MIcrosoft Executive Circle

Indelible signatures

By Steve Ulfelder
Summer, 2002, Vol. 2, No.2

Biometric technologies are poised to improve enterprise security, but their true cost and scalability are question marks.

Passwords are expensive. More precisely, forgotten passwords are expensive. Some experts say that every time a PC user forgets his login and calls the help desk for assistance, it costs the corporation $50 to $60.

With businesses striving to trim away such deadwood expenditures, biometric verification technologies—such as fingerprint readers and retinal scanners that may supplement or replace computer passwords—have been slowly gaining favor. While the Sept. 11 terrorist attacks clearly added urgency to all security matters, analysts say enterprise interest in biometrics is also driven by the need to control costs, protect corporate data and improve customer service.

Though much has been written about biometrics, enterprise implementations are rare. However, experts say this will change, as plummeting price points, improved scalability and rising convenience propel these systems into the mainstream.

In business, "biometrics" generally refers to technologies that measure and analyze such human characteristics as fingerprints, eyes, vocal and facial patterns, and hand measurements. Biometric systems usually include a reader or scanning device, software that converts the scanned information into digital form and a database that stores the biometric data for comparison with previous records.

The need to store biometric data often raises concerns about information privacy; after all, the thought of employee fingerprints or voice patterns being exposed to the world is every enterprise's public-relations nightmare. However, many vendors are addressing privacy concerns by encrypting biometric data when it's gathered, then discarding the original data. In other systems, only an algorithmically derived number that represents the biometric data is stored on the client, so there is no single database that holds all bio IDs.

Bio drivers

While privacy is indeed an issue, the desire for improved security is nonetheless fueling the momentum behind biometrics.

"Reliable biometric systems are tightly bound to the individual and cannot be easily used by an impostor," says Stan Li, a researcher in the Media Computing Group at Microsoft Research in Beijing. "While traditional passwords, security-access cards or signatures could be used by someone who found a key card in a desk or a password in an envelope, biometrics ensures that the user is actually the authorized person."

But other businesses implement biometric devices for a critical reason that's easy to overlook: speedy customer service. In many enterprises, customer-facing employees need to access a dozen or more databases, each with its own access system and password. This can lead to customers fuming on the phone while reps frantically seek out passwords.

California Commerce Bank, the U.S. arm of Banco Nacional de Mexico, recently installed a fingerprint recognition system from Redwood City, Calif.-based DigitalPersona Inc. for 200 of its employees. Salvador Villar, president of California Commerce Bank, says convenience was a major factor.

Previously, bank employees needed to memorize "multiple passwords for multiple databases," Villar says. Using DigitalPersona's U.are.U fingerprint reader with a single sign-on, he says, employees have "faster access to customer information without compromising the integrity of that information."

Fingerprints first

In addition to fingerprint readers, there are other promising biometric systems. Iris scanning and facial recognition top the list, and analysts point out that user acceptance is a key factor. While many people associate fingerprinting with criminals, and thus balk at fingerprint readers, facial recognition is relatively nonintrusive and could more easily find acceptance. Microsoft Research's Li says his group, which is working on a facial-recognition system called EyeCU, has made great strides in developing the algorithms needed for accuracy and reliability.

EyeCU's potential notwithstanding, fingerprint recognition is leading the way in enterprise biometric use; it's available now at a price point and reliability level that makes it practical for business, according to Chris Christiansen, a security analyst at Framingham, Mass.-based International Data Corp. (IDC).

To take just one example, AuthenTec Inc. in Melbourne, Fla., recently unveiled EntrePad AES3500, a fingerprint sensor for use with laptops, cell phones and PDAs. The device is only 6.5 mm square and costs less than $10 in large orders. Anil Jain, a biometrics researcher at Michigan State University in East Lansing, says the cost of such sensors "will drop to about a dollar in three or four years."

Small wonder, then, that of the $729 million expected to be spent on biometrics this year, fingerprint readers will account for half, according to the International Biometric Group, an industry association.

While the price of fingerprint-reading sensors is falling fast, it's difficult to pinpoint the overall cost—and therefore cost-effectiveness—of an enterprise-grade biometric security system, according to IDC's Christiansen. "The cost is all over the place," he says. "And the cost of back-end systems goes up dramatically as volume [of identities checked] goes up."

Nevertheless, IDC foresees the biometrics market growing at 50% per year for the next five years, spurred by the need for a faster, more secure, more convenient way to access both data and physical space.