Biometrics: How and Now?

Esther Shein examines where and when biometrics are being deployed for identity and access management

When Affinity Plus Federal Credit Union began focusing on how to serve its customers better, its technology footprint began to grow as more tools and applications were deployed to fulfill that mission. But the new focus soon became a double-edged sword. “We were increasingly having more difficulty having our member advisory staff log in to all the applications we have”, recalls Cary Tonne, vice president of IT at Affinity Plus in St. Paul, Minn.

That led the credit union to take a step back, as management realized the member advisors were getting overwhelmed by all of the apps they were using to serve customers. Tonne was also seeing a significant increase in password reset requests. “We want to provide an extraordinary experience and individualize the experience – not just ticket-taking. We want it to be a relationship” with customers, Tonne says of the $2 billion credit union, which has 25 locations throughout Minnesota, and 140,000 members.

The IT department started thinking about what type of technology would alleviate those headaches and ‘zeroed in’ on biometrics “pretty quickly”, Tonne recalls. “We really needed something very straightforward and easy [so that] once you deployed it, there wouldn’t need to be a lot of handholding going forward.”

Affinity Plus’ IT group looked at scanner cards and badges, but wanted something that wouldn’t get lost, since member advisor employees move around to different credit union locations during the day. After testing some products from different biometric providers, the credit union chose a fingerprint technology from DigitalPersona in 2008. “We were quite surprised by how seamlessly it works”, Tonne admits.

Who You Are

Biometrics, which uses a person’s physical traits such as a fingerprint, facial recognition, palm or retina to uniquely identify them, is gaining greater acceptance in certain vertical industries. This may be a result of technological enhancements in the past few years, which have ensured higher levels of accuracy to prevent false positives, says Walter Hamilton, chairman of the International Biometrics & Identification Association, in Washington, DC. Law enforcement, for one, has applied biometric technology in “a very mature way” to identify criminals through the use of fingerprints and facial recognition. Fingerprint biometrics is the most common way to check against local and national databases to see if an individual has any outstanding warrants, but Hamilton says face recognition is used in some law enforcement jurisdictions for rapid identification, and iris recognition is being considered for use by the FBI.

Besides law enforcement, biometrics is being deployed at the border controls of many countries, including the US, the UK and Japan. Other countries are using biometrics in smartchip cards for national identification, and the government of India has embarked on a large-scale program to enroll fingerprint, iris and face biometrics for all of its citizens. This is part of a unique identity program to deliver services to people who may not have bank accounts or are illiterate, says Hamilton.

In the US, face recognition is being used on many states’ driver’s licenses to make sure new applicants or license renewals are unique and a person is not already holding a license under a different identity, Hamilton says. Health care is another huge vertical for vein recognition and other types of biometrics for patient safety and to prevent health care fraud.

Biometrics is also coming to smartphones, Hamilton adds, as consumers start using their phones for financial transactions. Notably, new devices from AT&T have a fingerprint sensor built into the phone. “You just sweep or drag your index finger over that little strip and it matches that against the one registered in the phone. You won’t be able to perform transactions without it”, Hamilton comments.

Widespread use of biometric identification, he says, is “absolutely inevitable”.

But the technology is fraught with privacy and civil liberties implications, as well as security concerns, says Lee Tien, senior staff attorney at the Electronic Frontier Foundation (EFF), a non-profit organization focused on protecting and defending privacy across a number of online consumer issues.

“All forms of monitoring and surveillance, all forms of ID checking raise civil liberties issues”, Tien says. “There’s nothing less problematic about biometrics; the only question is, how is it more dangerous?”

Face recognition as a security attribute cannot be considered accurate when “many people have pictures of themselves all over the web”, he adds. People want to use biometrics because they think the technology is hard to imitate, but Tien maintains it is not as secure a technique when a face or fingerprint is sent remotely “from one machine to the next”, thus making it “no different than the email that came” signed by someone, even if they have a password. “Once you get over the wire”, he asks, “how do you know it’s actually who it is?”

While Tien acknowledges that biometrics is used frequently, he believes there are still a lot of bugs that need to be fixed. The US, in particular, is a little slower to adopt “these shiny new technologies”, he says, since there is still a lot of concern about using biometrics as a form of tracking, identifying and monitoring. Additionally, since the US has a decentralized government structure, it doesn’t “put all its technology eggs in one basket”.

Avoiding Voice Fraud

The Australian government, on the other hand, is embracing the use of voice recognition, having deployed a system called Speakfreely from Nuance, to deliver a range of welfare and social services programs to citizens. The agency, Centrelink, receives 120,000 inbound calls a week, generating 1.8 million family claim payments through its family assistance line, says David Wright, director of the Connectivity Infrastructure Services Branch, Department of Human Services.

“With this volume of calls, we recognized the value in using automation to manage calls efficiently”, and to understand inquiries so they can be routed to the right person or department, says Wright. “We were finding that customers were having trouble remembering passwords.”

