Comment Article IT Analysis – A Turning Point for Biometrics? By Fran Howarth, Principal Analyst, Quocirca Ltd In an increasingly regulated world and with security risks ever more visible, companies are under greater pressure than ever before to lock down their businesses. Many are ramping up technology investments in areas that provide them with greater insight into who is doing what and when within their organisations. Among these, identity and access management technologies are becoming mainstream tools deployed in the majority of organisations so that actions taken can be tied to the identity of the individual who has performed them. The weak link in identity and access management technologies is the secure identification of the individual. Security passes can be stolen and used by others. User name and password combinations can be captured by keylogging technologies, not to mention how many users write down passwords and store them insecurely. On the face of it, biometrics hold great promise for effective secure identification of individuals. But take up of biometric technologies has been low, except in public safety and security applications, such as at airports and for new identification documents used by government agencies in the US. Some years ago, the prime reasons for lack of take up of biometrics centred on the inaccuracy of the technology and the high cost of the equipment required. In recent years, the technology has come a long way and accuracy rates have improved substantially, especially for fingerprint biometrics. However, cost does remain an issue. Other concerns holding up adoption include privacy issues. In most biometric technologies, the biometric identifier must be collected and is then stored in a database. But any quick scan of the press will throw to light numerous stories about databases being compromised and personal information stolen. Research done by the EU shows that the storage of biometric identifiers in databases is a key area of concern among European citizens.
© 2007 Quocirca Ltd
With biometrics, the database used must be secure enough so that enrolment biometric data cannot be easily reconstructed. But the stored data must also be informative enough so that the original biometric can be recovered when a person presents their fingerprint, or other biometric identifier, for verification. The particular problem here is that biometrics are subject to environmental conditions, such as dirt or dust, meaning that data must be very accurate to make a match. Various methods have been developed by security researchers for increasing the security of biometric storage systems, such as by using cryptographic constructs such as fuzzy vaults, but these all add to the complexity and cost of using biometrics— one of the key problems holding up wider adoption. To solve such problems, a new type of personal biometric authentication device is being developed by technology vendors. In these devices, the biometric identifier is stored on the device itself and verification is achieved by pressing the fingerprint on the pad on the device itself. In this way, the device becomes both the identification token and the biometric reader and the biometric credential is never transmitted electronically, nor is it stored in a database as the credentials never leave the device. This means that these devices not only solve the secure identification and privacy issues, but they can also be deployed at relatively low cost, without the need for investing in expensive databases other than the traditional records maintained in the corporate directory. Two vendors offering such technology are MXI Security and Privaris. The devices from MXI Security are USB-based and perform effective verification of an individual’s identity by use of their biometric identifier to gain access to corporate network resources. As well as providing highly secure login, they also provide security capabilities that include digital signing and email, disk, file and folder encryption. The personal biometric authentication device from Privaris offers similar functionality for secure identification to the corporate network.
http://www.quocirca.com
+44 118 948 3360
Comment Article For logical computer access, the device interfaces with Microsoft’s smart card technology so that users can log on without the need for additional software to be installed. But it has capabilities beyond this, combining logical authentication with physical access control as well. And it does this without the cost involved in ripping and replacing existing infrastructure. For physical access control, the device works by transmitting a signal using standard communications transmissions such as RFID or Bluetooth. To initiate identity verification, the user presses a finger on the pad on the device, which is then checked against the biometric template that is stored on the device. Cost reductions are achieved by using standard communications protocols that are used by existing access control systems, so that dedicated, expensive readers do not need to be purchased and affixed to doors.
© 2007 Quocirca Ltd
As well as combining logical and physical access control, future versions of the product will allow it to be used as a tool for proving identity in financial transactions, both online and in person—further reducing cost as just one identification tool is required for a whole range of uses. Also, because the device does not require contact with a reader for verification, it will also be able to be used in applications such as telematics and vehicle access control, even when the vehicle is being driven at speed. These products provide a new approach to the thorny problem of effective identity verification. It would also solve one of the issues many have with the new ID cards being proposed by many governments—namely a large nationwide database that could be compromised or, perhaps, even used for nefarious purposes by rogue government agencies.
http://www.quocirca.com
+44 118 948 3360
Comment Article
About Quocirca Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of realworld practitioners with first hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets. Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to advise on the realities of technology adoption, not the promises. Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time. Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, Dell, T-Mobile, Vodafone, EMC, Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist firms.
Details of Quocirca’s work and the services it offers can be found at http://www.quocirca.com
© 2007 Quocirca Ltd
http://www.quocirca.com
+44 118 948 3360