have long used emblems, uniforms and tattoos to physically identify
themselves to their compatriots. Secret passwords were in use long
before the first person logged in at a keyboard. Today, the world of
is increasingly incorporating
identifiers as an additional weapon within the security arsenal.
International Biometric Group, a New York City-based consulting
firm, reports that the worldwide market for biometric devices grew
67 percent last year to reach $1.2 billion. And analysts there
estimate a further expansion to $4.6 billion by 2008.
The largest share of that money (48 percent) goes for fingerprint
recognition systems, followed by facial recognition (12 percent).
While these two are the most popular, there are other methods that
analyze a person's physical or dynamic characteristics. Physical
biometric methodologies also look at the following:
Examining the lines of the iris or the blood vessels in the
Taking a 3D image and measuring the height and width of bones
and joints, and
Analyzing surface texture and thickness of skin layers.
Key Terms To
Generally, the study of measurable biological characteristics. In
computer security, biometrics refers to authentication techniques
that rely on measurable physical characteristics that can be
In a biometric security system, the process of comparing a biometric
data sample against all of the system’s databased reference
templates in order to establish the identity of the person trying to
gain access to the system.
When looking at strong
authentication, you want two out of three factors something you have,
something you are and something you know. While, eyes, hands and skin are
commonly used as biometric identifiers, more dynamic methodologies also are
being introduced, such as the following:
vocal pitch and rhythm;
Analyzes the typing speed and rhythm when the user ID and password are
the signature to one on record, as well as analyzing the speed and
pressure used while writing, and
length of stride and its rhythm.
To keep performance high and
storage requirements manageable, today's biometric technologies don't have
to store or analyze a complete picture of the body part or the physical
feature being used. Imagine the processing power that would be needed to
store a high
resolution picture of someone's face and then compare it with a live
image pixel by
Instead, each method reduces the body part or activity to a few essential
parameters and then codes the data, typically as a series of hash marks. For
example, a facial recognition system may record only the shape of the nose
and the distance between the eyes. That's all the data that needs to be
recorded for an individual's passport, for example.
When that person comes through customs, the passport doesn't have to include
all the data required to reproduce a full-color picture of the person. Yet,
armed with a tiny dose of key biometric information, video equipment at the
airport can tell whether the person's eyes are closer together or if his
nose is slightly wider than the passport says they should be.
None of these biometric systems are infallible, of course. However, the rates
positives have markedly improved. One of the problems with fingerprint
readers, for instance, is that they couldn't distinguish between an actual
fingerprint and the image of one. In the recent movie National Treasure,
Nicholas Cage's character lifted someone's fingerprint off a champagne glass
and used it to gain access to a vault. That's not pure fiction.
Japanese cryptographer Tsutomu Matsumoto lifted a fingerprint off a sheet of
glass and, following a series of steps, created gelatin copies. He then
tested these on 11 fingerprint readers and each accepted the gelatin prints.
Outside the lab, Malaysian thieves chopped the fingertip off a businessman
and used it with the fingerprint reader on his Mercedes. But none of those
methods would work with higher-end fingerprint readers. The latest
fingerprint readers are incorporating more advanced features, such as making
sure the finger is a certain temperature. Everyone's hand is different, as
some are consistently warm or cold. In addition, they can also check if
there is a pulse and tell how much pressure is being applied.
Such sophistication, however, has its drawbacks. Authorized users may find
themselves locked out even when the devices are working properly. Why? Tiny
changes, due to accidents or injuries, can change a biometrics profile,
rendering it effectively obsolete. The thing to keep in mind with any
biometrics is that your ID does change over time. If you cut your finger,
your biometric may not be the same any more. Or your early morning voice is
different than after talking for eight hours.
Biometrics in the Enterprise
While biometric authentication certainly adds an extra layer of security, it
would be a mistake to implement a high-end system and then feel that
break-ins instantly would be consigned to the history books. It takes
back-end integration, constant vigilance and consistent user involvement to
keep an enterprise secure. Security is a user issue and must go all the way
to the desktop. You need to have a very layered architecture and assume that
any layer could fail some day.
The most popular biometric tool at the moment is the fingerprint reader.
Some even use USB drives. And some keyboards and laptops come with them
built in. These devices have come way down in price. As a standalone device,
the unit price has dropped below $100. But, in an enterprise setting, that
is just the start of the costs.
IT departments have to ensure, for example, that back-end security systems
can accommodate biometric authentication, and scale to the required number
of users. Plus, if fingerprint readers are not incorporated into the
desktop, it adds to the number of devices that need to be supported by
There is little point, then, in adopting a stand-alone biometrics system
that cannot easily be assimilated into the organization's existing security
Biometric authorization techniques are no longer so leading edge that they
are difficult to marry with traditional security safeguards. Today's systems
are well enough developed that they can be incorporated into enterprise
systems without too much effort. A strong authentication system is
what you want to focus on and biometrics can be part of it, but the user
should still have to memorize something or have a token, and you need to
make sure that polices and the management structure relating to it are
firmly in place.
Did You Know...
Personal USB Biometric Pods claim to allow secure fingerprint
identification which provides a secure way to remember
passwords. These gadgets are now available for under $30 USD.
~ By Drew Robb
Adapted from eSecurity Planet.com
Last updated: January 06, 2006
eSecurity Planet Online
eSecurity Planet is dedicated to providing enterprise security professionals
with the latest and most useful online security news, information and advice.
Webopedia's "Did You Know...How Fingerprint Scanners Work"
Today fingerprint devices are by far the most popular form of biometric security
used, with a variety of systems on the market intended for general and mass
market usage. Long gone are the huge bulky fingerprint scanners; now a
fingerprint scanning device can be small enough to be incorporated into a laptop
Article: Gait Advances in Emerging Biometrics
Recognition by the way someone walk (their gait), the shape of their ears, the
rhythm they make when they tap and the involuntary response of ears to sounds
all have the potential to raise the stock of biometric techniques.
Extensive collection of information pertaining to the research, development,
testing, evaluation, and application of biometric-based personal
identification/verification technology. The Biometric Consortium serves as the
U.S. Government's focal point for this technology.
Analysis of digital rights management technology.