The New Biology of Biometrics

To a lot of computer users, the concept of biometric authentication is limited to thumb drive reader devices, eye scanners and voice pattern recognition. Such technologies still face stiff competition in most enterprise circles, where passwords and user tokens seemingly work well enough and are quicker and cheaper to deploy.

Existing security strategies that grant access only after the presentation of a user’s recognized physical traits are changing. Updated versions of fingerprint, voice and eye scanners are gaining popularity with IT managers. Newer biometric authentication layers are tightening the security blanket for computer and data access. These innovative devices are making it more difficult for impostors to spoof their way into data they shouldn’t be able to access.

Historically, authentication security involved a combination of passwords, PINs, signatures and keys. First-generation biometric authentication devices added more choices to the mix. Now these choices are again changing. New strategies for personal identification are providing stronger security to computers and sensitive data.

For instance, next-gen fingerprint readers can detect the presence of blood coursing through the tissues to eliminate the threat of a severed finger passing muster. Fujitsu Computer Products of America announced on Sept. 9 a mouse with a built-in palm reader that it claims cannot be duped.

“I expect to see even better speed and imaging performance from future [fingerprint] readers. In addition, newer technologies such as IR [infrared] imagers are able to detect thermal signatures of either finger veins, palm or hand veins as well as facial prints. These technologies are starting to appear, but their price points are not where fingerprint sensors are so they are still early in the development cycle. Whether these will become as mainstream as fingerprint biometrics is still unknown, but these technologies look promising,” David Ting, CTO of Imprivata, told TechNewsWorld.

Worth the Upgrade?

Next-gen of biometric authentication devices may offer greater security, but that may not be the most pressing issue for potential enterprise adopters. Are enterprises better off upgrading to the newest versions of biometric solutions? Perhaps they would be better off taking a hands-off approach to these newer biometric-based security strategies.

Basic fingerprint readers are becoming so reliable and inexpensive that the level of improved access control they offer is already better. Introducing more costly devices may not be cost effective, Ting suggested.

From a technology perspective, enterprises are starting to see widespread adoption of fingerprint biometrics. A driving factor for this acceptance is the device’s long history of sensor development, image processing and a large population statistics, he said.

“The devices on mobile devices are starting to benefit from evolution rather than revolutionary changes as they become more usable (to fingerprint and environmental conditions), durable and faster. This, coupled with the reduction in footprint, power consumption and cost, have resulted rapid adoption for mobile and desktop users, as evidenced by the number of users today who are buying them for their notebooks,” he explained.

Lagging Desire

For a variety of reasons, the security industry has not seen widespread requests for voice or facial recognition, even as microphones and digital cameras become standard equipment on notebooks. Factors like variables in the operating environment and how they affect the recognition rates certainly play a large role in this.

“We see companies using technology from the business space and applying it to their own partners. There is no silver bullet with getting security from biometrics. Companies that use biometrics in isolation are finding out that they are getting spoofed. They have to use multiple strategies in concert,” Matt Shanahan, SVP of AdmitOne Security, told TechNewsWorld.

When deciding whether to buy into new biometric security devices, IT managers should consider the risk factor they face, he said. They should ask themselves, what are the most concerning threats and what should they do about them?

Two Possibilities

Collusion and corporate social engineering are two typical ploys hackers use to break through security barriers. Biometric devices need to identify the right user, not just a user that appears to be right. However, the devices don’t always reach this goal.

“The rise of new threats is causing people to rethink biometrics. Then they have to decide if they should rely on physical, which is more intrusive, or behavioral, which is less intrusive,” said Shanahan.

In many cases, advancements made in software-based behavioral biometrics can be 95 percent effective, he added. With physical biometrics, users need new hardware on their PCs, and the upgrades can be expensive.

Behavioral Biometrics

With behavioral biometrics in place on the network end, no external devices are needed. AdmitOne’s biometric product captures the typing cadence of the approved users, so whatever keyboard they use, their typing behavior will not change.

In addition, behavioral biometrics provides for multiple levels. For instance, banks using behavioral biometrics first require customers to get the password right. For that same customer to do a transaction online, he or she will have to re-enter the password or answer pre-set security questions.

