By Cynthia Flash
BioPay makes fingerprint security systems for retailers that cash checks. Some 200 merchants use the Herndon, Va., company’s biometrics fingerprint scanners to verify a check casher’s identity in an attempt to reduce fraud.
But just because BioPay sells biometrics systems doesn’t mean its employees use one. BioPay has neither an external biometrics system that secures building access nor an internal system to secure access to its computer network.
“We’re looking into using biometrics to open our front door,” says communications manager Robyn Porter. “It’s in the development stage to make sure (the) biometrics device can handle different weather. We don’t use them in our office. Access to our computer system is with user name and passwords.”
BioPay is not alone. Government institutions and national entry points like airports increasingly are using biometrics devices like fingerprint, iris, palm and face scanners as outside security devices that take the place of keys and key-cards. Yet few of these entities – and even fewer companies – are using such technology for network security.
Despite the hype, the technology just isn’t there yet.
Small Rollouts And Trials
“Biometrics is being used in physical access and covert surveillance, but we’re not seeing it translate into network security,” says Jackie Fenn, vice president and research fellow of emerging technologies with Gartner in Lowell, Mass. “In our client base, it’s mostly trials and small departmental rollouts. They’re not rolling it out to thousands of employees at this point.”
Case Study: Biometrics Eases City’s Network Access, Security Woes
Earl Perkins, senior program director, global networking strategies with META Group, Inc., in New Orleans, predicts biometrics as a network security system won’t catch on until 2005. And when it does, he expects fingerprint and iris scanning technology to dominate.
“Today user-IDs and passwords are common,” Perkins says. “Looking forward to the day where biometrics will be used routinely as an additional layer of security to supplement or replace passwords and user IDs is a ways away.”
Today, it’s still possible to fool the computers that are supposed to verify personal identification. A 2002 study by researchers at the Yokohama National University in Japan found that they could create fake fingers using materials bought at grocery or hobby stores and fool commercial fingerprint scanners. The researchers tested 11 scanners and found more than a 68% chance of acceptance of the fake fingers.
There are also cultural issues involving iris scanning. Some countries have religious or cultural prohibitions against people looking directly into the eye, Perkins says. Also unresolved is the issue of cleanliness and how close one can get to the scanner for it to work.
Perhaps most important is the issue of standards. There are no universal standards, leaving companies to wonder if the system they install today will work with tomorrow’s technology.
The industry is working on standards and software companies are pushing in that direction. Microsoft, for example, has integrated biometrics interfaces into its newest operating systems. But it will take large companies years before they deploy the new systems.
Obstacles To Overcome
Before biometrics catch on as a viable form of network security, several key things must occur. Computer makers must embed scanners directly into their devices. This is starting to happen, with Acer announcing in May that its TravelMate 740 laptop will include a fingerprint image sensor.
“A key indicator that biometrics is beginning to be considered seriously is what the key PC manufacturers like Dell, IBM, HP and Compaq are doing,” Perkins says.
Questions of privacy – not only in the United States but also abroad – must also be addressed.
“If you have a multinational company that wants to use biometrics as a strong authentication method in their company, you’ll have to examine privacy laws in countries to determine whether you can store biometrics information,” Perkins says. “There will have to be provisions made on a country by country basis and database by database basis to determine the rules.”
Then there’s the question of price. It currently costs $100 to $150 per scanner peripheral. Companies must determine if it’s worth the money or whether to wait for the price to come down.
Perkins sees biometrics as network security being used in conjunction with smart card technology rather than as a stand-alone system. Individuals could store all of their personal information on a smart card. Then they would need to scan their fingerprint into that card to access that information.
“If the card can be locked or unlocked with biometrics, not only would you have an encrypted key in the card that defined access, you would have a way to unlock that key through biometrics,” he says.
Look to the financial services – companies like BioPay and more traditional financial institutions – and health care industries to take the lead.
Any company considering jumping out front in this area should be aware of what they’re getting into, Fenn says.
“Make sure you know what your motivation is. It can work. There are certain advantages, but these are early days,” he says. “It’s changing. There are not huge established vendors in the fragmented marketplace. It’s high-risk, and you need a tactical reason for taking it. Make sure you know why you’re moving to that solution.”
Freelance writer Cynthia Flash covers business and technology from Bellevue, Wash. She can be reached at [email protected]