Tom Olzak

Biometrics slipping as a viable access control technology?

In Biometrics on May 17, 2009 at 14:07

Looking for a way to implement a second factor of authentication, many organizations have boarded the good ship Biometrics, only to find the vessel adrift due to user, application, and functionality issues.  And this is before they try to integrate their solution into a single-sign on (SSO) environment.  So it’s no surprise that biometrics was given honorable mention in a list of the Top 10 Disappointing Technologies.

Biometrics was supposed to be the magic bullet that solved all our security needs. Look in any film where they are trying to be futuristic or high tech and you’ll see people getting their body scanned as a security measure.

However, the reality has proved less than we were promised. Fingerprint readers are in wide circulation but they are easily fooled these days with cheap materials, or by more direct means. Taiwanese robbers reportedly cut the finger of a man whose car had a fingerprint ignition, something that led scanner manufacturers to install a temperature sensor in future models to prevent a repeat.

Facial scanning was also touted as foolproof, and then quickly found to be anything but. Even DNA fingerprinting is now being questioned, either because the chemistry is defective or the lingering possibility that an individual’s DNA may not be unique. Hell, they still haven’t proved that fingerprints are even unique.

Maybe one day we’ll come up with the ultimate biometric solution but I have my doubts.

Source: Top 10 disappointing technologies, Iain Thomson and Shaun Nichols,, 16 May 2009

Most users will agree that biometrics doesn’t work all the time.  Logging in to a computer once a day with a troublesome biometric sensor isn’t a huge problem.  But when the problem sensor is attached to a shared device (e.g., a nurses station computer) or a time clock, user patience and business productivity both take a hit.

Moving beyond user issues, we arrive at problems integrating with applications.  The biggest problem I’ve found to date is getting a single solution that works across all business applications.  I don’t want multiple fingerprint hash repositories—created by multiple enrollment processes—scattered across the enterprise.

Another application problem is the failure of vendors to understand a fundamental requirement.  Biometrics isn’t just about security.  It’s also about making life easier for the  user population.  For example, shared workstations should allow for a network-level, generic login (with a password from Hades that only Security knows) to eliminate the need for user network logins.  Users should then be able to walk up to a workstation, scan a fingerprint, and access an application session unique to their account.  This should happen even if another user is logged in to the system.  There are products which support this.  However, they don’t always work across all applications, and they are very expensive for organizations with thousands of workstations to support.

Finally, there is the issue of getting the sensors to work without adjusting the sensitivity to the point at which false positives are so high only password access makes any sense.  Functionality is affected by the operating environment and the quality of the sensors used.  In many cases, the cost of getting the right sensor for the environment is too high.

So biometrics languishes, even while many managers rail against using smart cards and other token-based solutions—although most biometrics replacements aren’t too much better in solving functional issues.  The reason is usually the claim that users will forget their tokens.  They don’t want to be bothered with something else to remember.  This argument only stands up when users don’t already need a card to enter the building or other secure area.  Management is also often unwilling to sanction users for not remembering to bring their tokens to the office.

While biometrics promises to solve the world’s authentication and identity verification problems, the reality is that the technology tends to fall short of expectations.  I don’t believe, however, that it is a lost cause.  Reviving it will take vendor focus on value beyond security and a willingness to work with others to develop standards to meet business requirements for a fast, simple, user-acceptable, secure access method.  But it will take a lot of pushing by users to move this damaged ship to port.

%d bloggers like this: