Biometric technology, which is now being deployed in a number of application areas including immigration and national identification, has the security advantage of not being able to be borrowed, lost or stolen. It is also reaching a state of maturity, with accuracy levels improving, costs falling and template sizes shrinking.
To the average media pundit in the immediate aftermath of September 11 2001, biometrics became the panacea for a host of security problems. Today, much of the hype has gone, and people are more realistic about the strengths and weaknesses of the technology.
Numerous decisions need to be made when considering the deployment of biometrics. First, which type of biometric should you adopt? Do you opt for a biometric that examines your target’s physical characteristics, such as face, fingerprint, iris, hand or retina? Or do you adopt a behavioural biometric such as dynamic signature, keystroke or voice? Your decision will be determined by a number of factors, including how important accuracy is to you. Some situations – such as access to highly secure government areas – may require the highest levels of security regardless of cost. In other situations, a few individuals being falsely rejected from, or falsely accepted to, a system may be acceptable. If accuracy is a key priority, iris technology may be the most suitable.
Second, what’s your budget? Typically, fingerprint technology is cheaper than iris or face biometrics in a small-scale rollout. However, it’s worth bearing in mind that cost differences between biometrics depend largely on where they are deployed. In a border control setting, cost differences are not always significant because other infrastructure costs will be larger than that of the biometric technology.
Third, who will be using your system? Ease of use is particularly important, especially if a large percentage of users aren’t technically savvy. Added to this, how does your target audience perceive the technology? Do they see some biometrics as more dangerous or invasive than others?
Fourth, what are your throughput demands? If the biometric system is being deployed in an airport environment, it should be robust, quick and easy to use.
Finally, what are your data storage requirements? Does the owner of the biometric maintain ownership of his or her template? Or is it held in a central database elsewhere? For some systems, a central database may be considered sufficient. However, this raises questions about privacy – who has access to the database? – as well as security – how do they gain access to the database? In addition, is it sufficient for a person to present him/herself to a system to be authenticated purely by their biometric? Here, smart card technology really comes into play. With falling costs and increasing memory sizes, smart cards have a lot to offer the biometrics industry. They can be used in conjunction with the biometric and a PIN to provide three-factor authentication: something you have – the card; something you know – the PIN and something you are – the biometric, thus guaranteeing the highest level of security.
By storing a template directly on a smart card, organisations can also overcome the potential privacy and portability problems of a centrally stored database of templates. Although memory requirements vary between biometric technology vendors, typical template rates are currently 4-20Kb for face recognition, 2-4 Kb for fingerprint, 9 bytes for hand and 512 bytes for iris; all sizes that are easily managed on a smart card.