By Jack M. Germain TechNewsWorld
05/27/09 4:00 AM PT
In some instances, biometric security technology can be preferable to a traditional username/password system. However, biometrics is not synonymous with perfect security. For instance, trying to get a machine to recognize voices and faces without being fooled is tricky. Still, vendors are sharpening their techniques to make sure that the body part being scanned really is yours -- and that it's still attached.
When biometric security devices began appearing nearly a decade ago,
they were often touted as the final word in security technology. After
all, stealing your password is one thing -- stealing a thumb, a retina
or a voice print is a bit more of a chore.
Hackers, however, developed techniques to fool biometrics scanners, much like they've found ways around spam filters and firewalls. Biometric device
vendors, in turn, learned how to improve early scanners and
algorithms to develop more ironclad security products.
Still, a degree of hype surrounds the reliability of biometrics to keep the bad
guys out of your computer or physical entranceway, and early-generation device failures continue to hold potential users at bay.
"A few years ago, many people viewed biometrics as a silver bullet for
security. So far, the technology is not living up to that expectation.
Biometrics is not good enough yet. It needs the right balance between
rejecting legitimate users and allowing unauthorized ones to log on,"
Amit Klein, CTO and chief researcher for browser security vendor
Trusteer, told TechNewsWorld.
Changing Reputation
One way in which biometric security technology can improve is in the ability to detect a user's stress level. Ideally, a vendor should create a system in which it's impossible for the bad guys to force users to cooperate or alter the
biometric data to gain access, according to Klein.
Pessimistic assessments aside, some developers have indeed made inroads in getting more reliability from their devices. Old misconceptions about what biometrics can and cannot do are giving way to better realities.
"I hear much more discussion of biometric devices and the recognition
that the spoofing prevalent years ago is no longer valid. Still, the
technology is never 100 percent secure. But today's solutions are
fixing what was wrong with early generations of biometrics," Brian
Contos, chief security strategist for data security vendor Imperva,
told TechNewsWorld.
The security industry is seeing a convergence of physical and virtual
devices. Biometric access is becoming integrated with access to
databases, computer applications, computer networks and physical
locations. The process is more reliable, but the technology still has
a ways to go, he conceded.
"Overall, people see biometrics as more reliable," said Contos. "The
industry is still very much a cat and mouse game."
Getting More Sophisticated
Typically, biometric security devices play gatekeepers by checking
physical traits and recognizing approved users. In recent years, much research has been focused on improving established technologies rather than creating entirely new ones.
Take, for example, the fingerprint reader.
Some computer makers such as Lenovo built fingerprint readers into
their laptops to authenticate users. Other device makers provide
fingerprint readers in keyboards. Of course, those devices are only as
good as the owner's ability to keep the keyboard tethered to the box.
Fujitsu has made a niche out of its proprietary palm print readers and
mice with embedded palm print readers. Other device makers offer
fingerprint readers that connect to a computer via USB connection. In
all cases, the user must already be established in an encrypted
database that matches the scan results.
Less Popular Modes
Biometric expertise has not developed as rapidly for other physical characteristics, such as voice, iris and facial recognition technology. Even as
microphones and digital cameras become standard equipment on notebooks
and netbooks, voice or facial recognition devices are few and far
between.
That type of recognition is much more subject to harsh image and
noise variations in the surrounding environment. For example, a legitimate user may be denied access if he or she tries to use a voiceprint security gateway in a noisy room. Similarly, a facial recognition program could conceivably register a false negative if the user got a haircut and shaved his beard -- or a false positive if an unauthorized user simply bears an extremely strong resemblance to a legitimate one. These limitations may be holding these branches of biometrics back -- biometric devices need to identify the right user, not just a user
that appears to be right.
"We will still see new technology, but by comparison, these will be
very few," David Ting, CTO of security firm Imprivata, told
TechNewsWorld.
Two Flavors
Biometrics is developing along two related lines: physical, which is often
more intrusive for the user, and behavioral, which is usually less intrusive. Fingerprint
readers are an example of a physical approach. The type of multi-layer
responses to personal questions beyond the initial password prompt
that users encounter when doing online banking transactions represent
the behavioral approach. Similarly, biometric products built into
security systems can capture the typing cadence of approved users, reading not just what they typed, but how they typed it.
Either way, the quality delivered by today's biometric security
strategies is generally much more reliable than earlier versions. Organizations
that require more stringent access control would be best served by combining biometric,
password and other layers of security.
"Considering the different options, such as facial imaging, retina
scanning, fingerprint scanning and voice recognition, authentication
failures are still in the 3 to 7 percent range, depending on
the type of environment," said Ting.
More Sensible Sensors
Vendors are naturally working to refine the technologies. The standardization of sensing hardware, for example, has contributed significantly to growing the adoption rate of biometrics. Much of that credit goes to sensor-makers AuthenTec and Upek, said Ting. They deploy as many as 15 million sensors per year.
"They are the dominant form factor manufacturers today. They lead the
field based on the sheer numbers of the installed bases of their
products. The gross combined revenues of both companies is US$150
million per year," he said.
Fujitsu is one vendor currently attempting to grow popular biometrics technologies into new devices. Last year the company rolled out an early version of a palm reader device, and it's now upgrading the system's software.
"Fujitsu's palm reader relies on the data-rich vein field pattern of
the palm. It also works relatively well on the back of the hand and
the upper arm," Jerry Byrnes, manager of biometrics and strategy
planning for Fujitsu, told TechNewsWorld.
Vein patterns are very complex. The more the complexity, the better
the security, he said.
Fujitsu's designers took into consideration some of the more gruesome scenarios an infiltrator might consider to try and beat the system. The palm reader detects the presence of live blood, which
negates the abilities of bad guys using a victim's dismembered
appendage to trick the database, Byrnes explained.
Spoofs and Gore
Biometric measurements have always been vulnerable to clever spoofing
schemes. Fujitsu is counting on the success its palm scanner has
had so far in resisting spoofing.
"Other biometric measurements are not as reliable as vein patterns in
the palm," said Byrnes.
For instance, even high-resolution photos of a palm print will
not succeed in gaining access because the photo image cannot
reproduce the blood flow the sensor looks for, he explained.
Tales of Trickery
Though tales of how criminals may try to fool biometrics devices are legion, many of them draw only guffaws from those who know how the technology actually works. For example, Gummy Bears will not work with optical readers anymore, said Imprivata's Ting.
Other tricks may have worked on older biometrics technologies. With previous generations of biometrics, a smudged fingerprint taken from something like a cell phone may have been enough to pass muster on certain systems. Also, chopped-off
hands and fingers did happen, but now most devices can sense an
electro-magnetic pulse. Even hi-res pictures of faces or fingerprints
no longer fool scanners, according to Contos.
That's not to say that modern biometrics are perfect -- just improving.
"When it comes to picking any lock, you can always pick the tumblers
if enough of them are loose. Temperature readings can be fooled. You
can always find a substitute for the body part being scanned. But
overall, the technology's accuracy is getting better," said Ting.
"There are much easier ways such as social engineering to get into
someone's computer accounts."
Next-Gen Devices
As biometric reliability improves, some vendors may make the leap from using the technology to secure computers to using it to lock down the structures that house them.
For instance, Fujitsu is working on a biometric device that controls
physical access to doors. The company has a prototype, but it is not yet
ready for production; it's currently working on reducing production cost.
Think of the old "Star Trek" sets where Capt. Kirk extended his palm
into the air as he approached a door to open it -- that's what Fujitsu
is working on now.
"What was James Bond 15 years ago is biometric reality today," he
quipped. "We will see more, not less, of biometric ID management.
Biometrics has been a hot topic and will continue to be," Byrnes
concluded.