Another layer can be applied by using risk-based methods. Customers will have to answer different levels of challenges depending on their interactive behavior on line. With risk-based strategies, the degree of strength needed is determined by the amount of risk assessment the access requires, said Shanahan.

All Things Considered

AdmitOne’s behavior biometric software relies on multiple sets of factors. For instance, it determines if the log-on attempt comes fromthe same IP (Internet protocol) address as it usually comes from. A log-on attempt coming from a different geographic region is given special consideration.

“The assessment of risk combines the observable factors with the requested responses. This makes for a reliable pattern of use. Depending on the behavioral assessment, additional levels can be applied, such as calling out to the customer’s cell phone. Using these strategies, 99 percent of people won’t be challenged at higher levels,” Shanahan said.

Palm Science

One innovative physical biometrics device to come down the pike is Fujitsu’s mouse and palm reader duo. Its design places the user’s hand grip in direct contact with the palm reader embedded into the mouse.

“The palm of hand area is two inches by two inches and is an intricate, data-rich structure. We can capture, classify and identify patterns with infrared lights. This technology looks below the skin’s surface at vein patterns. It looks like a bunch of squiggly worms,” Jerry Byrnes, manager of biometrics and strategy planning for Fujitsu, told TechNewsWorld.

The technology produces a false rejection rate of 0.0007 percent. The falseacceptance rate is 0.01 percent, he said.

“We use a liveness test. It needs to sense flowing blood. The device can’t be spoofed,” Byrnes ventured.

Different Strokes

The use of different types of biometric devices is meant to address different needs. Some industries will be served better than others by these next-gen biometric technologies.

For instance, vascular biometrics using vein patterns may be an attractive option for some sectors, but the hardware deployment may not be conducive or even possible for all enterprises, noted Byrnes.

Fujitsu’s palm and mouse device is already well established in the Japanese banking industry, among others. But the market in the U.S. is much different. There’s generally less concern over security, in part because the insurance business in the U.S. covers damages from security breaches.

“One of the biggest and first adopters in the U.S. is the healthcare industry. Compliance rules are driving biometrics acceptance and development. Corporate officials literally have jail hanging over their heads. Our method is well accepted. Another area of adoption [for next-gen biometrics devices] is patient ID and authorization,” Byrnes said.

Third-Party Trend

Rather than looking for applications that provide all their own biometric capabilities, users are looking to external providers to support biometric verification for all applications, according to Imprivata’s Ting.For example, his company’s ProveID application programming interface, which accesses OneSign biometric authentication, is being used by multiple healthcare and financial applications to offload the responsibility for all the workflow,credential storage and device management necessary to supportbiometrics.

“We expect this trend to continue as more applications are required tocomply with having biometric support. This is a win/win for bothcustomers and application providers,” said Ting.

The end user doesn’t want multiple proprietary devices for individual applications or the need to individually learn to use and enroll with different systems. Similarly, app providers generally don’t want to constantly wrestle with the complexities of different authentication technologies, he added.

Most of the biometric technology provided by laptop computer vendors is based on device-centric methods. This means the reference biometric data sets are typically locally stored on the specific device used during enrollment, rather than stored and processed centrally as one would for enterprise use, Ting explained.

“Imprivata has long held the opinion that all reference biometric data need to be stored and managed centrally to offer the maximum flexibility and security for the end users,” said Ting.

The OneSign server securely stores the reference fingerprintbiometric for all users and supports fingerprint lookup across adistributed environment. This model is more operationally correctwithin healthcare, government, financial services and utilityapplications.

Nex-gen enterprise biometric solutions will evolve toward being ableto work both with centralized, distributed as well as mobile devices,such as smartcards or contractless smartcards, according to Ting.Another aspect for enterprise-based solutions is the ability to beinteroperable across different devices.

This will make it possible for the end user to work with different sensor technologies on different platforms without having to enroll with multiple systems. This need will become more significant as first-generation scanners get replaced by newer ones, predicted Ting.