Security via biometrics

Biometrics is gaining momentum as a result of the 9/11 attacks and heightened security awareness. Government agencies and corporations in the Middle East are deploying biometrics technologies to safeguard their assets and keep track of their employees. Will the technology will become commonplace?

  • E-Mail
By  Sarah Gain Published  May 26, 2005

|~|3.-Sun-MAIN.jpg|~|"Around 80% of biometric analysis technology focuses on the fingerprints. They have become one of the most widely recognised means of identification," says Sun Microsystems’ Chris Saul. |~|As incoming passengers walk through the Dubai International Airport, the queues for passport control are bypassed by a select few. For US$41, residents of Dubai are taking advantage of biometric-based security to sidestep long waits and continue their journey unimpeded. Since its introduction in 2001, the e-gate system has proved an effective way for Dubai authorities to introduce self check-ins without compromising security.

As Dubai readies itself to comply with stringent passport control regulations to manage 30 million visitors by 2010, biometrics will play a significant role in strengthening national security.

The e-gate card displays personal details such as the user’s name, alongside a photograph and a digital record of the cardholder’s fingerprint. “Every person’s fingerprint is unique. It cannot be duplicated. The e-gate will only allow those passengers into the area whose fingerprints match the enrolled identifications. We are a small department, however we manage over 15 million passengers annually. This means automation is the way forward,” says Lt. Colonel Khalid Bin Lootah, IT section chief of Dubai Naturalisation and Residency Department (DNRD).

The residency department introduced the system to reduce its workload that resulted from the Emirate’s growing number of business visitors and tourists. “The e-gate has been incredibly successful from a business point of view, as well as from the perspective of travellers. There is less frustration,” says Chris Saul, desktop and mobility practice manager for Sun Microsystems.

Biometrics is the study of measurable biological characteristics, and in the field of computer security, the term refers to authentication techniques that rely on measurable physical characteristics, which can be automatically checked. There are several types of biometric identifications, which include the analysis of facial characteristics, the geometry of the hand and fingers, the retina, signature and the pattern of veins on hands and wrists. The most common areas of analysis, however, are voice, fingerprint and iris.

While eye scans offer the highest level of security, the process is complex; hence finger printing remains the popular option. “I would estimate that around 80% of biometric analysis technology available focuses on the fingerprints — since the New Scotland Yard uncovered the advantages of fingerprints, they have become one of the most widely-recognised means of identification, and the technology that surround this is simple, reliable and advanced,” adds Saul.

Although biometric is still in its infancy, the political volatility in the Middle East has had a profound impact on the security industry, exposing the limitations of traditional methods of identity verification. While this has given a worldwide boost to biometrics, especially in the US, where authorities have created the Department of Homeland Security in the wake of the 9/11 attacks, security vendors say there are other factors besides the obvious, which have helped boost the uptake of biometrics solutions.

“Biometrics is primarily making inroads due to convenience. We believe the market breaks down to about 15% for security and 85% for convenience,” claims Rainer Erdmann, managing director of SimonsVoss Technologies.

Enterprises are gradually accepting these solutions as a method for combating careless user practises and eliminating the costly process of re-issuing passwords and usernames to employees. With end users having to remember up to eight individual user names and passwords, the possibility to replace these with biometrics is becoming more attractive.

Usernames and passwords can also end up in wrong hands. “Security is critical in today’s world. If a password is insecure then a company’s entire data is also going to be insecure. Biometric is certainly a definitive way of ensuring that an individual’s identity is not used by others,” Erdmann says.||**|||~|4.-Kassem-MAIN.jpg|~|The ROI from biometrics implementation is instant, Abbas Kassem from CompuEx. |~|According to an IDC report, corporations spend approximately US$300 per password-reset incident, which means between 20%-25% calls to help desks are password-reset related. By implementing a biometrics system, these incidents can be avoided.

Tony O’Connor, head of security risk at the National Bank of Dubai (NBD), says biometric-based solutions may not be all that cost-effective at this stage, but the benefits are enormous. “While it is true that biometric devices are expensive, security issue aside, the cost-saving benefits of streamlining the password and physical key procedures outweigh the cost of the technology,” O’Connor adds.

Furthermore, biometrics is also beginning to prove its worth in the human resources (HR) departments of many organisations, contributing to improved punctuality and weeding out ghost workers. The technology acts as an alternative to proximity cards for punctuality and attendance.

Abbas Kassem, sales manager at CompuEx, says such high-levels of security provide a long-term roadmap for enterprises. It brings in the much-needed checks and balances throughout the organisation. “This type of technology is an excellent move for any company and a very well-placed investment, enabling full control over human resources procedures. The return-on- investment (ROI) can be doubled within the first five months of the implementation,” he states.

One enterprise that recognises the real world value of biometrics at the HR level is Team/Young and Rubicam, an international advertising agency with operations in Europe, the Middle East, and Africa (EMEA) regions. The company uses a combination of both finger scanning and magnetic card solutions to ensure that only authorised people have access to its offices, and to track what time they enter and exit.

The advertising firm has also chosen to use the applications to restrict access to areas it considers to be at risk, such as the small store, where petty theft is a potential problem in many organisations. “While some employees find the system a little complicated compared to solutions like punch cards for time keeping and attendance and security guards manning the doors, biometrics is doing well in terms of efficiency and cost. While we may start to see things such as facial recognition a few years down the line, fingerprinting is secure enough for our purposes,” says Osama ChamsiPasha, regional CIO of Team/Young and Rubicam.

The company is just one of many businesses around the world that are turning to biometric-based security solutions. As part of a pilot scheme, Oracle has deployed a biometric solution at its main data centres in Texas, USA. At the company’s outsourcing data centre, visitors are subject to round-the-clock armed guards, iris scanning, closed circuit television, weight measurement security — in which guests' weight is measured entering and leaving the building — hand geometry scanning, vehicle proofing and metal detectors.

The system may sound futuristic, but Oracle believes the technology will soon become a cost-effective reality on a broad scale. “This type of system is still uncommon among data centers, but it is becoming popular gradually. We can expect to see many more of this type of implementation in the future,” says Tarek Shahawy, technology solutions and sales consulting manager at Oracle Middle East.

The findings of the International Biometric Group (IBG), an independent integration and consulting firm, support Oracle’s optimism. The organisation predicts the global revenue from biometrics products and services will grow to US$2.6 billion by 2006 and US$4.6 billion by 2008. There is reason to be cautious about these estimates though; as the IBG estimated in 2002 the total biometrics revenue would be worth US$927 million by 2003.

The fact that this projection fell short by US$200 million should serve as warning for the industry. Private enterprises in the Middle East are cautious of the technology, however the demand is high in government and financial sectors.

IDC’s software programme manager in the Middle East and Africa, Heini Booysen, comments that, “As far as the Middle East is concerned, smart cards are becoming more prevalent. When it comes to technologies such as the [biometrics], one of the biggest spenders in the region is the UAE government, with its national identity card scheme, e-gate and retina scans at the airport. Some regional banks have also opted for hardware authentication. However, the absolute size in terms of revenue remains low for now.” ||**|||~|5.-Tarek-Shahawy-MAIN.jpg|~|"Using multiple biometrics increases the amount of data that has to be processed and stored," says Oracle’s Tarek Shahawy. |~|The GCC governments are exploring the possibilities of using biometric-based security solutions. The Kingdom of Saudi Arabia (KSA), for example, wants to introduce an e-gate that will use all three main biometric identifiers: facial, iris and finger scans. The Gulf States have been quick to realise the importance of biometric identity assurance in border and transportation control.

In a project to enable travelers to use e-gate systems at any airport in the GCC, each country plans to issue its residents with an identity card that is integrated into e-gate solutions at border check- points and airports. Oman has issued cards that are based on smart card technology and embedded with a thumbprint biometric. The UAE intends to provide a similar system in the near future. Bahrain, Qatar and Kuwait are working on similar projects.

The move will help these governments to manage the planning of resources, benefits and services, providing core databases, which can be used in conjunction with e-government initiatives. “The ability to quickly and positively identify known individuals allows a country’s limited security resources to be focused on other potential threats, while at the same time enabling efficient travel and trade,” says Tony Murphy, chief operating officer of Daon.

The Middle East has one of the highest adoption rates of biometrics technology in the world, and the technologies are being deployed in interesting ways, such as the iris recognition that was piloted in the Kingdom of Saudi Arabia to track Haj pilgrims, according to Murphy.

However, the private sector is lagging behind in their adoption of biometrics. NBD’s O’Connor hopes that in the wake of banks issuing smart cards, financial institutions may begin to adopt biometrics.

“It would be possible to implement biometrics into credit or debit cards and this would certainly be a major step towards [managing] credit card frauds. In a few years time, there could be fingerprint readers on ATMs and even point of sales (POS) terminals, which will prevent offline unauthorised card use,” he says.

While card security would undoubtedly be greatly enhanced by the move, Paul Meadowcroft, head of transaction security at Thales UK, disputes the claim this will happen soon. “What we are seeing with the upgrade to smart cards will be a huge improvement in its own right, and it has taken a long time to get to this point. The financial sector is by nature very traditional in its business practices, so if biometrics ever becomes an issue in banking, it certainly will not happen overnight. I would not expect to see this type of solution being used for many years.” ||**|||~|7.Thales-MAIN.jpg|~|"The technology is still too volatile for more general use," states Thales’ Paul Meadowcroft.|~|Sun Microsystem’s Saul believes that businesses in general are justified in their reservation to adopt biometric-based solutions. He attributes this hesitancy not to a lack of awareness of the technology, but to an acute awareness of their immediate business needs. The state of IT infrastructures of most businesses, even at the enterprise level, is such that there are more pressing issues that need to be dealt with.

“It is not really a lack of understanding that is an issue here — the technology is intrinsically interesting and has generated a lot of press coverage, which raises awareness. Most organisations do not choose to adopt these solutions because firstly, the cost is too high and secondly, their needs simply do not justify it. More basic infrastructure needs have to be addressed to even begin to support such a sophisticated technology.”

Although successful government projects such as DNRD’s e-gate illustrate the benefits of biometrics when deployed for the right reasons, for the technology to gain greater momentum in the regional enterprise market, end users need to incorporate these devices into a larger solution and extend their capabilities beyond access control. “People tend to forget that biometrics is just a technology and to make that technology effective you need to have software,” says Saul.

To run biometrics solutions effectively, an extensive management and storage architecture must be in place to allow the applications’ potential to be leveraged. While storing biometrics as raw images helps with accuracy rates, it takes up a lot of space, limiting the number of users who can be scanned by each machine.

In addition, the accuracy of biometric scanning is open to debate. Despite the progress made in the area of research and development, the fact remains that biometric devices have failed or have proven to have limitations. Voice recognition, for example, continues to be hampered by the variability of both transducers and local acoustics.

Retinal scanning has a number of problems with user acceptance, presenting issues of inconvenience for spectacle wearers, as well as being objectionable to people with concerns over intimate contact with a reading device. Iris scanning seems to have overcome some of these issues, however from a technical point of view, ease of use and systems integration are still areas of weakness with biometrics technology.

Even the commonly used fingerprinting can have errors, especially when deployed over a large user base. Fingerprint scanning still has error rates of anywhere from 0.5% to 2% depending upon the technology option used, according to the Meta Group.

Vendors claim the errors were due to the fact that some biometrics companies went to market with immature and flawed products. According to SimonsVoss Technologies’ Erdmann, this had a negative impact on the market: “Smaller companies took longer and developed better solutions, however they have to overcome the bad press,” he explains.

Furthermore, there are other natural inhibiters to the accuracy of biometrics. For instance, a small minority of any population will have an ill-defined fingerprint. “An estimated 1% of the UAE population has a fingerprint that is too faint to be captured or recognised. In large projects such as the UAE’s national ID card scheme, that equates to some 50,000 people falling through the cracks,” points out NBD’s O’Connor.

Biometrics advocates are backing up fingerprints identification with another biometric or other security solution such as passwords, pin numbers or smart cards. Dual identification is particularly beneficial in large-scale deployments, where verification of a finger, hand or face against a large user database can be a time-consuming process. However, this resolution can be counter productive.

Instead of simplifying users’ security responsibilities, biometrics can add more complexity with additional pieces of information to remember or carry. In addition, the cost of deploying two solutions instead of one makes biometrics even less attractive to end users. “Although vendors are working towards simplifying the system and lowering the overall cost of this type of system, using multiple biometrics increases the amount of data that has to be processed and stored. This means the process of verifying identity is not only expensive, but also quite time consuming,” says Oracle’s Shahawy.

As well as using multiple biometrics to boost accuracy, biometric solution providers are trying their best to improve the performance of their products.

To enhance fingerprinting, vendors are working on touch less technology, which uses light to reflect finger ridges, generating an image of the skin’s surface, reducing wear and tear of equipment. Sensors that can scan below the surface of the finger are also being developed so that even people with faint or blemished fingerprints can be scanned with more reliability.

“Touch sensors typically have to be cleaned every 15 minutes to remain accurate — this is one of the major disadvantages to large scale implementations such as POS. Also, when people are inexperienced with the technology, it is possible to position a finger incorrectly or press too hard and create a false rejection. The technology is still too volatile for more general use,” states Thales’ Meadowcroft.

Another flaw associated with fingerprint detection sensors is their inability to differentiate between a real finger and a fake. Hollywood has got the measure of biometrics, according to Saul. “In movies they show how the sensors can be fooled with contact lenses or fake fingerprints. With optic solutions, if a fingerprint was to be been taken off a glass and superimposed into silicon gel, a sensor would give verification. With a silicon-based device this is not possible, but it does illustrate an important point: No matter how advanced the technology may be, people will always try to find a way around it.”

In the Western world, it is taking the IT industry a long time to allay fears of invasion of privacy and the ‘Big Brother’ surveillance tactics. Users are only starting to overcome their fears about having such personal information stored on databases. Vendors are adapting technology to negate this issue by developing products that use a pattern file rather than a raw image, which can not be used for anything other than verifying that particular person on that specific device, which means there will be less biometric data stored for unscrupulous people to misuse.

However, the invasion of privacy issues is less pertinent in the Middle East. People are willing to compromise on privacy to benefit from greater convenience, according to O’Connor. “We already have no privacy. All our personal details are on file somewhere. Banks know where you shop or where you withdraw money, cell phone calls can be intercepted and traced. This technology is just an electronic version of the paper trail always followed us,” he adds.

Despite the challenges, biometrics is making headway in the Middle East. The technology is improving and end user satisfaction is growing. However, vendors’ ambitions to make the technology more mainstream by replacing PIN numbers on credit cards require the technology to mature at a great pace to overcome the issues of cost, accuracy and reliability.

Once again, opinions differ over whether such goals are realistic, but Erdmann remains adamant that biometrics has a major part to play in the future: “It is a matter of acceptance. Once people get used to biometrics it will take off just the way mobile phones did. It will be everywhere and we’ll wonder how we ever lived without it,” he enthuses.

Only time will tell whether this prediction becomes reality.||**||

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code