The contours of the finger, the patterns of the iris and the shape of the hand can all be used to provide strong authentication, but are these – and other – biometric technologies sufficient to provide good security while also ensuring the privacy and trust of end users?
Biometric technology, which is now being deployed in a number of application areas including immigration and national identification, has the security advantage that a biometric cannot be borrowed, lost or stolen. It is also reaching a state of maturity, with accuracy levels improving, costs falling and template sizes shrinking.
To the average media pundit in the immediate aftermath of September 11 2001, biometrics became the panacea for a host of security problems. Today, much of the hype has gone, and people are more realistic about the strengths and weaknesses of the technology.
Numerous decisions need to be made when considering the deployment of biometrics. First, which type of biometric should you adopt? Do you opt for a biometric that examines your target’s physical characteristics, such as face, fingerprint, iris, hand or retina? Or do you adopt a behavioural biometric such as dynamic signature, keystroke or voice? Your decision will be determined by a number of factors, including how important accuracy is to you. Some situations – such as access to highly secure government areas – may require the highest levels of security regardless of cost. In other situations, a few individuals being falsely rejected from, or falsely accepted to, a system may be acceptable. If accuracy is a key priority, iris technology may be the most suitable.
Second, what’s your budget? Typically, fingerprint technology is cheaper than iris or face biometrics in a small-scale rollout. However, it’s worth bearing in mind that cost differences between biometrics depend largely on where they are deployed. In a border control setting, cost differences are not always significant because other infrastructure costs will be larger than that of the biometric technology.
Third, who will be using your system? Ease of use is particularly important, especially if a large percentage of users aren’t technically savvy. Added to this, how does your target audience perceive the technology? Do they see some biometrics as more dangerous or invasive than others?
Fourth, what are your throughput demands? If the biometric system is being deployed in an airport environment, it should be robust, quick and easy to use.
Finally, what are your data storage requirements? Does the owner of the biometric maintain ownership of his or her template? Or is it held in a central database elsewhere? For some systems, a central database may be considered sufficient. However, this raises questions about privacy (who has access to the database?) as well as security (how do they gain access to the database?). In addition, is it sufficient for a person to present him/herself to a system to be authenticated purely by their biometric? Here, smart card technology really comes into play. With falling costs and increasing memory sizes, smart cards have a lot to offer the biometrics industry. They can be used in conjunction with the biometric and a PIN to provide three-factor authentication: something you have (the card), something you know (the PIN) and something you are (the biometric), thus guaranteeing the highest level of security.
By storing a template directly on a smart card, organisations can also overcome the potential privacy and portability problems of a centrally stored database of templates. Although memory requirements vary between biometric technology vendors, typical template sizes are currently 4-20 Kb for face recognition, 2-4 Kb for fingerprint, 9 bytes for hand and 512 bytes for iris; all sizes that are easily managed on a smart card.
Furthermore, storing the template on the smart card allows strong authentication in offline mode. This reduces the need for a permanent connection to a centralised repository of templates.
Taking the privacy discussion a step further, matching algorithms can be implemented on the smart card. This means that instead of reading the template off the card, the biometric is read and given to the card to do the matching in a process known as on-card matching. This technique ensures there has been no tampering with the matching process and also means that the enrolled biometric data never leaves the card. The portability of the biometric enables the card owner to have control of his or her template, while also supporting offline processing.
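The on-card matching interface described above, combined with the PIN check from the three-factor scheme, can be modelled in a few lines. This is an added example, not code from Gemplus or any card vendor: the Hamming-distance matcher, the 200-bit threshold, the three-try limit and all sample data are assumptions chosen for illustration, with the template sized at the 512 bytes the article quotes for iris.

```python
import hmac

def hamming(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

class SimulatedCard:
    """Models the card boundary: the template and PIN go in at enrolment and
    never come back out; the terminal only ever receives a yes/no answer.
    (On a real card the boundary is enforced by hardware, not by Python.)"""
    MAX_TRIES = 3  # assumption: retry limit, not stated in the article

    def __init__(self, pin: str, template: bytes, max_distance: int):
        self.__pin = pin.encode()
        self.__template = bytes(template)
        self.__max_distance = max_distance
        self.__tries_left = self.MAX_TRIES

    def verify(self, pin: str, live_sample: bytes) -> bool:
        """The terminal sends the PIN and the freshly captured sample TO the card."""
        if self.__tries_left == 0:
            raise PermissionError("card blocked after repeated failures")
        pin_ok = hmac.compare_digest(pin.encode(), self.__pin)
        bio_ok = (len(live_sample) == len(self.__template)
                  and hamming(live_sample, self.__template) <= self.__max_distance)
        if pin_ok and bio_ok:
            self.__tries_left = self.MAX_TRIES
            return True
        self.__tries_left -= 1  # one counter, so the reply does not reveal which factor failed
        return False

def flip_bits(data: bytes, positions) -> bytes:
    """Simulate capture noise by flipping the given bit positions."""
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)

# Constructed sample data (not real biometric templates).
ENROLLED = bytes((i * 37 + 11) % 256 for i in range(512))
SAME_PERSON = flip_bits(ENROLLED, range(0, 4096, 64))  # 64 noisy bits
IMPOSTOR = bytes(b ^ 0x5A for b in ENROLLED)           # 2048 differing bits

def demo():
    card = SimulatedCard("4071", ENROLLED, max_distance=200)
    return [card.verify("4071", SAME_PERSON),   # right PIN, right person
            card.verify("4071", IMPOSTOR),      # right PIN, wrong person
            card.verify("0000", SAME_PERSON)]   # wrong PIN, right person
```

There is deliberately no method that returns the template, which is the difference between on-card matching and simply storing the template on the card for the terminal to read.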
National ID – a big market
With many governments now considering – or upgrading – their identity cards, biometrics and smart cards are coming of age in a variety of countries. Malaysia, Brunei, Oman and the United Arab Emirates are just a selection of countries that have recently adopted national ID smart cards using fingerprint technology.
In the Sultanate of Oman, a smart card-based citizen ID programme has been deployed using the “ResIDent” smart ID card system from Gemplus, and fingerprint technology by biometrics vendor Sagem. The new system provides advantages to government and citizens alike. The government is able to enhance its identification processes, improve its infrastructure, modernise its national registry system, increase homeland security and provide better quality services to citizens. Cardholders, meanwhile, can identify themselves electronically. And, as time progresses, these cards will be used for a host of government applications, including driving licences, passports, work permits, PKI authentication and digital signatures, domestic e-purse, healthcare cards and electronic voting. Approximately 1.5 million smart cards will be issued to Oman’s citizens and expatriates above the age of 15 between 2004 and 2007.
In neighbouring United Arab Emirates, a nationwide ID programme using Java Card-based technology from Gemplus and Sagem’s AFIS technology has been launched. The scheme, which goes live this year, will see over 2 million cards rolled out for personal identification purposes. Using the power of multi-application smart cards backed up by biometrics, this card will also eventually combine identification with driving licence, border control and emergency medical data.
Public opinion shift
Even in the UK, where public opinion has typically seen identity cards as an infringement of civil liberties, there now seems to be something of a sea change. In April 2004, a Mori poll of 1,000 people indicated that 80% backed a national ID card scheme. With public support growing, the UK government is now drawing up plans for a compulsory ID card combining biometrics with a smart card in an effort to tackle the identity fraud which costs the country UK£1.3bn each year. Trials involving 10,000 volunteers have been launched from the passport office in London and three other centres around Britain. The government is expected to publish draft legislation and a bill paving the way for the scheme before the next general election.
With the number of biometric and smart card schemes for national ID increasing, media and analysts are beginning to realise that biometric technology is a good tool in the fight for security and authentication. However, with the combination of biometrics and smart cards, organisations have access to a great tool that enables even higher levels of security while promoting privacy, portability and user convenience.
Gemplus are exhibiting at Infosecurity Europe 2006. Held on 25th – 27th April 2006 in the Grand Hall, Olympia, this is a must-attend event for all IT professionals involved in Information Security.