Biometrics uses personal characteristics to identify users. When it comes to security, mapping unique patterns and traits in fingerprints, irises or voices is considered light years ahead of forcing employees to memorize combinations of letters and numbers — which are easily compromised and easily forgotten. The technology works by taking measurements — whether it is the weight and length of bones in the hand or the pattern of blood vessels inside the eye or the pattern of fingerprints — and then storing the specifics, often called minutiae, in a database.
When a user scans a hand or retina, the new mapping is compared with the stored data. Access is either granted or denied based on matching patterns that are unique to each individual. It’s that ability to identify someone based on unique physical traits that is driving biometrics into the corporate enterprise. As more high-priced transactions are conducted over the Internet, businesses increasingly need ironclad authentication of someone’s identity.
Add to that the increasing amount of in house security breaches and corporate espionage, and you’ll find network and security administrators rappling for a better way to secure information from unauthorized eyes. Until recently, the problem with biometrics has been its staggering cost. But prices have dropped by 80% to 90% in the past two to three years. A boom in research and development has produced quality improvements and price reductions. A stand-alone fingerprint reader might have cost anywhere from $2,000 to $3,000 two years ago, but now it can sell for less than $100.
Analysts say fingerprint scanning is the top biometric in terms of mind and market share, with hand geometry coming in second, followed by face and iris canning. There’s a growing crop of biometrics vendors expanding the market and pushing what was once technology solely aimed at forensics and government security into the enterprise market. Companies such as Identix of Sunnyvale, Calif. , Veridicom of Santa Clara and Key Tronic in Spokane, Wash. , are taking biometrics corporate. And they’re catching the eye of industry giants like Compaq, which is embedding fingerprint scanners into keyboards and laptops.
The city of Oceanside, Calif. , is well beyond the initial testing phase when it comes to using fingerprinting to authenticate users. With 90% deployment, Michael Sherwood, director of the city’s IT department, says the city is already saving $30,000 to $40,000 per year, and the IT department has been unshackled from password torments. “Password-related calls made up about 25% of the calls coming into our help desk,” says Sherwood, who started using fingerprinting technologies from Identix about a year and a half ago. And we figure each one of those calls cost us $20 to $50, factoring in that a field technician has to be dispatched to make sure the password is delivered to the right person, not someone posing as that person. Then there’s the call to check back with the user to make sure everything is OK, plus the user’s downtime while he is waiting for help. “We have so many different systems, and each system has its own security,” Sherwood says. “You need a password to log on in the morning and another password to get to certain files and then another password for financial applications, for example.
And then you figure that people have to remember their ATM PIN number, their home security PIN, the security code for their cars and their cell phones. It’s just all too much. We had to simplify hat. ” And looking at Oceanside’s help desk statistics, it seems they’ve succeeded. Sherwood says the IS department has only received 10 calls for assistance with the fingerprint scanners since Oceanside started using them in 1998, and most of the problems can be traced to dry skin or small abrasions that inhibit the scanner’s reading. Our security administrator isn’t spending his whole day patrolling passwords now. He’s looking at bigger security issues,” Sherwood says. “We spent about $170,000 on the system, and we figure we’ll recoup all of our investment in two years. ” Analysts support Sherwood’s numbers, citing that calls about forgotten and changing passwords are a major drain on most help desks. They say it shouldn’t come as a surprise, because the average user has to remember four to eight different strings of characters, and is supposed to change them every 30 to 60 days.
Just getting employees not to use their own names, nicknames or birthdays as their passwords is a major IS headache. An issue of privacy While biometrics offers tighter security than passwords, industry watchers warn that the technology poses its own set of threats (see Face-off on the issue of biometrics and privacy). The ugly truth is if you’re storing people’s fingerprints in a database, that database is searchable,” DataQuest’s Reynolds says. “Say you have a large company and somebody steals the CEO’s cigar box.
They find a fingerprint and compare it to what’s in the database. Or say the police come asking for a copy of someone’s fingerprint. That all amounts to an unlawful search. ” And that is bound to make some users uneasy or even unwilling to hand over their fingerprints. Grant Evans, vice president of Identix, calls it a small problem. “The fact is Big Brother has all the information he needs on you without your ingerprints,” he says. Gail Koehler, vice president of technology for Purdue Employees Credit Union in West Lafayette, Ind. was worried that members would be upset when she first deployed fingerprint scanners in her automated branch kiosks. Koehler says 12,000 members have registered their fingerprints with the credit union. “We spent the majority of our marketing dollars preparing ourselves to convince members that this was secure and not an invasion of their privacy,” she says. “It was wasted dollars. We’ve basically had no objections. Members prefer the security. “