Biometrics – Tamper proof?

Since the mid-to-late 1980s, experts have heralded biometric technology, which is used to identify people using fingerprints, voice recognition and other personal characteristics, as an optimal solution to combat security breaches. And for good reason: The technology is convenient, easy-to-use and offers a more accurate authentication process than traditional systems. As a result, biometric technology is being used with greater frequency across a multitude of public and private sector environments to prohibit unauthorized access to data, buildings, maritime ports and other highly sensitive areas. Even the American public, which typically lags behind other regions of the world when adopting new technologies, is getting on board. In August 2007, the bi-annual Unisys Security Index, which surveys approximately 13,000 people from 14 different countries on consumer sentiment surrounding security issues, found that three-fourths of U.S. consumers say they would support the deployment of new technologies such as biometrics to provide better security of physical and logical assets. Despite a willingness from consumers to adopt biometric technology, however, challenges abound for the deployment of biometric systems across various security scenarios. Many organizations, even those at the forefront of biometric use, are not communicating proper usage and key benefits of biometrics to the constituents they are trying to protect. For consumers who choose not to use biometrics, the top reason is suspicion about how these technologies work. Uncertainty about biometrics can be overcome when enrollment procedures are easy to understand, identity verification is convenient and proper training is provided at the onset of the program. In the broader context, it is imperative to have a privacy policy foundation and notice of usage and controls, limits on sharing information and educational information for participating individuals. Only through adoption of an approach that tackles privacy issues head on, can organizations expect to build the necessary level of trust. Storing the biometrics enrollment data on an encrypted smart card provides a high degree of protection of private personal information because of electronic features for tamper protection and tamper detection. Biometrics are not secrets; they are properties of our bodies that we expose throughout the day. Fingerprints can be found anywhere from water glasses to car doors, faces are obviously visible, and voices get recorded. Today it is even possible to capture iris images unobtrusively at a distance of 10 feet while the subject is moving at a walking pace. Because of this exposure, it is not impossible for someone to lift, copy and ‘spoof’ the biometric data for malicious purposes. Fingerprints, for example, have been spoofed before with fake fingers made of gelatine (one famous case involves Gummy bears) and facial recognition systems have been tricked with photos and videos. ‘Liveness tests’ are key to ensuring that the biometric samples being presented are actual measurements from an authorized live person who is present at the time of data capture. Some scanners, for example, have additional capabilities to verify that the finger is alive, rather than a mold or dismembered digit. Another way to ensure that a system cannot be spoofed is to vary the verification scenario (e.g., utilize different biometric data such as requiring a different fingerprint and/or respond with a different spoken pass phrase) each time a person’s identity needs to be verified and authenticated by the same system. The demand for increased security is omnipresent. Consumers want more of it, government is demanding it and business has a responsibility to its stakeholders to protect its assets. But public and private enterprises must take consumer concerns seriously and find ways to address the challenges. Mark Cohn is vice president, integrated security programs, for Unisys. He can be reached at mark.cohn@unisys.com.