Skin-deep security

Passwords still predominate, but fingerprint scanners and other biometric solutions are now safeguarding systems

Biometric technologies are nothing new to moviegoers who watched James Bond undergo a retinal scan before entering a high-security facility. But in real life, where they have a reputation for being expensive and unreliable, biometric devices have been relegated to niche applications. That's likely to change — and soon.

As the emphasis on network and systems security grows, people are turning their attention to biometrics for controlling access to buildings or computer networks (known as physical and logical access, respectively).

According to the International Biometric Industry Association, the biometrics industry has grown from 6,400 devices shipped in 1995 to an expected 400,000 units this year, worth $168 million. By the end of the decade, IBIA predicts that the manufacturing market alone will be worth at least $3.5 billion.

Adding vendor and consultant services, analysts say the total biometrics market could be worth $2 billion to $3 billion by 2005.

"The technology has matured in its usefulness, as far as reliability and robustness are concerned, and that, by itself, is prompting an increase in sales," said Richard Norton, executive director of IBIA. "But over the past few years, there's been a vast expansion in the number of networks and, therefore, in the need to protect them. That will bring a very quick change in the biometrics market."

The government has had a major influence on the development of biometrics. The Defense Department has had wide-ranging initiatives in place since the early 1990s to investigate the potential use of biometrics. The Treasury Department is looking into how biometrics will figure in the Financial Management Service's ongoing program to help federal agencies better handle cash management activities.

One of the better-known applications of biometrics is in the Immigration and Naturalization Service's Passenger Accelerated Service System (INSPASS). Hand geometry is used to identify foreigners who visit the United States at least three times a year and enables them to bypass the usual personal interview with an INS official when entering the country.

At the state and local levels, biometrics is used to combat fraud in entitlement programs, which the General Accounting Office says is a $10 billion-a-year problem.

In July 1991, Los Angeles County installed the first Automated Fingerprint Image Reporting and Match System, which compares digital fingerprint images of new benefit applicants against a database of prior claimants. The system saved the county about $5.4 million in the first six months of operation, officials said, and it was expanded statewide over the next several years. Other states, including Texas and Connecticut, have followed California's lead.

Fingerprint-scanning technology is also being used to reduce the numbers of duplicate or faked driver's licenses and identification cards.

A fledgling use of the technology is as a replacement for typed passwords when granting access to government networks. That's because password-based security has been undone by a decidedly low-tech product — the sticky note.

Outside analysts who audit government security practices often recommend that network users change their passwords more frequently, but that creates its own problems, as the city of Glendale, Calif., found out.

"The requirement [from the auditors] was that we go from changing passwords every year to 8-bit alphanumeric passwords that change every 60 to 90 days," said Scott Harmon, Glendale's information services administrator. "But our typical user just isn't that sophisticated. They are more used to having passwords such as 'spot' that they never change."

Frequently changed passwords take a toll on agency help-desk workers, who spend a lot of time and effort helping employees who have forgotten their passwords. And who hasn't passed the occasional workstation where a sticky note with the user's password was stuck to the monitor? That's why Glendale recently chose a fingerprint-scanning system that will eventually replace password access for all of its 2,100 government employees.

"There's nothing more frustrating for our users than having to deal with passwords," Harmon said.

Glendale may be at the forefront of a trend. Beverly Dickerson, account manager with Spectrum Systems Inc., which develops network management and protection solutions, said her company has been working with government agencies for the past 15 years, "but it's only really been in the past year that we've gotten involved with biometric network access issues. But we are getting a lot more interest now, as are the biometric companies we work with, so it's obviously an area that's ready to take off," she said.

Not all technologies are equal in this burgeoning market. For example, devices that scan a person's iris or retina are considered the strongest at verifying identity, but they lack the utility of fingerprint scanners and voice-recognition technology.

"From the reports we've seen from chief technology officers and others, utility definitely seems to be skewed toward fingerprint," said Jim Kawashima, director of strategic partnerships for SecuGen Corp., a manufacturer of biometric systems. "They think it's less intrusive than iris or retinal scan, and it's easier to use and less cumbersome than palm. There's also an idiomatic understanding among potential users that the fingerprint is a unique identifier. Other technologies don't have that same intuitive impact."

Declining costs are also boosting interest in biometrics. A few years ago, a fingerprint scanner cost around $500; today, you can pick one up for $70 or less. Scanner technology is also being incorporated into PC keyboards and notebook computers, making it less cumbersome to use. And as more PCs come equipped with microphones and digital cameras as standard features, PC technology is on the verge of being "biometric ready."

It's still not at the stage where users can do most of the biometrics integration themselves, at least not in the more sophisticated network security environments, but commercial help is available.

BioNetrix Systems Corp., for example, one of the leading vendors of "personal authentication systems," has developed an open-platform solution that can be applied to policy-driven security schemes and managed from a central console.

And it helps, said Missie Sergeant, director of corporate communications for BioNetrix, that people are "generally much more educated about biometrics than they were even a year ago."

Biometrics is in its infancy, conceded IBIA's Norton, but the industry is quickly moving through the "early adopter" stage. The next 12 to 18 months will see the growth of a sizable market, he predicted.

And some are looking beyond that. Research into integrating biometric and wireless technologies is already under way. In the not-too-distant future, simply touching the screen of a cellular phone or handheld device will verify your identity and grant you secure access to a network via a wireless link.

Robinson is a freelance journalist based in Portland, Ore.
