A Growing Body of Biometric Tech
James Bond never has to remember his password. Instead, he presses the palm of his bronzed hand against a special reader. Like magic, the door opens -- and a sexy female voice welcomes him: "Hello, Commander Bond."
In the wake of September 11, buyers and providers of security seized on biometrics, as the Bond-like technology is called, as a defensive weapon in the battle against terrorism. The conversion hasn't gone entirely smoothly: The current generation of biometrics is by no means foolproof. And privacy advocates rail against the threat to individuals of having everyone's finger-, face-, and voice-prints on record.
Such drawbacks notwithstanding, momentum is building toward security systems based on biometrics. Facial-recognition cameras at the local mall may be a long way off, but experts say fingerprint scans and voice-recognition systems could be commonplace by the end of 2003. Already, 42 airports are using electronic fingerprint-scanning technology from Minnetonka (Minn.)-based Identix to do background checks on airport workers and to create badges that, when read by an electronic device, allow access to restricted areas.
FIT TO PRINT.
For the near future, fingerprints will remain the biometric of choice, for a simple reason: That practice is time-honored, well understood by experts and familiar to citizens and consumers. The only difference with electronic prints is that you place your hand on a scanner, instead of dipping your fingers in ink.
Iris scans, where a camera examines an individual's retina for identifying characteristics, are considered as reliable if not more so. But the technology, which requires people to stare into a tiny camera, tends to spook those being probed. And there's no storehouse of iris prints such as there is for fingerprints -- the FBI alone already has about 70 million on record.
At the Defense Dept., September 11 mainly added momentum to a plan initiated several years ago to distribute smart ID cards with digitized fingerprints to 3.5 million government workers and military personnel. The cards, which will be used for physical identification and for granting access to buildings and computer networks, are slated to be ready by October, 2003.
The terrorist attacks have moved biometrics onto the front burner at other government agencies as well. The Aviation Security Act, passed last October, mandates the use of fingerprint biometrics for airport-employee background checks. The newly formed Transportation Security Agency, meanwhile, is soliciting proposals for a Transportation Workers Identification Card, which would be issued to 11 million workers from truckers to airport baggage handlers.
And the Enhanced Border Security Act, signed into law by President Bush on May 14, requires that all passports and visas be upgraded to include biometrics by April, 2003 -- and that biometric readers be installed at every land, sea, and air border crossing. The price tag for that initiative alone will be $3.2 billion over three years.
For the moment, the U.S. government is clearly the motivating force for such changes -- which makes sense. Washington has the power to mandate new technologies for widespread use. And as citizens become more accustomed to biometrics at airports, border crossings, and perhaps even on their driver's licenses, corporations will start to implement biometric security for employees and customers.
Test projects are already in the works. MasterCard has been testing fingerprint scans for building access since 1995. Originally, the system tried to identify individuals by searching its database of fingerprints for a match. But as the database grew larger -- it now holds 38,000 fingerprint records of employees and visitors -- the system increasingly misidentified people. False rejections, where an approved person was refused entry, rose to 0.25%.
To fix the problem, MasterCard has required that people sign in with their name or an ID number, then have a finger scanned to verify their identity. The new system only confirms the identity of people, rather than establishing it. With this approach, the false-rejection rate quickly dropped, to 0.038%.
Joel Lisker, senior vice-president for security and risk management at MasterCard, believes that most future biometrics will similarly be used only for authentication. "For several hundred thousand or a million users, there are too many similarities, and the throughput will be too slow. It's much more effective to use biometrics to match a person to their identity," he says.
FOOLED BY A HAT.
That's the same way the top brass are thinking at Fidelity Investments, which has 17 million customers. Among other projects, Fidelity is pilot-testing a voice-recognition system to authenticate customers more securely over the phone. By yearend, says senior systems analyst Sheldon Watson, Fidelity hopes to dispense with the routine of a live operator asking for your mother's maiden name to verify your identity. Instead, a customer will register by speaking his or her name and a series of numbers into the phone. To change an address or PIN number, people will go through the same steps.
Of course, it's way too early to count out more sophisticated technologies, such as facial recognition, says Paul Collier, executive director of Biometric Foundation, a Washington (D.C.) research and advocacy group. "I see the issues [where facial-recognition cameras are fooled by lighting, hats, or sunglasses] being worked out over the next several months, because there's money behind the effort. The real problem now is simply the camera technology. You can't expect regular closed-circuit TV cameras to do a good match against pristine mug shots in a database."
Indeed facial-recognition technology makers are currently experimenting with higher-quality cameras like those used at casinos to spot crooks and cheaters. Says Joseph Atick, CEO of Identix, which also makes facial-recognition software: "The value proposition [of facial recognition] is stronger than it is for other biometrics. It does something no other biometric can: Be on constant look out for terrorists."
Like any security tool, biometrics is just one weapon in the anti-terrorism arsenal. Yet within a few years, it seems bound to become pervasive. "Biometrics will lose its James Bond aura," says Michael Tieme, director of special projects at the International Biometrics Group, a New York research firm. "And that will be good for the industry." It also may mean that most people will no longer have to remember their mother's maiden name.
By Jane Black in New York