Biometrics Baffler

Jan 1, 2007 12:00 PM, By MICHAEL FICKES

Sales of biometric technologies are growing by 200 percent per year, according to Walter Hamilton, vice president of Kirkland, Wash.-based Saflink Corp., and chair of the International Biometric Industry Association in Washington, D.C. “But the category hasn't reached critical mass yet. In the commercial markets, research suggests that only 5 percent of companies have installed biometrics.”

Just 5 percent? It is difficult to understand why the commercial market for biometric security systems remains small. According to research conducted by London-based consulting firm Deloitte and Touche, 68 percent of companies consider the corporate use of biometrics to be a justified security measure. Fifty-five percent of firms are currently considering either iris or fingerprint biometric systems. So businesses like biometric technology but don't use it. Why?

No fewer than five concerns seem to have held back the widespread commercial adoption of biometric security systems:

• Businesses like biometrics, but they are not sure the systems will work. “The chief technology officer of the corporation gets fired if he or she implements systems that don't work. CTOs need proof of performance,” says Conor White, chief technology officer of Daon Inc.,a Reston, Va.-based middleware vendor that helps integrate biometric devices with the algorithms that compare and identify biometric templates.

• Interoperability of various makes of biometric systems is an unknown, according to a 2005 “Biometric Market and Industry Overview,” published by the New York City-based International Biometric Group (IBG), a research and consulting firm.

• Vendors attack competitor's products so viciously that prospective customers are not sure anything works.

• Businesses want to see proof of the return on investment provided by biometric technologies.

• Businesses do not want to anger employees by installing security technologies that create privacy issues.

The biometric industry is currently addressing each of these concerns.

Proving performance

White says that CIOs require biometric technology with open standards that enable the deployment of technology with a known and measurable baseline. “Lack of standards has been a barrier to biometric adoption,” he says. “But standards are emerging today. In the areas of finger image, pattern and minutiae, national and international standards are now available.”

Images (or photographs), minutiae templates and pattern templates are the three varieties of fingerprints in use today. The American National Standards Institute (ANSI) now has standards for each. ANSI 377 covers pattern templates, while ANSI 378 deals with minutiae templates. Finally, ANSI 381 dictates the standards for fingerprint images.

A single International Standards Organization (ISO) covers the varieties of fingerprints as well as iris and face biometrics.

“These open standards provide CIOs with certainty that biometric sensors and readers can plug and play with existing access control systems,” White says. “Of course, companies will implement these standards with slight differences. One vendor might focus on one point in a fingerprint image, while another vendor will choose another point. Some vendors will have stronger algorithms than others. But all of those that fit within these standards will provide commercial users with a level of predictability that has not been available before now.”

Interoperating

Open standards also promote interoperability, say industry observers.

Interoperability refers to the ability of a reader manufactured by one firm to read a fingerprint as well as the reader from another firm, says Matthew Bogart, director of corporate development with Bioscrypt Inc., a Toronto-based biometric company that focuses on fingerprinting systems.

“In a Bioscrypt system, a person enrolls by creating a template or a digital representation of a fingerprint in a Bioscrypt reader,” Bogart says. “That template will work with Bioscrypt readers. But up until now it would not interoperate. You couldn't match that template against templates created by other companies' readers.”

This problem is being resolved, continues Bogart, by ANSI standards 377 and 378 that aim to make fingerprint templates created by biometric sensors interoperable.

Ensuring true interoperability, however, requires going beyond the ANSI standards.

A standard developed by the U.S. government has gone beyond ANSI. Called the Federal Information Processing Standard 201 (FIPS 201), this standard was developed in response to Homeland Security Presidential Directive 12 (HSPD-12), which calls for development of a government-wide access control system that uses interoperable smart cards embedded with biometric identifiers.

By the end of 2006, all agencies of the U.S. government were required to have installed a means to issue FIPS 201-compliant smart cards to employees. By the end of 2007, all agencies must complete the implementation of their systems.

When the ANSI standards were developed — with an eye toward FIPS 201 compliance — the government feared that companies would be able to meet the standards without actually building systems capable of interoperating. Bogart says that the government told the National Institute of Standards and Technology (NIST) to create a test that would verify that vendors claiming to comply with ANSI standards 377 and 378 produced biometric equipment that actually could interoperate.

“The NIST test found that of 14 vendors with standards based technology, only six could interoperate with each other,” Bogart says. “Today, if all of your company's offices buy technology from the FIPS 201 list of approved vendors managed by NIST, then biometric access control systems at multiple corporate offices can interoperate using equipment from different vendors.”

In other words, employees will be able to travel from their Denver office to their Boston office and sign in using a biometric authentication system. Even if the systems use hardware from different vendors, they will interoperate.

A public-private partnership has already begun to implement FIPS 201 concepts in the commercial world. Called Registered Traveler (RT), it is marketed by private entities to air travelers as a way to avoid long security lines at airports. The private company attracts air travelers who agree to submit to a background check conducted by the Transportation Security Administration (TSA). If the traveler is approved, his or her name and personal data are entered into a federated database available to all registered traveler companies. To date, about a half dozen of these firms have formed.

Each company issues smart cards with fingerprint and iris biometric data to its registered travelers. Each company sets up kiosks in airports where it works. All readers in the system will interoperate or understand the biometric data on all of the cards in the system, no matter which company issued the cards or installed the equipment.

