BRIDGING THE GAP

Sep 1, 2002 12:00 PM

This fall, a U.S. Navy base in Guam is expected to start testing a biometric smart card system from Cansec Systems Ltd., Mississauga, Ont., which allows military staffers to use a single card for both PC and building access. Several other vendors are now working on systems with dual functionality, including HID, Maxell and Giesecke & Devrient.

Biometric systems use algorithmic technologies to help identify people through fingerprint, hand geometry, facial, or iris recognition. Most biometric identifiers are meant to provide a second or third level of verification for added security.

Unlike a smart card, something you have, or a PIN or password, something you know, biometric information is something you are.

Although biometrics have been around for at least three decades, adoption rates have varied widely among industries. The University of Georgia, for instance, started using Recognition Systems' hand geometry technology as early as the 1970s.

“The University of Georgia was very innovative. If you have 3,000 or 4,000 [students] living in a dorm, it can be problematic to security officers when residents lose their keys. Dining hall access can also be an issue. If a student wants to bring a friend to dinner, the friend has to pay. Sometimes other students will let people from off-campus use their cards,” says Steve Elliott, an assistant professor at Purdue University.

With the current thrust toward anti-terrorism, airports and government facilities are also turning to biometrics to beef up physical access control.

At Schiphol Airport in the Netherlands, for example, citizens of European economic area countries can join a voluntary iris-scanning program. Aside from improving security, the system helps keep travelers from standing in long immigration lines, says Inna Steinmetz-Ratieva, vice president of Schiphol North American Holding, New York. Developed by Joh, a Netherlands-based security provider, the airport system uses Iridian's biometric technology and cameras from Panasonic.

Also this fall, Canada is expected to deploy iris scanning for border crossings at airports. Iridian's technology is already being used at Heathrow Airport in London, as well as along the Swiss/Italian border. “Furthermore, Singapore is doing a border crossing test using multiple lanes of motorocyclists,” says Iridian CEO and president Bill Voltmer.

In the banking industry, on the other hand, the most noteworthy implementations thus far involve internal access to computer systems, says Christine Barry, an analyst with Celent Communications, New York. “Almost all major financial institutions are now at least piloting some type of biometric technology for internal use,” Barry says. “Many of the implementations, however, have remained confidential.”

Some banks however, are forthcoming about biometric deployment. California Commerce Bank, Barry says, “improved employee productivity” by replacing multiple passwords with finger scanning technology for network access.

Indonesia's Bank of Central Asia is using 3,000 finger-scanning units from Identix Inc. to secure high-value electronic fund transfer. Bank tellers and managers enrolled in the system are assigned specific levels of approval for funds transfers. The Indonesian bank recently placed a $400,000 order for an additional 500 finger scanning units.

Enforcement of regulations by organizations such as HIPAA are predicted to act as another driver. In the health care industry however, biometric smart cards aren't really happening yet, according to Gregory Francis, president and CEO of consulting firm Korchek Technologies, Trumbull, Conn.

Environmental factors seem to play a part. “Nurses and doctors often get substances like blood and grease on their hands. So I think it could be tough for fingerprint recognition to work in a health care setting,” says Dr. Steven M. Erde, director, Office of Academic Computing at Cornell University.

Says Francis: “There are a lot of areas in health care, though, where fingerprint recognition could work, such as clinical processing.”

Security managers also cite concerns over costs, user resistance, accuracy, standardization and lost cards.

Although the cost of iris-scanning cameras and access card readers has dropped, high “hidden costs” for systems integration and user training are often present, says Gillian Glaser, a senior analyst at the International Biometrics Group, a biometrics consulting and product testing firm based in New York.

Glaser suggests accuracy and costs are intertwined. Iris scanning, the most accurate biometric technology, tends to be pricier than approaches such as fingerprint and hand geometry, he says.

User resistance also can become an issue. Some end-users oppose fingerprinting, associating it with “the criminal element,” Glaser says. Users can also “feel invaded” by the cameras needed in iris scanning. Some people find biometric registration, or “enrollment,” a tedious process.

“We haven't had any problems with user resistance, that I know of,” says Steinmetz-Ratieva. “But then again, the airport smart card system is voluntary.”

When it comes to accuracy, a big concern is “false rejects,” Voltmer says. “The system doesn't recognize you, because maybe you've tilted your head the wrong way.” Voltmer pinpoints Iridian's false rejection rate at somewhere between two percent and 10 percent.

Not long ago, Japanese cryptographer Tsutomo Matsumoto tried to poke holes in the accuracy of fingerprint recognition by making gelatin molds from live fingers. Matusmoto claims that his “gummy fingers” are able to fool commercial fingerprint readers about 80 percent of the time.

Yet biometric companies keep developing countermeasures to thwart potential spoofers, Voltmer says. “We enjoy staying ahead of people who like to try to break things.”