Wright explains that voice biometrics works well for them because it combines two forms of authentication – a unique voice print that is hard to forge, and a personal question – such as date of birth or address – which provides greater protection from social engineering. It is easier for the caller because they don’t have to remember passwords or PIN numbers. It is also better for Centrelink, he says, “as it provides a high level of security; it frees up time for our staff to handle complex queries and avoids the common challenges of password resets”.


Each user is enrolled once on the voice authentication system, which creates a voiceprint for them in both Nuance’s Verifier system and another of its engines, he said. Enrollment takes about five minutes, and once the user goes through the set-up process and is authenticated, they then have access to all telephone self-service offerings. The $2 million system, deployed in 2009, is available on an ‘opt-in’ basis and Centrelink currently has 350,000 enrolled customers, Wright notes.

“For public and private sector organizations, voice biometrics is an effective way of reducing fraud, as voiceprints are hard to replicate and [it] offers two-factor authentication by asking users a question as part of the verification process”, Wright observes. “Voice recognition also reduces the time users spend waiting for an operator, as the system uses ‘natural language’ to process many common requests, which frees staff to focus on more complex inquiries.”

Conducting Research

Last April, the Global Strategic Information Group, based at the University of California at San Francisco, began conducting a health survey in Ghana, looking at biomarkers for HIV and other sexually transmitted infections in a sample of men who have sex with other men. To assure the validity of study results and maintain the privacy and confidentiality of research subjects, the school needed to guarantee that participants were counted only once. Because UCSF conducts its health studies anonymously, officials were concerned that prospective participants would register multiple times to collect the incentive, says Ellen Stein, UCSF academic coordinator. The registration method also had to be easy to use and cost-effective.

UCSF selected the PersonID fingerprint identification system from 360 Biometrics. “Our impression was that using a fingerprint was the least invasive way to collect” blood and urine samples from individuals, Stein says. “We really felt biometrics would be a more foolproof way to maintain participant anonymity, reduce the chances for dual enrollment, and avoid disclosure of results to non-participants.”

Previously, the school assigned a unique study ID number to survey participants. The drawback, says Stein, was that participants might forget their study number, give it to others to use, or still try to enroll multiple times in the same study, since people are paid for participating. “In a poverty setting, anything is possible [with] people taking advantage of the ability to make money.”

UCSF uses a small device called a ‘hamster’ that is plugged (via a USB port) into a laptop. Once a participant’s unique identity is verified, he touches his finger to the hamster. The system takes a digitalized imprint that is converted into a random set of numbers linked to an image of their fingerprint. The next time the person touches their finger, their number will come up on the computer.

The fingerprint biometric system enables researchers to “feel confident that test results are being disclosed [only] to the person from whom the specimen was drawn at a previous visit”, Stein says. “We are also confident that between geographic districts we do not have duplicate enrollments of individuals.”

The data resides on the laptop and is exported into an Excel spreadsheet and brought back to the US, since there is no internet connectivity in Ghana, Stein notes. Using the PersonID software, the school has already enrolled approximately 600 participants with virtually no incidents of multiple enrollments, she says.

Removing Barriers

Affinity Plus’ Tonne says their fingerprint ID system is also easy to use. When an employee walks up to a PC, he or she puts their finger on the DigitalPersona reader system next to it and a logon screen comes up. “You can put different fingers on either hand in their memory as your biometric signature”, he notes. The system checks the fingerprint in a main DigitalPersona server to confirm the employee’s identity. The software is tied into Microsoft Active Directory, “so the fingerprint is their password to log into Windows”, Tonne says.

“It gave us what we were looking for: removing those barriers for member advisors to serve [credit union] members”, Tonne reveals, and it reduced confusion for accessing all of their apps.

IT’s role in managing the software is “minimal at best”, he says. “It’s probably one of the few things we have in our corporate environment that requires very little care and feeding.”

Since the system was deployed, Tonne estimates they have eliminated about 800 calls a month on password-related issues. In the first year, the system saved so much time he says he was able to get back about two full-time IT staff to work on other IT initiatives. He also estimates a saving of about 1,000 hours of a member advisor’s time that they can now devote to working with the credit union’s members.

Tonne affirms that security has not been an issue, and he’s relieved that users are no longer taping their passwords underneath computers.

The IBIA’s Hamilton says aside from the convenience benefit of not having to remember passwords, it’s very difficult to steal a biometric characteristic. Like any other personally identifiable information, he says biometric data should be protected using standard techniques such as encryption – or stored in a secure place like a locked room or in the memory of a smartchip card.

“You never say never, but it is far less likely that someone could steal your biometric characteristic and be able to mount some kind of attack, either over the internet or some other purpose that would be harmful to you, for the simple reason that they are not you”, Hamilton concludes.

 

CONTEMPLATING BIOMETRICS?

When thinking about deploying a biometric ID system, here are some things to consider:

  • Make sure security is balanced with customer usability
  • Engage your stakeholders early in the process and involve them along the way
  • Prove the technology works and gain business confidence
  • Be ready to adapt, including improving call flows and/or business rules
  • Think about the future, including upgrades/new technology
  • Plan ahead for change (e.g., aging templates)
Source: Centrelink