Identification parade
Biometric technologies are starting to take off, but none of them are entirely foolproof, as David Stott finds out.
One of the biggest challenges facing the security industry today is confirming the true identity of a person.
Whether it is to provide access to an online banking service or simply to allow users to log-on to a network to collect their email messages, there is a growing need to confirm accurately whether a user is who they say they are.
Many vendors are promoting the use of biometrics as a potential solution. Biometrics is the automatic identification of people using unique, measurable human characteristics. This can be achieved in several different ways.
Fingerprints, palm prints, iris scanning, retinal scanning, facial recognition scanning, voiceprint and signature dynamics can all be used, with varying degrees of accuracy and reliability, to determine identity.
Perhaps the most obvious, and certainly one of the oldest, methods of identifying a person is by using their fingerprints. It is used by law enforcement agencies throughout the world, and offers a fairly simple and quick way to confirm someone's identity.
There are several vendors selling products based on fingerprint recognition techniques, and the scanning devices are relatively cheap and easy to use.
As a result, advances during the past two or three years have made fingerprint-based identification practical for tasks such as electronic payments, passports and verifying drivers' licences.
However, fingerprint scanning is not completely foolproof, and many security consultants recommend the use of palm prints for greater reliability.
Palm print scanning relies more on the geometry of the hand and uses, for example, the length of the fingers and the width across the knuckles to determine a match. Therefore palm prints are harder to fake and systems using this technology are less likely to fail.
The eyes have it
Along with fingerprints, the other most common unique identifiers we have are the eyes. Two separate aspects can be used to determine identity. The oldest and most controversial is the scanning of the retina.
Researchers way back in the 1800s suggested that the patterns of blood vessels at the back of the human eye are unique. Retinal patterns remain the same throughout one's life, except in cases of severe head trauma or degenerative eye diseases.
Retinal scanning uses a laser to read the pattern of tiny veins at the back of the eye, but the fact that it scans the most sensitive part of the organ raises some concerns.
Jackie Groves, managing director of Utimaco Safeware UK, a developer and distributor of IT security solutions, said: "It is important to realise that biometrics suffers from social acceptance problems.
"Most people are not going to allow a device to scan their retina as they somewhat unjustly fear that it will make them go blind."
More recently iris scanning has proved far less controversial. This technique uses a special camera to photograph a person's iris, which is much less invasive.
The system then uses the unique patterns and colours of the iris to identify the person. This scanning is easier and cheaper to implement, with the added benefit that the lack of lasers reduces health concerns.
According to Ian Pearson, technical manager at SchlumbergerSema, iris scanning is becoming much more popular and widespread.
"There is a definite growth in iris scanning technology because it is much more reliable and provides higher levels of security," he explained.
"Iris scanning machines have been installed at Heathrow Airport. If passengers who fly frequently provide an iris scan to the passport control they can avoid queuing.
"When they look into a camera as they pass through passport control, and the iris scan matches the one stored on the database, they simply walk through."
While fingerprints and iris characteristics can be used to determine a person's identity they are not what people use to identify one another.
Let's face it
The human face is generally regarded as the quickest and most consistent way that people are recognised by other people, and several systems have been developed to perform the same task automatically.
Stephen Smith, criminal justice manager at IT services company Steria, firmly believes that facial recognition is the way forward for biometric security.
"Face recognition works by capturing a square-on image of the face with a camera or video," he said. "The image is then encoded based on skull geometry. The encoding tends to ignore facial hair and skin. However, it is important to capture the iris and the tip of the nose.
"The encoding translates the face into a mathematical description of typically 300 characters [bytes] so that it can be sent over a range of devices. This is vital if it is a case of national security."
Unfortunately, the ability of technology to recognise a person's face is not completely infallible. Just look at all the cases of mistaken identity highlighted in criminal proceedings, or the fact that it can be extremely difficult to distinguish between identical twins.
Another technique currently being explored is voice recognition. Most voice biometric solutions create a voice print of the user: a template of the person's unique voice characteristics created when the user enrols with the system.
All subsequent attempts to access the system require the user to speak so that their live voice sample can be compared against the pre-recorded template. Many solutions also require the user to speak a password when attempting to gain access, for added security.
Talking volumes
Some vendors, such as Nuance, are convinced that voice recognition is an excellent method for the authentication of users.
Nick Applegarth, the company's managing director for Europe, Middle East and Africa, believes that the technology has some distinct advantages over other systems.
"Nuance's biometric [solution] relies on voice recognition," he explained. "This system takes a voiceprint of the speaker's vocal tract that is as unique to the individual as a fingerprint or iris pattern.
"This primary identification can then be combined with the integrated software that recognises the words spoken. The password could be random numbers from a Pin or personal information such as date of birth.
"These multiple checks make the system secure enough for confidential financial transactions or personal data to be exchanged. It can be as much as 99.9 per cent accurate.
"While other biometrics require complex bits of kit, such as fingerprint or retina scanners, voice recognition doesn't require anything special and can work over a simple fixed telephone or a mobile with a PC at the other end of the connection."
The final biometric technology that can be used for identification is signature dynamics. This is not the same as handwriting recognition because the object is not to exactly determine what is written, but how it is written. After all, many signatures are quite hard to decipher.
Instead, signature dynamics is used to analyse precisely how a person signs their name. It looks at various parameters such as the pressure applied on the surface by the pen, the angle of the writing and even the speed at which the signature is written.
However, if a user is either tired or has been drinking alcohol then they may not be able to replicate their signature in a way that the system will recognise.
All of the biometric techniques outlined above have their own merits and benefits, but none are absolutely foolproof.
"No single biometric method is 100 per cent accurate," said Smith. "The best solution is to have a combination of methods depending on security needs. This will mean the integration of various biometric technologies and systems in order to increase identification success rates."
Overall security issues have meant that millions of pounds are being spent on biometric security and the market is starting to take off. However, the widespread use of biometric security for general authentication purposes, such as making purchases on the internet, is still some way off.
Fiona D'Arcy, marketing manager at identity management company Daon, predicts a fairly slow growth in the demand for biometric security on a personal security level.
"Analysts argue that the mass deployment of biometrics in the consumer space will not happen until at least 2008," she said. "Deployment will start with the enterprises and then move through the government and citizen space and eventually to large-scale consumer use.
"Privacy and security issues will be addressed as this progresses, but the more research that is done to demonstrate the accuracy of the technology, the more likely it is that fears will be alleviated."
Without doubt, the ultimate biometric for truly 100 per cent accurate identification is DNA. While this has been proved to be highly reliable, the actual task of conducting DNA identification is time consuming.
Scientists are working hard to develop faster techniques to conduct DNA tests with the ultimate goal of providing instant matching. Eventually we will see some form of DNA biometric security, but it is not likely to be in the next five to 10 years.
Sticky fingers
Despite the fact that fingerprints, by being unique, are an almost perfect method of identification, there has been some doubt cast on the ability of fingerprint recognition systems to perform reliably.
A Japanese cryptographer has demonstrated how fingerprint recognition devices can be fooled using a combination of cheap kitchen supplies and a digital camera.
First, Tsutomu Matsumoto used gelatine and a plastic mould to create a fake finger with his own fingerprint as an impression. Using this he discovered that many fingerprint detectors could be fooled four times out of five.
He then took latent fingerprints from a sheet of glass, which he enhanced with a cyanoacrylate adhesive (super-glue fumes) and photographed with a digital camera. Using some image enhancing software, he improved the contrast of the image and printed the fingerprint onto a transparency sheet.
Next, Matsumoto took a photo-sensitive printed circuit board (which can be bought in many electronics hobby shops) and used the fingerprint transparency to etch the fingerprint into the copper.
From this he made a gelatine finger using the print on the circuit board, using the same process as before. Again this fooled fingerprint detectors about 80 per cent of the time.
The equipment he used is neither hi-tech nor expensive and, while the first experiment using his own fingerprint is impressive, it is the second experiment which has far greater implications.
Using these techniques it is theoretically possible for someone to 'lift' another person's fingerprint and assume their identity. If Matsumoto can pull off the trick what would corporate espionage boffins be capable of?
Matsumoto tried these tricks on 11 commercially available fingerprint biometric systems, and was able to reliably fool all of them.
Obviously this is a worrying development as far as the use of fingerprint biometric security is concerned and many manufacturers will have to rethink their strategies.
One possible solution could be to incorporate a temperature sensor which may prevent fake fingers being used. But even this problem may not be insurmountable for the dedicated forger.
BIOMETRICS RESOURCES:
There are several organisations and industry associations involved in biometrics, and the following websites can provide a useful information on the topic:
www.biometrics-today.com/index.html
Identifying changes
According to IDC, hardware authentication, especially biometrics, is undergoing a metamorphosis.
Research released by the analyst indicates that two major trends are emerging within the hardware and biometric authentication markets since the events of 11 September.
"Software platforms that support a heterogeneous mix of biometrics, tokens and smart cards promise to boost security, reduce cost and improve convenience," according to Chris Christiansen, programme vice president of IDC's internet infrastructure and security software services.
"Simultaneously, physical security and surveillance technologies are coalescing with both hardware and software authentication technologies. The events of 11 September only served to accelerate these market trends."
The need to determine individuals and the functions they are permitted to perform has become paramount. According to IDC, the use of biometric technology will reinforce, not replace, current authentication methods such as passwords.
IDC predicts that companies will adopt multiple authentication methods, including biometric hardware and software solutions, to ensure higher confidence in an individual's identity.
Biometrics and other hardware authentication technologies will also bridge the gap between physical and network access. The ability to ensure that only authorised individuals can enter a building, visit restricted departments and use networked resources will be critical to reducing security threats.
The worldwide biometric technology market reached $118.8m in 2000 and is set to continue to increase over the next five years at a compound annual growth rate of 50 per cent.
IDC believes that the market has changed focus with the movement towards providing software-only solutions for authentication needs, which signifies the market's desire for convenient installation solutions.
In many cases, authentication vendors are de-emphasising hardware, partnering with consumer products manufacturers and building technology-agnostic authentication software platforms.
CONTACTS:
Utimaco Safeware UK (01442) 230 030
www.utimaco.com
SchlumbergerSema (020) 7830 4444
www.slb.com
Steria (01753) 790 700
www.steria.com
Nuance (01483) 246 580
www.nuance.com
Daon (00 353) 1611 7660
www.daon.com