Biometrics Go Mainstream

With the blink of an eye, the touch of a finger, or the uttering of a pass-phrase, colleges and schools can now get deadly serious about physical security.

WHAT’S NEW IN AUTHENTICATION? After years of hype, biometrics may be going mainstream! Witness these two recent news release statements, both from Washington Technology, January 2006:

“By Oct. 27, all federal agencies must be ready to issue new identity cards that will be rich in biometrics and other security features.”

“Homeland Security is expected to set specifications and standards for biometric features that will be required as part of a federal mandate to improve driver’s license security.”

As you may recall from “Security: It’s Not All About Hackers,” Campus Technology, September 2005, authentication is based on something you know (e.g., a password), something you have (e.g., a driver’s license), or something you are (e.g., a fingerprint). The last of these refers to the use of biometrics for authentication. Common examples are based on eye (iris and retinal) scans, fingerprints, keystroke dynamics, voice analysis, facial scans, hand geometry, and DNA analysis.

Retinal and Iris Scans

Eye scans are the gold standard of commonly available biometric identification techniques. Retinal scans are performed by shining a low-intensity beam of infrared light into the eyeball and recording the pattern of blood vessels in the back of the eye. The process is somewhat invasive (the eyeball needs to be held very close to the device, held still, and focused for 10 to 15 seconds) and is typically only used in high-security facilities.

Iris scans are executed by observing the pattern of ridges on the colored part of the eye; they can be carried out at distances of up to several feet, and through eyeglasses, as well. As the cost of iris scanners falls, the devices are starting to be used in medium-security facilities such as airport security checkpoints, as well as education and corporate environments. Panasonic, for one, markets several iris scanners with prices ranging from several hundred dollars all the way up to the $10,000 mark.

Still, there have been reports of “reading” problems in a small percentage of cases because of eye malformations, watery eyes, and even long eyelashes. High-resolution photographs of an iris have also fooled some of the scanners. These limitations notwithstanding, iris recognition systems from Eyemetric Identity Systems have been adopted by one New Jersey school district to control adult access into elementary school buildings.

Fingerprints

Fingerprint recognition has gone from Hollywood (remember Will Smith and Gene Hackman in the 1998 thriller Enemy of the State?) to college-campus and school-district dining halls and cafeterias. Most schemes work by capturing an image of the ridges and furrows of a fingertip with an optical scanner and then comparing the details—for example where ridges end or fork—against a database of fingerprint information.

Food Service Solutions sells fingerprint-scanning systems to K-12 schools to speed kids through lunch lines. The system was recently adopted as well by Campbell University (NC) for 1,200 voluntary users in the university’s dining halls. Administrators at the institution claim that identification by fingerprint scan takes 1.6 seconds, compared to 3.5 seconds to swipe a student’s ID card. A digital picture of the individual is also taken, which is displayed on an attendant’s screen as verification of the food service program enrollee.

The good news: The cost of fingerprint scanning systems has dropped to the point where they’re now practical for controlling access to individual computers. For example, Digital Persona sells a compact standalone scanner and associated software that connects to a PC via its USB port.

On the plus side, according to the FBI, electronic fingerprint scans make the right match 95 to 98 percent of the time. (Detractors point to the inverse.) On the down side, the accuracy varies depending on gender, race, and the condition of the finger being scanned (dry, cracked skin can degrade accuracy).

HOW TO FAKE A FINGERPRINT

Tsutomu Matsumoto, a Japanese mathematician, has figured out a cheap way to fool a fingerprint scanner. First, he uses free-molding plastic from a hobby shop to make a plastic mold of a thumb or finger. Then he pours gelatin obtained from a grocery store into the mold and lets it harden. The gelatin “fake” fools fingerprint detectors about 80 percent of the time. To read more about this, go HERE.

Voice Recognition

Voice recognition is accomplished by comparing the vocal characteristics of a user speaking a pass-phrase with the characteristics of an authorized user speaking the same pass-phrase. This technology is getting better, but its accuracy still lags behind other biometric techniques and can be affected by external factors such as background noise, as well as physiological factors such as a head cold, and psychological factors such as emotional state. Used alone, voice recognition systems that ask the individual to repeat a fixed phrase can be defeated by a simple audio recording. One advantage of voice recognition technology is user friendliness (“please say your pass-phrase”) and the ease with which voice recognition can be combined with other authentication techniques to provide two-factor identification. Another advantage is that virtually all computers have the appropriate hardware—a microphone—already built in. Then too, because voice recognition is a software-only solution, the cost is relatively low. Some popular voice authentication products are Nuance Verifier, Voice.Trust and VoiceVault. Vocent takes a somewhat different approach and offers a product that allows a user to remotely reset passwords, based on voice recognition.

Keystroke Dynamics

To identify users, keystroke dynamics technology typically uses measurements of the speed and pressure of typing, the total time taken to type particular words, and the time elapsed between hitting certain keys. (Experienced Morse code operators have long prided themselves on being able to identify a sender by his “fist,” or pattern of typing out dots and dashes on a telegraph key.) Surprisingly, this behavioral technology is relatively accurate, and since it can be entirely software-based and needn’t include additional hardware, its cost is quite low. Integrating keystroke dynamics with another authentication technology such as passwords provides very cost-effective two-factor or even three-factor authentication.

One vendor, BioPassword, estimates that the cost of implementing that company’s keystroke dynamics solution is one-third the cost of physical biometric devices, and substantially less than tokens or smart cards. While a single-user version is available, the enterprise version is probably of more interest in higher education with its highly mobile user environment.

Facial Recognition

One of the most common facial recognition schemes is based on analyzing a facial image for certain “nodal points,” such as the width of the nose or distance between the eyes. A template is built based upon these measurements, and then compared against target templates. An independently administered technology evaluation of mature face recognition systems done in 2002 by the Defense Advanced Research Projects Agency (DARPA), the National Institute of Standards and Technology (NIST), and NAVSEA Crane Division found that the best of these systems achieve 80 to 90 percent accuracy in controlled conditions. (See “Face Recognition Vendor Test 2002: Overview and Summary.”)

The accuracy of the results was very dependent upon lighting, picture angle, and the age and gender of the target. Is 80 to 90 percent good enough to be used in practice? If the objective is to scan casino patrons for professional gamblers, the answer may be yes. In fact, one company, Biometrica, has built a business around providing facial recognition systems to the casino industry. On the other hand, the use of facial recognition systems has not been particularly successful in identifying people in a crowd or for authentication. More than two dozen companies provide facial recognition systems.

Hand Geometry

Authentication based on hand geometry analyzes two optical images of the hand—one of the palm and one of the side—to measure parameters such as finger width and height, the length and distances between joints, and knuckle shapes. These parameters are then compared to a previously established template. Because the geometry of our hands isn’t highly distinctive, the system isn’t well suited for identifying one individual out of many. The system’s ease of use, however, makes it attractive for matching a token or smart card to a user. In the late 1990s, the Immigration and Naturalization Service (now part of Homeland Security) began experimenting with automated hand geometry authentication for frequent business travelers (INS Passenger Accelerated Service System or INSPASS), but a March 2000 audit concluded that the system wasn’t particularly cost-effective, and additionally, created security risks. In January 2006, the program was transitioned into the Registered Traveler program, which is based on iris scans and fingerprint recognition.

DNA

DNA is the ultimate biometric identifier. The odds of two people who aren’t identical twins having the same DNA are 6 billion to one. The downside of DNA analysis is that it currently requires both a physical sample and extensive laboratory analysis. But changes are on the horizon. Scientists are starting to use “DNA chips” or “DNA microarrays” to map out the small variations in DNA that characterize our uniqueness. (Read more on this HERE.) As this technology matures, it may be possible to use it for authentication. But even DNA authentication might not be foolproof: As has been pointed out in science fiction movies, all it takes is a strand of hair to mimic someone.

Comparing Biometric Technologies

Two criteria commonly used to compare biometric technologies are False Acceptance Rate (FAR) and False Rejection Rate (FRR). FAR measures how often an impostor is wrongly accepted and so bypasses the biometric authentication. Thus, an FAR of 1 percent indicates a one in a hundred chance of fooling the system. In general, FAR increases (the system becomes less accurate) as we move from iris scans through fingerprint scans, keystroke dynamics, facial recognition and, finally, voice recognition. FRR measures how often a valid user will not be successfully authenticated. Thus, an FRR of 3 percent means that three times out of a hundred, a user will incorrectly be denied access and forced to try again. As with FAR, FRR increases (more real users rejected) as we move from iris scans through fingerprint scans, keystroke dynamics, facial recognition and, finally, voice recognition.

With the exception of iris scans, which have a very small FAR, biometric identification techniques generally involve a tradeoff between FAR and FRR. If we reduce the chance of someone fooling the system, we increase the chance of denying access to a valid user. Most biometric systems let the system administrator adjust the acceptance threshold of the FAR and FRR settings. For example, the FRR might be decreased to make the system more user friendly at the expense of making it easier to fool the system.

Biometric identification isn’t absolute—it’s probabilistic. In 2005, a crime lab considered by many to be the finest in the world misidentified a fingerprint linked to the Madrid bombing case. Bottom line: A healthy dose of skepticism is advisable when evaluating vendor claims.

6 Items to Keep in Mind When Using Biometrics

From Who Goes There? Authentication Through the Lens of Privacy, National Research Council:

  1. Never design or use a biometric system that allows either remote enrollment or re-enrollment. Such systems have no good way of connecting a user with the enrolled biometric record other than additional authentication, so the advantage of using biometrics is lost.
  2. Biometric measures can reveal your identity if they are linked at enrollment or at subsequent usage to your name, Social Security number, or other identifying information.
  3. Remember that biometric measures cannot be reissued if stolen or sold. Consequently, your biometric measures will be only as secure as the most insecure site that uses them. Do not enroll in a system that does not seek to preserve anonymity, unless you have complete trust in the system administration.
  4. All biometric access-control systems must have exception-handling mechanisms for those individuals who either cannot enroll or cannot reliably use the system for whatever reason. If you are uncomfortable with enrolling in a biometric system for positive identification, insist on routinely using the exception-handling mechanism instead.
  5. The most secure and most privacy-sensitive biometric systems are those in which each user controls his own template. However, simply controlling one’s own biometric template, say by holding it on a token, does not guarantee either privacy or security.
  6. People tracking? Because biometric measures are not perfectly repeatable, are not completely distinctive, and require specialized data collection hardware, biometric systems are not useful for tracking people. Anyone who wants to physically track you will use your credit card purchases, phone records, or cell phone emanations instead. Anyone wanting to track your Internet transactions will do so with cookies, Web logs, or other technologies.

Privacy Issues

In its comprehensive report, Who Goes There? Authentication Through the Lens of Privacy, the National Research Council points out that biometrics can pose serious privacy and security concerns, particularly if samples are compared against templates stored on a remote authentication server that, potentially, can be hacked. (A stolen password can be reset, but a fingerprint is forever.) The report recommends that biometric technologies not be used to authenticate users via remote authentication servers and suggests that biometrics is more appropriate for local authentication, such as access to a private key or smart card. This advice is often ignored, in which case the system should encrypt all templates transmitted over the network to ensure that the central server is as secure as possible. (See the box above for common sense guidelines.)

Caveats

Biometrics can be particularly powerful as part of a two-factor authentication scheme. If the false acceptance rate or FAR of one system is 0.03 (3 percent) and the FAR of a second system is 0.02 (2 percent), the FAR of the combined system is 0.0006 (0.06 percent)—if the systems are truly independent. Sadly, however, that is usually not the case. If a hardware token is used in conjunction with a fingerprint reader, a copy of the fingerprint just might appear on a stolen token. Okay, biometrics may not yet be a silver bullet, but the technology does force the bad guy to get a bigger hammer.
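The FAR/FRR threshold tradeoff from "Comparing Biometric Technologies" and the independence caveat above, worked through as an added example (not from the article or any vendor named in it). The match scores are constructed, and the helper names are my own; the 0.03 and 0.02 figures are the article's.

```python
"""FAR/FRR tradeoff and two-factor combination (added illustration)."""

# Constructed matcher scores in [0, 1]; higher means closer to the enrolled template.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.69, 0.93, 0.87]
IMPOSTOR_SCORES = [0.31, 0.45, 0.52, 0.28, 0.61, 0.39, 0.72, 0.35, 0.48, 0.55]
THRESHOLDS = [0.50, 0.55, 0.60, 0.65, 0.70, 0.75, 0.80, 0.85, 0.90, 0.95]


def far_frr(genuine, impostor, threshold):
    """A score >= threshold is accepted.
    FAR = impostors accepted / impostors; FRR = genuine users rejected / genuine."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def tradeoff_table(genuine, impostor, thresholds):
    """One (threshold, FAR, FRR) row per candidate threshold: as the threshold
    drops FRR falls (friendlier) while FAR rises (easier to fool), and vice versa."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


def threshold_for_max_far(genuine, impostor, max_far, thresholds):
    """What an administrator does when tuning: the lowest threshold whose FAR stays
    within budget, which is the most user-friendly setting for that FAR. None if
    no candidate threshold meets the budget."""
    ok = [t for t in thresholds if far_frr(genuine, impostor, t)[0] <= max_far]
    return min(ok) if ok else None


def combined_far_independent(*fars):
    """Both factors must accept the impostor; with independent factors the
    combined FAR is the product (0.03 * 0.02 = 0.0006, as in the article)."""
    product = 1.0
    for f in fars:
        product *= f
    return product


def combined_far_upper_bound(*fars):
    """If the factors are perfectly correlated (e.g. the fingerprint travels with
    the stolen token), passing the weakest factor passes both: combined FAR is the
    minimum, not the product. The true value lies between the two functions."""
    return min(fars)


if __name__ == "__main__":
    for t, far, frr in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"threshold {t:.2f}  FAR {far:.0%}  FRR {frr:.0%}")
    print("threshold for FAR <= 10%:",
          threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.10, THRESHOLDS))
    print("two-factor FAR, independent:", combined_far_independent(0.03, 0.02))
    print("two-factor FAR, fully correlated:", combined_far_upper_bound(0.03, 0.02))
```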

DON’T MISS THIS WORKSHOP! Doug Gale will present July 31 on “Cybersecurity: What Every CIO Needs to Know” at the Campus Technology 2006 conference in Boston.
