Waters Financial Technology
Biometrics: Any Signs of Life?
December 1, 2004
By Michele Rosen
Like artificial intelligence,
flying cars, and virtual reality, biometrics is more sci-fi
than IT. Vendors are adding biometrics to their products,
but Wall Street remains wary.
By 2054, biometrics will be everywhere. At least that was
the conclusion of the futurists who designed the technology
on display in Minority Report, the 2002 blockbuster starring
Tom Cruise. Throughout the film, the ubiquitous
EYEdentiscanner identifies characters for everything from
entering top-secret rooms and viewing advertisements to
investigating a murder.
Whether the predictions of the film's team of futurists and
production designers come true in 50 years remains to be
seen. But one thing is certain—despite increasing interest
in biometrics, especially after the terrorist attacks of
Sept. 11, 2001, the technology has yet to live up to its
promise. And Wall Street is stubbornly resistant to
implementing it on the trading floor or in the back office
where it could do the most good.
"Someone always asks the question, 'Will this work with a
dead finger?'" says Clain Anderson, program director,
security and wireless for IBM. In October, IBM announced a
new laptop in its vaunted ThinkPad line—the T42—which
features an optional biometric fingerprint reader. While IBM
says the new laptop has been "positively received" in the
capital markets, Anderson's comment illustrates the variety
of concerns surrounding biometrics.
Biometrics systems are used to identify people using
physical or behavioral characteristics. Besides fingerprints
and voice patterns, there are a surprising number of such
identifying characteristics: your iris, retina, face, teeth,
hand, skin, veins, odor, and of course DNA, can all be used
to identify you or at least to verify that you are the same
person whose characteristics are stored in the biometrics
system. Technology is also available to capture unique
behavioral characteristics such as the way you sign your
name, type, or walk.
As usual, the financial services industry is at the
forefront of the private sector in the use of biometrics,
according to David Fisch, a consultant for the International
Biometric Group, a biometric consulting group. However, many
of the current deployments relate to building access for
employees or to consumer applications. For now, the use of
biometrics on the trading room floor remains "very
promising" but is far from widespread, he says.
Fisch's assertion is substantiated by the wait-and-see
approach trading room technology vendors are taking to
biometrics. "We have seen an awful lot of activity in this
space, and we continue to monitor it," says Neil Gray, vice
president of product development at turret vendor IPC. "But
it's not going to appear on the next release or the release
after." Gray identifies a number of obstacles to widespread
deployment, including cost, a lack of standards, and user
resistance because of inconvenience and privacy concerns.
But most important, he's not convinced of the reliability of
biometric systems. "The security isn't as tight as anyone
needs it to be," he says.
One of the major reasons biometrics hasn't been widely
implemented on the trading room floor, Fisch says, is that
the type of biometrics best suited for that
environment—voice recognition—"hasn't come along as far as
some of the other technologies." Voice verification systems
face many more obstacles than other types of biometrics,
including microphone quality, background noise, and the
tremendous variability of the human voice, according to
Biometrics: Who's Watching You?, a report published by the
Electronic Frontier Foundation (EFF), a digital rights
advocacy organization. Voice recognition systems can also be
susceptible to "replay" attacks, when a recording is used to
gain access to a user's account.
But Fisch argues that no other form of biometrics will do
for the trading room floor. "Anything else would slow them
down because of the intense pace on the floor," he says.
However, he believes the problems with voice recognition
could be solved within five years.
In the meantime, many traders might get their first taste of
biometrics in the near future, courtesy of Bloomberg, which
has added a fingerprint reader to its new line of terminal
keyboards. Currently, the fingerprint reader is being used
in addition to a password, instead of replacing it. Layering
different types of security measures like this is called
"two-factor authentication," and it's what Bloomberg's
clients are asking for, according to Justine Bone, who is
responsible for security at the information services firm.
Most of Bloomberg's users ask for strong authentication, she
says. "Our definition of strong authentication is two-factor
authentication," she says. As such, it's not surprising that
Bloomberg "strongly recommends" that its clients use the
fingerprint reader. While use of the device isn't mandatory,
"you'll find very quickly that 99 percent of our clients are
employing two-factor authentication," Bone says.
It remains to be seen whether Bloomberg's clients agree that
the increased security provided by the fingerprint reader
outweighs the inconvenience and privacy concerns inherent in
all biometrics systems. For Fisch, the need for two-factor
authentication ultimately means that biometrics isn't ready
for primetime. "When biometrics explode, it's going to be a
replacement for passwords," he says.
The Techno Hurdles
Before biometrics kill off the passwords comprising your
mother's maiden name or your dog's birthday, biometrics
vendors will have to overcome a number of obstacles that
stubbornly refuse to be solved. Let's take a look:
Accuracy. There are three commonly used measures for
biometric system accuracy: the false reject rate, the false
accept rate, and the equal error rate, which represents an
equal number of false rejects and false acceptances.
Vendors insist that their biometric products are extremely
accurate. A Japanese researcher, however, was able to fool a
fingerprint scanner 80 percent of the time using a fake
finger made of gelatin.
Test results can vary dramatically depending on the
conditions. But in a 2003 study, the National Institute of
Standards and Technology (NIST) found that fingerprint
technology can be extremely accurate. The best system the
NIST tested achieved a 99.9 percent true accept rate when
the system was set to allow a false accept rate of 1
percent. On the other hand, the best facial recognition
system could only achieve a 90.3 percent true accept rate
under similar circumstances. Of course, not all vendors'
products will be this accurate.
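The accuracy measures above, and a NIST-style "true accept rate at a fixed false accept rate" figure, can be computed from match scores as shown here. This is an added example, not part of the original article; the scores, the 0-100 scale and every function name are constructed for illustration.

```python
# Added example with constructed data: 100 same-person ("genuine") and
# 100 different-person ("impostor") comparison scores on a 0-100 scale.
# A comparison is accepted when its score is >= the decision threshold.
GENUINE = [45] * 2 + [58] * 3 + [70] * 20 + [85] * 45 + [95] * 30
IMPOSTOR = [20] * 40 + [35] * 35 + [50] * 20 + [62] * 4 + [75] * 1


def false_accept_rate(threshold, impostor=IMPOSTOR):
    """Share of impostor comparisons wrongly accepted at this threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_reject_rate(threshold, genuine=GENUINE):
    """Share of genuine comparisons wrongly rejected at this threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def thresholds(genuine=GENUINE, impostor=IMPOSTOR):
    """Every distinct score, plus one value above the maximum (accept nothing)."""
    scores = set(genuine) | set(impostor)
    return sorted(scores) + [max(scores) + 1]


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest, with both rates there."""
    t = min(thresholds(genuine, impostor),
            key=lambda x: abs(false_accept_rate(x, impostor)
                              - false_reject_rate(x, genuine)))
    return t, false_accept_rate(t, impostor), false_reject_rate(t, genuine)


def true_accept_rate_at(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Loosest threshold whose FAR stays within max_far, and the TAR it gives."""
    for t in thresholds(genuine, impostor):
        if false_accept_rate(t, impostor) <= max_far:
            return t, 1 - false_reject_rate(t, genuine)


if __name__ == "__main__":
    print("EER (threshold, FAR, FRR):", equal_error_rate())
    print("TAR at FAR <= 1%:", true_accept_rate_at(0.01))
    print("TAR at FAR = 0:", true_accept_rate_at(0.0))
```

Tightening the allowed false accept rate from 1 percent to zero raises the threshold and costs genuine users: on this constructed data the true accept rate falls from 95 percent to 75 percent.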
Reliability. Biometrics add complexity to an already complex
user environment. Inevitably, biometrics scanners will break
down, potentially cutting users off from critical systems,
such as an eager trader from her order management system. To
address this issue, Bloomberg provides a 24-hour tech
support hotline for its new line of keyboards.
User Acceptance. Users—especially traders—are always
resistant to change. In the case of biometrics, that
resistance seems justified, given the stakes. If you lose a
credit card, you cancel it and get another number. If you
lose your keys, you change the locks. But what happens if
someone gets access to your fingerprint?
Standards. Several groups are working on biometrics
standards for the financial services industry, but many of
these standards relate to consumer banking rather than
securities firms. One relevant project, however, is underway
at the InterNational Committee for Information Technology
Standards, which formed its biometrics technical committee,
known as M1, in 2001. M1 is working on several new
standards, including M1.3, which addresses biometric data
interchange formats. It will be some time before all of the
details are nailed down, however.
Cost. Because IT budgets are still rather tight, biometrics
will have to become a replacement for, not an addition to,
existing security systems, according to Fisch.
Given all of these obstacles, it seems as if it just might
take until 2054 for biometrics to become as pervasive on
Wall Street as they were in Minority Report. On the other
hand, it's possible that Bloomberg's and IBM's biometrics
initiatives indicate that the industry is reaching an
inflection point after which biometrics technology will
spread rapidly. "We really felt that so many different
factors converged with the ThinkPad T42," IBM's Anderson
says. "If you have easy answers for all the problems people
come up with, then people are receptive."