The Registered Traveler companies have created their own interoperability standards, some of which have sprung from FIPS 201 standards. Daon's White chaired the Registered Traveler Interoperability Consortium, which was formed by five airports in 2005. Since then, 70 more airports have joined. “We hashed out standards with all the vendors, while leveraging as much as we could of FIPS 201 standards,” White says. “Certain Registered Traveler business procedures made it impractical to use FIPS 201 to the full extent.”

For example, FIPS 201 cards require the user to have a personal identification number or PIN. The Registered Traveler Consortium decided that people using their cards every day would have no trouble remembering PINs. On the other hand, Registered Travelers who might stay home for a month a couple times a year would forget PINs — or worse, write the PIN on the card.

“So we designed the system without a PIN,” White says. “We also included iris as a biometric in our system because travelers carrying lots of bags and packages might not have a free hand or finger. Looking into an iris camera is easier.

“Overall, the Registered Traveler program is groundbreaking. It is the first interoperable fingerprint and iris program that I'm aware of,” he adds.

Spiking the punch

In recent years, biometric suppliers regularly critiqued each other's systems harshly. In some cases they still do, say industry observers. “I think the way biometric vendors have talked about each other spikes the punch and scares the corporate market away from capable technology,” says Tom Brigham, a principal with Brigham Scully, a Woodland Hills, Calif., public relations firm that has developed a specialty in the biometric area. “Everyone is marketing their technology so hard, it is preventing the overall category from penetrating the market.”

Some industry players agree with this analysis. “There is a level of one ups-man-ship in the industry,” says a spokesperson for one manufacturer, who asked to remain anonymous. “Often in the process of one-upping others, companies will make it difficult to market to end-users.”

By creating a huge federal market requiring plug-and-play, interoperable technology that hews to specific standards, FIPS 201 has already begun to change the nature of marketing carried out by industry competitors. Instead of promoting the superiority of their technology at the expense of others, they are beginning to promote the fact that their technology will interoperate with other technologies.

Those who do indeed produce interoperable technology will get on the government's list of approved technologies. They will prosper, grow and likely begin to attract commercial business.

Proving return on investment

Proving the return on investment of biometric security systems has itself proven difficult to do, according to consultants at IBG. The installed biometric base remains so small that reliable studies do not exist. In the UK, Deloitte consultants are more optimistic and say that their own research shows that firms can expect systems to pay for themselves within a year of installation. After the payback, savings will create an attractive return on investment.

Still, proof remains hard to come by.

Privacy policies and procedures

Biometric technologies sometimes raise questions about privacy, and no corporation wants to be attacked for compromising the privacy of its employees or customers.

One objection points to the potential for abuse that exists when an organization collects fingerprints or other methods of identifying people into a large database. FIPS 201 gives government employees no choice about the matter: Either their biometric identifiers go into the government's database, or they are not eligible to work for the government.

On the other hand, procedures have been developed for private industry to help satisfy this privacy concern. Instead of consolidating biometric data into a company-wide database, companies can embed the biometric on the card and then match the card's biometric against the individual's actual biometric at the point of entry.

As satisfactory as that procedure has proven to many users, privacy advocates continue to lobby against the use of biometrics or at least for legal standards that set severe penalties for abuses.

Convenience vs. necessity

Biometric access control offers the ultimate in convenience to users, especially those with relatively low security needs. For companies that simply need to lock their doors, a biometric access control system will work as advertised, interoperate with other company locations (as long as the vendors meet appropriate ANSI standards), and provide a return on investment — no expenses for cards or replacement cards, lost keys or replaced locks.

For companies with higher security needs, however, the barriers to adoption require more complex solutions. Will this biometric system, for example, interoperate with an access control system that assigns permissions and zones to particular employees? Chances are, the two will interoperate, but it must be proven first. Proof is also necessary when it comes to claims about return on investment and about satisfying privacy issues.

The Biometric Market Today

The International Biometric Group (IBG), a New York City-based research and consulting firm, forecasts that the worldwide market for physical and logical biometric security systems will reach $3 billion during 2007, up from the low $2 billions last year and $1.5 billion in 2005. IBG estimates that the commercial share of the 2007 market will total about $1 billion.

The Global Market: The North American market is the largest market for biometrics, controlling 33.5 percent of the pie, continues IBG. Asia and Pacific Rim countries are the second largest market segment, with 23.8 percent. Then comes Europe with 16.5 percent; the Middle East and India with 11 percent; South and Central America with 9.1 percent; and Africa with 6.1 percent.

Industry Breakdown: The largest commercial user of biometrics is the transportation industry, including airports, which purchases 7 percent of the biometric systems sold today. The high technology and telecommunications markets rank second with 5.7 percent of the market. Third place goes to retail with 4.4 percent. Industrial manufacturing, financial services, and health care buy about 3 percent of the biometric systems. The gaming and hospitality industries buy 2 percent. The category of “other” takes up nearly 4 percent of the market and brings the total commercial biometrics sector up to 33.3 percent of the entire market.

Biometric Functions: In 2006, the IBG market study found that law enforcement uses including civil and criminal identification make up 60 percent of the biometric market. Access control and attendance accounts for the second largest biometric applications — 16.8 percent of the market. Logical access comes next with 16.5 percent of the market. Consumer identification accounts for just 3.9 percent of the market. Last place is held by the surveillance category and totals a mere 2.8 percent.

Technologies: More than half a dozen technologies perform biometric functions today. Of those, fingerprint is the overwhelming leader, with more than 43 percent of the existing market. Face recognition technology receives the call 19 percent of the time. Hand geometry, iris, voice, multiple-biometric and signature each control less than 10 percent of the market.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue