When biometric security devices began appearing nearly a decade ago,they were often touted as the final word in security technology. Afterall, stealing your password is one thing — stealing a thumb, a retinaor a voice print is a bit more of a chore.
Hackers, however, developed techniques to fool biometrics scanners, much like they’ve found ways around spam filters and firewalls. Biometric devicevendors, in turn, learned how to improve early scanners andalgorithms to develop more ironclad security products.
Still, there still exists a degree of hype surrounding the reliability of biometrics to keep the badguys out of your computer or physical entrance way, and early-generation device failures continue to hold potential users at bay.
“A few years ago, many people viewed biometrics as a silver bullet forsecurity. So far, the technology is not living up to that expectation.Biometrics is not good enough yet. It needs the right balance betweenrejecting legitimate users and allowing unauthorized ones to log on,”Amit Klein, CTO and chief researcher for browser security vendorTrusteer, told TechNewsWorld.
One way in which biometric security technology can improve is in the ability to detect a user’s stress level. Ideally, a vendor should create a system in which it’s impossible for the bad guys to force users to cooperate or alter thebiometric data to gain access, according to Klein.
Pessimistic assessments aside, some developers have indeed made inroads in getting more reliability from their devices. Old misconceptions about what biometrics can and cannot do are giving way to better realities.
“I hear much more discussion of biometric devices and the recognitionthat the spoofing prevalent years ago is no longer valid. Still, thetechnology is never 100 percent secure. But today’s solutions arefixing what was wrong with early generations of biometrics,” BrianContos, chief security strategist for data security vendor Imperva,told TechNewsWorld.
The security industry is seeing a convergence of physical and virtualdevices. Biometric access is becoming integrated with access todatabases, computer applications, computer networks and physicallocations. The process is more reliable, but the technology still hasa ways to go, he conceded.
“Overall, people see biometrics as more reliable,” said Contos. “Theindustry is still very much a cat and mouse game.”
Getting More Sophisticated
Typically, biometric security devices play gatekeepers by checkingphysical traits and recognizing approved users. In recent years, much research has been focused on improving established technologies rather than creating entirely new ones.
Take, for example, the fingerprint reader.Some computer makers such as Lenovo built fingerprint readers intotheir laptops to authenticate users. Other device makers providefingerprint readers in keyboards. Of course, those devices are only asgood as the owner’s ability to keep the keyboard tethered to the box.
Fujitsu has made a niche out of its proprietary palm print readers andmice with embedded palm print readers. Other device makers offerfingerprint readers that connect to a computer via USB connection. Inall cases, the user must already be established in an encrypteddatabase that matches the scan results.
Less Popular Modes
Biometric expertise has not developed as rapidly for other physical characteristics, such as voice, iris and facial recognition technology. Even asmicrophones and digital cameras become standard equipment on notebooksand netbooks, voice or facial recognition devices are few and farbetween.
That type of recognition is much more subjected to harsh image andnoise variations in the surrounding environment. For example, a legitimate user may be denied access if he or she tried to use a voiceprint security gateway in a noisy room. Similarly, a facial recognition program could conceivably register a false negative if the user got a haircut and shaved his beard — or a false positive if an unauthorized user simply bears an extremely strong resemblance to a legit one. These limitations may be holding these branches of biometrics back — biometric devices need to identify the right user, not just a userthat appears to be right.
“We will still see new technology, but by comparison, these will bevery few,” David Ting, CTO of security firm Imprivata, toldTechNewsWorld.
Biometrics is developing along two related lines: physical, which is oftenmore intrusive for the user, and behavioral, which is usually less intrusive. Fingerprintreaders are an example of a physical approach. The type of multi-layerresponses to personal questions beyond the initial password promptthat users encounter when doing online banking transactions representthe behavioral approach. Similarly, biometric products built intosecurity systems can capture the typing cadence of approved users, reading not just what they typed, but how they typed it.
Either way, the quality delivered by today’s biometric securitystrategies is generally much more reliable than earlier versions. Organizationsthat require more stringent access control would be best served by combining biometric,password and other layers of security.
“Considering the different options, such as facial imaging, retinascanning, fingerprint scanning and voice recognition, authenticationfailures are still in the 3 to 7 percent range, depending onthe type of environment,” said Ting.
More Sensible Sensors
Vendors are naturally working to refine the technologies. The standardization of sensing hardware, for example, has contributed significantly to growing the adoption rate of biometrics. Much of that credit goes tosensor-makers AuthenTec and Upek, said Ting. They deploy as many as 15 million sensors per year.
“They are the dominant form factor manufacturers today. They lead thefield based on the sheer numbers of the installed bases of theirproducts. The gross combined revenues of both companies is US$150million per year,” he said.
Fujitsu is one vendor currently attempting to grow popular biometrics technologies into new devices. Last year the company rolled out an early version of a palm reader device, and it’s now upgrading the system’s software.
“Fujitsu’s palm reader relies on the data-rich vein field pattern ofthe palm. It also works relatively well on the back of the hand andthe upper arm,” Jerry Byrnes, manager of biometrics and strategyplanning for Fujitsu, told TechNewsWorld.
Vein patterns are very complex. The more the complexity, the betterthe security, he said.
Fujitsu’s designers took into consideration some of the more gruesome scenarios an infiltrator might consider to try and beat the system. The palm reader detects the presence of live blood, whichnegates the abilities of bad guys using a victim’s dismemberedappendage to trick the database, Byrnes explained.
Spoofs and Gore
Biometric measurements have always been vulnerable to clever spoofingschemes. Fujitsu is counting on the success rates its palm scanner hashad so far in falling victim to spoofing.
“Other biometric measurements are not as reliable as vein patterns inthe palm,” said Byrnes.
For instance, even hi-resolution photos of a palm print willnot succeed in gaining access because the photo image can notreproduce the blood flow the sensor looks for, he explained.
Tales of Trickery
Though tales of how criminals may try to fool biometrics devices are legion, many of them draw only guffaws from those who know how the technology actually works. For example, Gummy Bears will not work with optical readers anymore, said Imprivata’s Ting.
Other tricks may have worked on older biometrics technologies. With previous generations of biometrics, a smudged fingerprint taken from something like a cell phone may have been enough to pass muster on certain systems. Also, chopped-offhands and fingers did happen, but now most devices can sense anelectro-magnetic pulse. Even hi-res pictures of faces or fingerprintsno longer fool scanners, according to Contos.
That’s not to say that modern biometrics are perfect — just improving.
“When it comes to picking any lock, you can always pick the tumblersif enough of them are loose. Temperature readings can be fooled. Youcan always find a substitute for the body part being scanned. Butoverall, the technology’s accuracy is getting better,” said Ting.”There are much easier ways such as social engineering to get intosomeone’s computer accounts.”
As biometric reliability improves, some vendors may make the leap from using the technology to secure computers to using it to lock down the structures that house them.
For instance, Fujitsu is working on a biometric device that controlsphysical access to doors. The company has it in prototype but not yetready for production; it’s currently working on reducing production cost.
Think of the old “Star Trek” sets where Capt. Kirk extended his palminto the air as he approached a door to open it — that’s what Fujitsuis working on now.
“What was James Bond 15 years ago is biometric reality today,” hequipped. “We will see more, not less, of biometric ID management.Biometrics has been a hot topic and will continue to be,” Byrnesconcluded.