Beyond Biometrics: New Strategies for Security
Biometrics technology, despite its sluggish acceptance, might be on the verge of newfound popularity. Consumer fears of online identity theft and Internet merchants' demands for customer verification are starting to create a comfort zone for security devices that link access permissions to things like retinal scans and palm measurements.
Biometric security devices -- which authenticate a person's identity on the basis of physical characteristics, such as a fingerprint -- have been available in one form or another for 30 years. But biometrics technology for computer security and user authentication might never achieve widespread use, analysts told TechNewsWorld, because of the predominant perception that it is costly, inconvenient and intrusive.
Older authentication techniques -- such as keystroke pattern recognition -- could easily be replaced by a combination of new biometrics technologies, such as voice-recognition software, signature-verification systems and iris scanners.
But these newer technologies have not been well accepted because the security industry has not defused misconceptions about the need for and reliability of biometric security, said Jeffrey Z. Johnson, vice president at consulting firm AMS.
According to Roy Want, principal engineer at Intel Research, the biggest problem with biometric devices is the inconvenience factor. "Biometric security needs to be transparent," he told TechNewsWorld. "It isn't yet."
Want believes security companies have done a good job so far with the reliability of biometric devices. "Still, there needs to be another step," he said. "That's what we've all been waiting for."
However, not all analysts agree that biometrics technology is well poised for mainstream adoption.
"The industry is doing a lousy job selling the biometrics concept and creating partnerships," complained AMS's Johnson. "[Popularizing biometrics] has to become part of the culture."
Despite what many corporate and home users believe, biometrics technology is not unproven. "In many ways it is as mature as it can get; in time we might see some innovations in using current technology," said Johnson. "Today's biometric devices aren't perfect. But they are much better [than they used to be]."
Consumer fear about compromised privacy has been responsible for biometrics' lackluster acceptance, noted Albert Decker, executive director for security and privacy sources at EDS.
"It is difficult to overcome user attitudes," he said, alluding to general concern in the computing population about having identifiable personal data -- like fingerprint records or voice patterns -- stored in a potentially unsecure database online.
However, Decker pointed out, there are several signs that consumer acceptance of biometrics is starting to change. Ten years ago, users complained about having to keep track of multiple passwords for different Web sites. Now consumers see that some inconvenience is needed to protect their identities.
"Consumers are now worried about e-mail frauds that discover their passwords and then spoof their identities for malicious purposes," said Decker.
Industry Focus Changing
Another sign that things are changing for biometrics is that concerns about security violations seem to be shifting from the corporate world -- where security traditionally has been an important issue -- to the individual user level. "This [shift] will drive acceptance for biometrics onto the consumer level," said Decker.
Another factor that will push acceptance for biometrics is the growth of e-commerce. Concern about blocking unauthorized corporate network access seems to be taking a back seat to concerns about the security of online transactions.
"It's all about identity authentication," said AMS's Johnson. "What's going to drive the industry is all the online auctions and sales Web sites." He said he believes biometrics eventually will play an important role in online commerce. For example, Web sites that now require visitors to have registered passwords could end up requiring some sort of biometric device for trust verification.
Because of the issues associated with adoption of biometrics, security companies are working on ways to tap into the strengths of biometric authentication strategies while sidestepping the concerns associated with compromised privacy and reduced convenience.
For example, Intel is working on a new concept that could take consumers beyond the current uses of biometric security management. A new security process, called photographic authentication, relies on a user's ability to recognize personal photographs from a set of randomly displayed images. If the user correctly identifies the personal images, he or she is granted access.
This new technology won't be directly applicable to desktop computing as we now know it, and photographic authentication is not a variation on existing facial scanning software or image recognition technologies. "It is a means of protecting your identification from being stolen for use with someone else's wireless device," said Intel's Want. "It isn't focusing so much on biometrics as we know it today."
The photographic authentication system Intel is working on will rely on the user's cognitive recognition rather than identification of one of his or her key biological elements. Want said he thinks the strategy will be ready for commercial use in three to five years. Depending on which marketing and partnering decisions Intel makes, some form of photographic authentication could even be used with mobile phones.
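The photographic authentication idea described above can be sketched as a challenge-response exchange. The Python below is an added example, not Intel's code: the round structure (one personal photo among decoys on each screen), the counts of 10 screens and 4 images, and all function and photo names are assumptions made for illustration.

```python
import random
from fractions import Fraction

def build_challenge(personal, decoys, rounds, grid, rng):
    """Return `rounds` screens, each with one personal photo among decoys."""
    if rounds > len(personal) or rounds * (grid - 1) > len(decoys):
        raise ValueError("not enough photos to avoid reuse within one login")
    own = rng.sample(personal, rounds)                # no personal photo shown twice
    others = rng.sample(decoys, rounds * (grid - 1))  # no decoy shown twice
    screens = []
    for i, photo in enumerate(own):
        shown = others[i * (grid - 1):(i + 1) * (grid - 1)] + [photo]
        rng.shuffle(shown)                            # randomize the photo's position
        screens.append((shown, shown.index(photo)))   # answer index stays server-side
    return screens

def verify(screens, picks):
    """Check every screen and report only pass/fail, never which screen was wrong."""
    if len(picks) != len(screens):
        return False
    wrong = sum(pick != answer for (_, answer), pick in zip(screens, picks))
    return wrong == 0

def guess_probability(rounds, grid):
    """Chance that blind guessing passes every screen of one login attempt."""
    return Fraction(1, grid) ** rounds

if __name__ == "__main__":
    # Constructed sample data: photo identifiers stand in for image files.
    personal = [f"own-{i}" for i in range(12)]
    decoys = [f"decoy-{i}" for i in range(40)]
    screens = build_challenge(personal, decoys, 10, 4, random.SystemRandom())
    answers = [answer for _, answer in screens]       # what the real user would pick
    print("owner accepted:", verify(screens, answers))
    print("blind guess succeeds with probability", guess_probability(10, 4))
```

The probability covers blind guessing only, so a deployment would still cap failed attempts per account.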
For biometrics technology to make significant headway into the mainstream computing industry, the industry must be very successful at broadcasting the message that a user's biological data will not be used for any other purpose but secure access, warns Decker.
Decker sees iris-scanning devices as the most promising technology, because users need not touch any scanners to be verified. "From a technological standpoint," he said, "these devices are getting much more refined and sophisticated."
In his view, the next big step forward will be something nonintrusive, like palm measurement. The user would touch a hand-print scanner and receive a passing score if the minute measurements of finger length and palm dimensions matched the stored information in the database.
As to what lies beyond biometrics, that will depend to a large degree on what users will adopt, James Hurley, Aberdeen Group vice president for security, told TechNewsWorld. "There are always better things on the drawing board. Most of those products now won't make it because they focus on technology and not usability issues," he said.