“[Gummy fingers] have not been an issue for our customers whatsoever,” says Dr. Joseph Atick, president and CEO of Identix. At the CardTech/SecurTech trade show in April, Giesecke & Devrient demonstrated the use of its smart cards with fingerprint reading technology from Identix.

The risk of losing cards should be considered. “In hospital settings, I can easily foresee smart cards ending up in users' shirt pockets, and then going through the washing machine,” Korchek says.

“Card loss is always a hassle,” Voltmer adds. “With iris-scanning, though, it isn't a dangerous thing. After a card is lost, we have a way of transforming the code on the system to make it incompatible with the old card. There's enough data in the iris to let us do that.”

Although biometric data can also be kept on the main system, storage on the smart card gives the advantage of portability across multiple physical facilities and/or computer systems.

On the standardization side, the industry is making gradual improvements, experts say. Although some companies are now complying with ISO smart card standards, uniform biometric standards seem to be farther away.

Last year, Microsoft licensed one of the biometric standards, known as BAPI. Nobody can tell for sure when or if BAPI will appear in Microsoft's software, a reality that might eventually bump the competing BioAPI standard out of the running. “But we expect BAPI to be fully-included in the next version of Windows — after XP — probably in 2004,” says Rolf Boegli, director of marketing for I/O Software.

Other standards can come into play as well. HID, for example, will offer the DES and Triple-DES standards for data encryption. For RF wireless encryption however, the company is using proprietary technology instead of the much-criticized WEP protocol. HID's smart cards integrate fingerprint recognition from Bioscrypt.

Vendors face special issues in creating smart cards that will work across both access card readers and PCs. To operate with conventional card readers, smart cards must support Wiegand data. Cansec already offers a card reader for this description. This fall, the Canadian-based access control vendor will roll out a complementary device reader for PCs, outfitted with USB, or serial port interfaces. Cansec's partner in the biometric arena is fingerprint recognition specialist SecuGen Corp.

Likewise, HID will offer separate devices for physical access and PCs, according to sources. The company's biometric smart token will be available in several different forms, such as card, key and tag. Depending on their needs, customers will be able to add technologies, such as Wiegand, proximity, magnetic stripe, barcode and photo ID.

Maxell, on the other hand, is taking another approach. Maxell's smart card reader/writer can be used interchangeably for either physical or PC access, according to Elena Svab, marketing manager. “We can't use Wiegand data, though, because our system is proprietary,” Svab says.

Maxell's system will start to support biometric IDs in the middle of next year, when the company will bring out new cards offering 1K, 2K and 4K of memory. “Right now, we can't use biometric data, since our cards can only hold 108 bytes,” she says.

By and large, manufacturers plan to provide the new technology as contactless smart cards. “Contactless cards are the wave of the future. You don't get the wear on both the reader and the card that you get with mechanical readers. Also, orientation isn't a problem the way it is with mag cards, for instance. The card doesn't need to be ‘right side up,” says Cansec president Fred Dawber.

In the past, contactless technology was either too slow or too insecure to be used with biometrics. HID's iClass, however, has the security and data transfer rate to meet and exceed the expectations of most biometric integrators.

Despite barriers, many are convinced that biometric smart cards will bring significant benefits to security managers and end-users alike.

What's holding biometrics back on the mass market?

Here are three primary challenges holding back mass market adoption of biometrics for user authentication, as listed by Matthew Martin, vice president of security engineering at J.P. Morgan-Chase and Jonathan Gossels, president of SystemExperts Corp.

• The output of the biometric readers must become standardized so companies can buy any brand of reader and not be locked into a single source situation. The obvious endpoint on this path is that simple readers will be built into every keyboard, mouse or laptop.

• Biometric technology must be integrated with mainstream authentication systems. This would allow a single biometric authentication process to be used to log users directly into a full suite of applications and resources. Today, a two step process is usually needed. The biometrics technology is used to authenticate a user to a credential bank. Then, custom software performs the logins to the underlying applications and systems such as NT or Novell.

• The third challenge is enhancing the biometric software to offer necessary administrative services. For example, many of today's systems store the biometric information on the user's hard disk. What is needed is a way to store that data centrally and securely so it can be properly backed up and managed.

For the record

About the author

Jacqueline Emigh is a 12-year veteran of technology journalism and a freelance writer for iSecurity.

About the companies

Visit infoLink at www.securitysolutions.com for more information on companies featured in this article, or circle the card number.
Bioscrypt — 15
Cansec Systems Ltd. — 16
Giesecke&Devrient — 17
HID Corp. — 18
I/O Software — 19
Identix — 20
International Biometrics Group — 21
Iridian — 22
Joh — 23
Maxell — 24
Panasonic — 25
Recognition Systems — 26
SecuGen Corp. — 27

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue