Identity crisis
While biometrics technology has always promised great benefits, recent developments show it still has much to prove
Biometrics is widely touted as the Holy Grail of security. But like the legendary cup, it promises much while remaining impossible to attain.
The idea of security based on the person is a popular, and its value cannot be discounted. However, its reliability, costs and usefulness to the private sector are a lot more questionable.
The idea of using aspects of someone's physiological make-up, from fingerprints to DNA, to assure identity is not new. In fact, it's so old that it can be traced back thousands of years to the time when the Egyptians built the pyramids.
From the early days of ink fingerprinting to today's high-tech iris scanners and DNA-based solutions, biometrics has always had a role to play in identifying the so-called 'bad guys'. Watch any number of modern-day thrillers or sci-fi movies and it won't be long before fingers and eyes are being chopped and popped for someone to bypass a biometric security system.
Historically, biometrics in the form of fingerprinting has been used by police forces to catalogue and identify criminals, while maintaining DNA databases have been the preserve of the medical and research communities.
More recently though, biometrics has been touted as the latest weapon in the so-called War Against Terror. Global terrorism has been good for the IT security sector overall, but it is proving to be the main reason for the boost in interest in biometrics. As a result, the public sector has gone potty over new biometrics initiatives to protect the nation's borders - not just from terrorists, but also unwanted asylum seekers.
From passports to ID cards, biometrics solutions are being scrutinised and tested across many government departments. No matter how excited the public sector gets though, what is the current state of biometrics in the private sector? And, more importantly, is there anything in this for the channel?
The market research figures put forward are hardly earth-shattering at the moment. Analyst IDC puts the market at $887m in 2005, with Frost & Sullivan claiming the market will rocket to just over $2bn by 2006. Not surprisingly, the International Biometrics Group is predicting growth of $4bn by the end of 2007.
The overall lack of agreement at how much cash biometrics might generate is not surprising, since the vast bulk of its current high profile is based on global fear of terrorism. This is hardly the most common, or reliable, foundation for a technology attempting to go mainstream. In reality, the future of biometrics is far less assured thanks to lack of demand and expense.
"The biometrics market is patchy, at best," says Clive Longbottom, service director at analyst Quocirca. "Companies have not yet got to terms with corporate security as it stands and for many, biometrics is seen as too advanced.
"Until businesses sort out the state of their existing data security set-up, biometrics will remain a solution for the few, not the many.
"That said, in the long run, biometrics is the only way forward. As long current 'challenge and response' security measures are used, people will write down whatever they need to remember somewhere. Even chip and PIN solutions are not the most secure."
Tony Larks, business development manager at security VAR Peapod, agrees that biometrics in the private sector has failed to take off.
"The reality is that organisations are struggling with two-factor security, never mind the third factor that biometrics represents," he says.
"We have specialised in security since 1991 and were actually a big proponent of biometrics back in the mid-1990s. We are no longer involved in the market because it failed to take any foothold back then and the market hasn't changed much since."
A more optimistic view of the sector comes from those promoting biometrics solutions. Until recently, Derek McDermott was managing director of UK biometrics software company ISL, which went into administration in October before being snapped up by BMS Biometrics for an undisclosed sum.
McDermott, who now runs his own security consultancy, Cornerstone IT Partnership, remains upbeat about biometrics, despite his former company having lost its venture capitalist backing.
"At the moment, there's lot of interest being generated thanks to announcements by the UK government for border controls and the knowledge that we can no longer go to the US without fingerprints and photographs," he says.
"The fact that the government is endorsing it has proved a boost and there is a greater acceptability from corporates, which are now putting pilots into place. As long as biometrics can prove a solid business case, its fortunes will improve."
Philippe Robin, R&D director with security and biometrics company Thales, admits terrorism has been good for business.
"Clearly, terrorism has boosted the demand for biometrics, with countries delaying previous projects to evaluate solutions. Just look at passports where certain countries have had to postpone introducing new passports in order to include some biometric technology in them," he says.
In the UK the government has gone a step further, linking the need for biometric passports with the need for national ID cards.
In the recent Queen's speech, the government's biometrics intentions were hammered home: passports and ID cards containing biometrics information, ranging from a fingerprint to a facial or iris scan, will start being rolled out in 2005 and 2007 respectively. It's expected to add up to about £3.1bn - and that's before considering problems.
The passport side of things has caused a few ripples, since the US is demanding that its 'allies' conform to the new biometrics approach to access control. But the ID card side of things has been lashed from all quarters.
Experts and analysts have been queueing up to warn, rubbish and point out the many problems of taking on something so huge, with such a tight timescale and using technologies that have not yet had any very large-scale roll-outs.
As of yet, no roll-out comes within a million miles of what will be needed to host the biometric data of 48 million passport holders and 60 million ID card carriers.
"The National ID Card project has all the hallmarks of technology looking for a purpose," says Graham Titterington, principal analyst and IT security expert at Ovum.
"There is a danger of it becoming implementation-led, and technology projects that are run in this bottom-up direction invariably fail. The more extensive the information is, the more complex the requirements will be to manage it, control access to it and to keep it accurate. The current set of objectives is unrealistic."
Longbottom says: "The government is not known for running IT projects well so it will go wrong."
Despite the warnings and red flags being waved, the government is intent on spending a lot of cash to make biometrics part of the national security set-up. Does this translate into business opportunities for VARs? Yes and no, but mainly no. The bottom line is that unless you are already operating in the public sector, forget it.
"If you are a reseller already in the government sector, there are a hell of a lot of opportunities in the biometrics sector," Longbottom claims.
"However, I would advise any reseller not already operating in the public sector to not bother attempting to swap over because trying to get into the government's catalogue [GCat] of approved IT partners is expensive."
McDermott adds: "The government and public sector are seeing the need for biometrics first, along with some banks and finance houses. Other than that, it's too early for distributors yet because the market is not there in big enough numbers.
"Biometrics vendors have to do most of the legwork themselves and pick their resellers carefully. Now they are only really looking for VARs that have been cleared by the government for work in the public sector."
Larks says: "We are not not seeing anything at our level. Business from the government on its various large projects has not filtered down to the channel yet. The biggest projects will go to the major system integrators and so many in the channel will not see very much business."
On its own, biometrics is a difficult sell, unless your client is a bank with lots to spend on bleeding-edge technology. Since those clients are restricted to a chosen few, the best way to include biometrics in your portfolio is as a security option alongside your main security offerings.
For the most part, security is a higher priority for most businesses than it used to be, but the solutions they want have to be proven. For all their technical wizardry, biometrics solutions might work very well, but there are not enough major companies praising them from the rooftops.
"You really are looking at a market only for the security specialist, because for everyone else the cost of sale is too high," Longbottom says.
"Even then, security resellers would be best off wrapping up biometrics with another, overall security solution. There is no market for going in and selling 10,000 seats of a biometrics-enabled notebooks for instance, but a small proportion of those users might need it. Here, the bigger solution pays for it.
"Also, to be able to say that you can do biometrics is part of the value proposition."
This is where the hardware vendors come in. If biometrics is not the easiest thing to sell to businesses, then don't sell it. Instead, sell them something with biometrics already built in.
A small but growing number of notebook, hand-held and peripheral device manufacturers are now building fingerprint scanners into their offerings. IBM has one in a ThinkPad notebook while Samsung has been at it for a few years, offering fingerprint scanners across its high-end and business notebook ranges.
Hewlett-Packard has built one into its iPAQ hand-held, while Microsoft recently unveiled a keyboard and mouse with scanners built in. Others are doing the same thing. Biometrics might not be setting the business world alight by itself, but others see it as a way of differentiating - something that is getting harder to do in the PC sector.
"We have six notebook models with fingerprint security," says Peter Lunn, marketing manager at Samsung's PC division. "From a technology perspective there have been big advances in the quality of biometrics scanners. The fingerprint sensors are virtually impossible to fool."
McDermott says: "Microsoft has now entered the game with a biometrics-enabled keyboard and mouse. It is just testing the market now for user acceptability, but it knows that once users accept the technology they will not go back to passwords. Biometrics support is also going to be embedded into the next version of Windows.
"Once Microsoft decides users will buy it, it will move quickly."
Biometrics vendors have a way to go to convince everyone that their technology is up to the job of identifying an entire nation on a regular basis. The public sector might be leading the way, but the private sector has yet to be convinced by the hype.
The more lucrative opportunities exist for specialist security VARs - with public-sector clearance - but the rest of the reseller community may have to settle for flogging biometrics via the backdoor on the back of other technologies.
CONTACTS
Cornerstone IT Partnership (01562) 883 065
Ovum (020) 7551 9000
www.ovum.com
Peapod (020) 8606 7171
www.peapod.co.uk
Quocirca (01753) 754 838
www.quocirca.com
Samsung (01932) 455 000
www.samsung.co.uk
Thales (01932) 824 800
www.thalesgroup.co.uk