PC Magazine

Analysis
 
By Sally Wiener Grotta
May 21, 2001  

In the 1968 sci-fi movie classic 2001: A Space Odyssey, the spaceship's omniscient, all-powerful computer, HAL-9000, uses cameras and artificial intelligence to identify Dave, the ship's commander, and determine what access rights he has on the ship. Well, it's now 2001, and we don't have commercial shuttles to settlements on the moon or manned exploration of the solar system. But we do have computers that recognize people based on physical characteristics and either grant or deny access accordingly.

Slowly but steadily, more and more standalone PCs, laptops, and all types of network components are being equipped with biometric devices. These combination hardware-and-software bundles record fingerprints, faces, voices, irises, retinas, signatures, and other physical attributes and serve as gatekeepers to let you in or bar the door, depending on whether there's a match between the attribute and the database. Think of it as a layer of security based on something you can't forget, lose, or leave unattended. 

A World of Uses

The uses for biometric security are varied and growing. The technology is used to verify attendance (a foolproof time clock for manufacturing facilities, for instance) or control physical access. At Walt Disney World, for example, yearly passes are keyed to people's fingerprints to ensure that passes aren't shared. Look for biometrics to figure more prominently in everyday life. To thwart unauthorized online access to bank accounts or stock portfolios, financial institutions are providing fingerprint scanners free to clients to better verify their clients' identities for Internet stock and banking transactions. Beginning in 2002, some companies will begin issuing smart credit cards, with customers' fingerprint information embedded. Beyond that, ATMs and other kiosks will have face or voice scanners. Once the technology proves itself, we'll see biometrics on PDAs, cell phones, and other wireless devices. 

But perhaps the biggest growth area for biometrics is in replacing or complementing password security for corporate networks. Why? "It's fairly easy to break or guess passwords, because there are only about 80,000 common English words used by most people," explains Bill Bozman of Secure Computing, a San Jose, California-based firm specializing in security systems for e-business. 

Most passwords have personal meaning (a pet's name, a favorite food, a child's nickname) which makes them easier to remember--and also easier to guess by others. If they aren't easy to remember, people write them down and keep the paper somewhere near their computer--pretty much defeating the purpose. 

Passwords are also high-maintenance, since they should be changed periodically to conform to proper security procedures. What's more, the inconvenience of network passwords actually costs large businesses money. A Forrester Research survey found that if corporations change to a system that does not require passwords, they would save up to $200 in personnel costs. 

Smart cards--credit card-size ID tags that grant access to the network--are an alternative to passwords, but they also have their drawbacks. Tags can be lost or left at home, in which case your employee is locked out of the network until an IT staff member can gain access. A lost or stolen card is also a network key that could fall into the wrong hands. Biometrics ensures that only authorized employees have access. 

That's the approach of Los Angeles-based California Commerce Bank. CCB recently added DigitalPersona fingerprint scanners to its employees' workstations. "We have an open-space office," says Salvador Villar, CCB's CEO. "When employees step away from their desks, we need to be sure that no one can get to their information." Biometrics is especially useful for fighting computer crime, which any large corporation can expect to experience at least once every few years. A 1999 American Society of Industrial Security survey found that Fortune 1000 companies sustained losses of more than $45 billion from thefts of their proprietary information. And now the Internet has opened the floodgates to hacker susceptibility. 

By the end of 2005, there will be one or more biometric technologies shipped as part of every new PC system, according to a study by the International Biometric Group (IBG), a biometrics test lab and consulting group based in New York City. Acer is already selling a notebook PC with a fingerprint reader built in, and all the major PC providers offer biometric devices as options for their corporate PC lines. 

In this review

For this story, we gathered 11 biometric packages designed to grant or deny access to workstations and LANs. Since fingerprint scanning is by far the most popular method for this--it's unobtrusive, reliable, and relatively affordable (starting at $129 per user for the required software and hardware)--we concentrated on those models from the leading providers. We cover the other biometric technologies for the PC (facial recognition, voice recognition, and iris scanning) in sidebars to the main story. 

Though individual systems vary, most biometric devices work pretty much the same way. The biometric information is collected either via a scanner (for fingerprints), a camera (face, iris, or retina), a microphone (voice), or other input device. Software then converts this information into a mathematical template (not an actual image or recording) and encrypts it. This information is then compared with information on a database of registered individuals, in a one-to-one or one-to-many search. A one-to-one search, authentication, requires an additional identifier, such as a user ID or smart card, and verifies that you are the person you claim to be. A one-to-many search, identification, compares the print to a database of all registered users, without requiring an ID.

In our testing of the fingerprint readers, we set out to see first how easy it was to enroll new users and subsequently how reliably those registered users were able to log on to the PC. We also tested whether an unregistered user would be granted access to the system. Significantly, none of the packages allowed an unregistered user to get onto our test network. 

But we did find variations in how easy it was to enroll users. It sometimes took several tries before an individual's fingerprint was recorded, which could be a problem if you had to enroll hundreds of users. And some of the units proved more finicky in day-to-day use, requiring registered people to try repeatedly before accepting their IDs--a source of frustration when you're trying to log on to the network on a Monday morning. 
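The one-to-one and one-to-many searches described above, and the trade-off between turning away registered users and admitting unregistered ones, can be sketched as follows. This is an added example, not code from the article or from any reviewed product; the four-number templates, the cosine-similarity score, the thresholds and all names are assumptions made for illustration, and template encryption is left out.

```python
import math

# Constructed enrollment database: user ID -> template (feature vector).
# Real products use proprietary, encrypted templates; these values are made up.
ENROLLED = {
    "alice": [0.90, 0.10, 0.40, 0.70],
    "bob":   [0.20, 0.80, 0.60, 0.10],
    "carol": [0.50, 0.50, 0.90, 0.30],
}

def similarity(a, b):
    """Cosine similarity between two templates (1.0 = same direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def verify(claimed_id, probe, threshold=0.98):
    """One-to-one: compare the probe only against the claimed user's template."""
    template = ENROLLED.get(claimed_id)
    return template is not None and similarity(template, probe) >= threshold

def identify(probe, threshold=0.98):
    """One-to-many: search every template; return the best match or None."""
    best_id, best_score = None, threshold
    for user_id, template in ENROLLED.items():
        score = similarity(template, probe)
        if score >= best_score:
            best_id, best_score = user_id, score
    return best_id

# Constructed probes: a clean re-scan of alice, a smudged scan of alice,
# and a scan from someone who never enrolled.
CLEAN_ALICE = [0.88, 0.12, 0.41, 0.69]
SMUDGED_ALICE = [0.70, 0.30, 0.50, 0.50]
STRANGER = [0.10, 0.20, 0.10, 0.90]

if __name__ == "__main__":
    print("clean 1:1      ", verify("alice", CLEAN_ALICE))
    print("smudged strict ", verify("alice", SMUDGED_ALICE))        # false reject
    print("smudged loose  ", verify("alice", SMUDGED_ALICE, 0.95))
    print("stranger strict", identify(STRANGER))
    print("stranger loose ", identify(STRANGER, 0.65))              # false accept
```

A strict threshold rejects the smudged scan from a registered user, while a threshold loose enough to be forgiving eventually matches the unenrolled probe to an enrolled template.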

How secure is secure?

Biometric devices are not bulletproof. "Low-priced biometric systems are still immature," says John Donahue, assistant branch manager at the National Air and Space Administration's Goddard Space Flight Center in Greenbelt, Maryland. "They can be easily spoofed." NASA wants to let personnel work remotely, even on the control of ongoing space missions. So, Donahue feels that they will definitely be adding biometrics to their remote security within the next three to five years--as the technology gets more sophisticated--to keep unauthorized people from accessing mission control. 

Considering this, security experts say that the only way to protect any computer system effectively is with layers of complementary technologies. This includes not only different kinds of biometrics, such as face and fingerprint scanning, but also smart cards, encryption, and, yes, passwords too. 

Though the private sector is experimenting with biometrics, the government has embraced it. An IDC study found that in the 1999 biometric authentication market (which is only a portion of the total), commercial sales were $51.6 million and government sales were $115 million. In 2004, IDC projects that the total market will be worth $1.8 billion. 

Government agencies, such as the Connecticut Department of Social Services, are using fingerprint scanning to counter benefits fraud, such as registering for assistance under two names. Comparing the fingerprint to a database of welfare recipients identifies the two recorded names as qualifying for only one set of benefits. The Immigration and Naturalization Service (INS) has a pilot program in which registered frequent international travelers can scan their hand geometry at kiosks to bypass long lines. The INS also uses biometrics for surveillance to weed out known criminals. 

The flip side of security, of course, is privacy. At the Super Bowl this past January, attendees passed by security cameras as they came through the turnstiles. Using facial-recognition technology implemented by Graphco Technologies, a biometrics firm based in Newtown, Pennsylvania, the images gathered were then compared against a database of known criminals and terrorists. After the word spread about the system, many people wondered about the invasion-of-privacy issue it brings to light.

Graphco's Barry Hodge defends such surveillance as necessary to ensure the public's safety at such high-profile events. "We, as a nation, need a serious discussion about how much personal privacy we are willing to give up for public security and safety," says Hodge. 

Remaining Anonymous

As Internet use increases, security and privacy become intertwined with issues of accessibility and trust. Last year, lawmakers passed the Electronic Signatures bill into law, which made digital contracts legally binding. All this has led to the proliferation of certificate organizations, such as VeriSign, and encryption schemes, such as Public Key Infrastructure (more commonly known as PKI), to increase users' confidence in Internet transactions. Such certificates establish systems and methodologies for identifying the source of online documents and data and confirming that they haven't been tampered with or otherwise changed en route to the recipient. Biometrics provides the last necessary ingredient for doing business electronically--assurance that the other person is who he or she claims to be. One thing is certain: Remaining anonymous with so much biometric technology on the way will become increasingly difficult. But then again, you should have fewer identity crises.

Copyright © 2003 International Biometric Group