compromised -- after all, it's hard to change your fingerprint. Furthermore, many fear that biometrics remains an imperfect screening mechanism. "The biggest problem with biometrics is that no matter what [body trait] you pick, there's always about 1% of the population that doesn't have a usable biometric. Some people don't have fingers -- you can't use a fingerprint system with them. Some people have fingers, but it's very hard for a fingerprint reader to pick up a usable fingerprint," explains Jon Callas, head of engineering at managed security services company Counterpane.


  The growth of biometrics into the digital realm should come as no surprise. Truth is, animals -- and humans -- have relied on biometrics for millions of years. People recognize each other by their faces and their voices, among other biological cues. And when writing became an accepted system of communication, a person's distinctive signature was added to the list of acceptable biometrics.

As more and more human functions enter the digital realm (speech-recognition software, for example), it seems only natural that systems that recognize digital representations of human identity traits -- faces, voices, fingerprints, and body types -- should be used to create secure interfaces between humans and computers. It would mean less reliance on traditional authentication methods -- such as personal identification numbers (PINs), which often require memorization of multiple, frequently changing, passwords.

Biometric systems are becoming attractive from a cost perspective, too. For example, fingerprint scanners, one of the easiest systems to implement, have dropped in price from more than $1,000 five years ago to less than $300 now. One result: Biometric systems are now being examined as an economical means for hospitals to better secure their digital records. "We are beyond the pilot stage in many markets. This has given [companies] a clearer value proposition, as the risk has been minimized," says Joseph Atick, CEO of biometric company Visionics.

But are biometrics completely secure? That remains an open question. The biggest fear, according to Callas, is "replay." He points to a recent James Bond movie, where the spy's high-tech cell phone scans a fingerprint from a glass and then projects it onto a fingerprint scanner. It's not all that hard to do, says Callas. "Suppose I manage to get you to use a fingerprint scanner of mine, and then I send the scan over the Internet to your bank. I might be able to authorize a transaction that would be hard for you to deny," he points out.


  Another criticism Callas has of some biometric systems is that they could replace multiple password systems with reliance on a single biometric measurement. That means all the barriers put in place to keep malicious hackers at bay in a company network could be lifted in a single stroke if a biometric password is hacked. For that reason, Callas thinks biometrics are best reserved for "closed systems" that have no connection to the Internet.

Serious security purists would probably agree. But more and more companies seem to want the simplicity of biometrics. Fortunately, there are ways to make the systems harder to hack. Anil Jain, a biometrics expert at Michigan State University, recommends that companies avoid as much as possible sending biometric data even over their internal networks. And in any electronic form, Jain recommends the biometric be strongly encrypted. But to really increase the safety of using these systems, Jain says companies should use multibiometric measurements -- that is, face and fingerprint, or two different fingers.

Nonintrusive facial recognition might also have the benefit of continuously verifying someone's identify. That could head off situations where, say, one person logs in to the network and another performs the attack. As for the threat of replay, many biometric technologies require not only an image of a fingerprint or a face but also infrared measurements of these markers to ensure that no one is wearing a mask or a fake fingerprint. The last resort to shore up security, says Atick, should be a human. "We should always have a human in the loop to allow someone to prove their identity," he says.

Biometric measures could be a boon to many companies looking to improve network security. Truth is, employees tend to stick with familiar passwords that are often easy to steal. And IT departments often don't enforce the rigorous use of longer PINs and the monthly changes that security gurus prescribe. For that reason, biometrics deserves a hard but cautious look. A perfect solution? That isn't yet proven. But with a few nips and tucks, they might end up being a major improvement over what we have.

Salkever covers security issues for BusinessWeek Online in New York

Edited by Douglas Harbrecht

Before it's here, it's on the Bloomberg Terminal.