Federal Computer Week

Biometrics: More than a helping hand

Written by Michelle Speir
Testing by Lisa L. McNair and Michelle Speir
06/05/2000

Personal computers generally have been a boon to agency and departmental staff, but they can be a nightmare for those responsible for security. With users accessing networks remotely, transmitting data via the Internet and carrying around laptops containing sensitive data, ensuring security is an increasingly complex challenge. At least one thing is clear: Passwords are not enough.

An increasing number of agencies and departments are turning to biometrics to achieve a higher level of security. Biometric devices measure a person's physical or behavioral characteristics, such as iris patterns, hand measurements, voice patterns and fingerprints, to ensure that the person accessing a device or location is who he or she claims to be. Biometric traits, unlike passwords and personal identification numbers (PINs), cannot be lost, stolen or easily duplicated.

Security concerns, of course, apply not only to computers and networks but also to physical access to facilities. And biometrics can be used to authenticate people for both applications.

The government is taking notice. In fact, the National Security Policy Board, through the Facilities Protection Committee, has chartered a Biometric Consortium to help develop, test and evaluate biometric devices on behalf of the Defense Department.

To get an idea of how well current leading biometric technologies work, we reviewed a sampling of five types of biometric authentication methods: hand geometry, fingerprint recognition, iris recognition, voice verification and face verification. Several factors play a part in deciding what kind of biometric security to implement. One factor is infrastructure: How easily can biometric authentication integrate with the existing network? Does the existing network use technology that supports certain types of biometric authentication methods?

For example, if all PCs on a network have cameras attached to them, the infrastructure for face recognition is already in place. Similarly, PCs with microphones are easily outfitted for voice-recognition technology. If your department's computers have no cameras or microphones, you may be more inclined to use stand-alone fingerprint scanners. Buyers should also consider future security needs and whether the system they are considering can meet those needs.

Next, environmental factors are important to weigh. Dim lighting can impair face recognition, a noisy background can hamper voice recognition, and a scratched or dry finger can affect fingerprint recognition.

Human factors may play a role as well. Some people are nervous about using their fingerprints and prefer a method such as hand geometry, which measures the shape and outline of the hand. Other methods are perceived to be extremely intrusive, such as retinal scanning.

To increase security and help compensate for environmental factors, several vendors advocate "layered" bio- metrics, which is the use of more than one biometric technique or device to verify a person. For example, a user might need to provide a faceprint and voice verification to gain access to a system. Passwords, smart cards, digital certificates and PINs can also be combined with biometric authentication for a layered security solution.

Keyware Technologies Inc., a provider of biometric identification solutions, is one company that offers layered biometrics. Keyware's LBV Framework (for layered biometric verification) is an open architecture solution for biometric verification that includes a middleware application, biometric engine plug-ins for use with different kinds of biometric technologies, development tools and application toolkits. Keyware provides data, network, telephony and physical access security for several markets, including the federal government.

Another vendor answering the call for layered biometrics is BioNetrix Systems Corp. The company offers management software called the BioNetrix Authentication Suite. The suite enables administrators to manage all authentication systems on a network — whether they are biometric or nonbiometric, such as passwords — from one console.

The Lineup

For this review, we reviewed a hand reader from Recognition Systems Inc., currently the only manufacturer of hand geometry products. We chose fingerprint-scanning technology from SecuGen Corp. because it offers products we hadn't seen before: a keyboard and mouse with embedded fingerprint scanners. Only one company holds the worldwide patent for iris recognition technology, IriScan Inc. IriScan licenses its technology to Sensar Inc., which develops and markets iris recognition systems. We reviewed one of these systems, Sensar's SecureCam.

We looked at voice verification from Veritel Corp. and face verification from Visionics Corp. Each is a leading vendor in its field. Both companies license their technology to partners and integrators, so we reviewed them within the BioNetrix Authentication Suite. Visionics does not sell its product directly to end users; rather, it licenses its technology to other companies that develop and sell products to end users. Veritel does make a product called Voicecrypt, which we ordered from the company but never received.

The industry consensus is that iris scanning is the most accurate and secure biometric. After DNA, irises are the most individualized feature of the human body. Even identical twins have different irises. Furthermore, every person's two irises differ from each other. Irises also have many more minutiae points (IriScan systems measure 266) than fingerprints, so more encrypted templates can be created from them. Finally, irises are less susceptible to wear and injury than many other parts of the body.

Second to iris scanning in accuracy is fingerprint scanning. Fingerprints contain approximately 35 to 46 minutiae points and are a stable, reliable biometric. However, injury, dry skin and dirt can affect performance.

There is not yet enough reliable data to provide accuracy rates of one-to-many identification with facial scans, but according to the International Biometric Group (IBG), a New York-based integration and consulting firm, anecdotal evidence suggests that facial scan technology is capable of very accurate performance. According to IBG, voice verification is considered to be the least accurate of the five technologies we reviewed. However, in choosing a biometric technology, more than security needs to be considered. The ideal biometric will vary for different applications. Security needs to be balanced against environment, cost, the effort required to use the biometric solution and the perceived intrusiveness of the device.

For example, voice verification might be a poor choice for someone who travels often and must authenticate in airports and other noisy environments, but it might work well for a user who wears gloves at work and cannot conveniently use a fingerprint-recognition system. As noted above, facial scanning would not be a good choice for environments with dim lighting, and iris scanning might be overkill for applications requiring only low levels of security.
Bear in mind that we are rating the technologies and not the products. The products have been chosen as being representative of each technology.