Biometrics - more than meets the eye

Despite biometric technology making tremendous strides in recent years, biometrics remains something of a poor relation in the IT security industry, with a few well-established firms - and a number of other players - all vying for a share of what is a very finite slice of the revenue pie.

But where is the market headed? And will there be a killer application that breaks the mould and enters the mainstream?

According to Vance Harris, former chief technology officer of voice biometrics specialist Voicevault, and existing managing director of Miko Computers, an IVR (interactive voice response) and speech recognition company, the current economic climate is unlikely to foster any serious new investment in biometrics.

As a result, he says, the possibility of a new killer application appearing in the near future is relatively small.

Of course, he adds, there is nothing to stop an existing application hitting the mainstream, but Harris believes that the future for biometrics lies in a marriage with another more well-established technology, such as telecoms.

At his former employer, Voicevault, and with his own operation, Harris - who has an ex-military IT background of some standing - has pioneered the use of biometric voice recognition in a telecoms environment as a method of establishing a person's identity.

In a biometrics show demonstration late last year, for example, Voicevault was instrumental in working with Voicepay, the new company of Nick Ogden (of Worldpay fame), on a mobile phone callback system that confirmed a person's identity using a voice biometric.

The idea of that system, which Voicepay is developing at the moment, is that a person making a card payment, either online or in person, could be called on their mobile and their (previously verified) voice biometric used to authorise a transaction.

For this technology to work, however, Harris told Infosecurity that the telephony circuit needs to be the best available - known in telecoms circles as ‘tier 1’ - to ensure minimum false negatives, and consequently, aborted transactions.

Going for a tier-1 telephony service need not be more expensive than using a discount (tier-2 or below) telecoms carrier, says Harris, as it is now possible to use tier-1 internet telephony services for voice biometric use at sensible rates.

The key to the use of voice biometrics in the IT security industry, as with all forms of biometrics, says Harris, is getting a major bank customer to adopt the technology.

"It's only then that you'll see the biometrics levee break", he says, adding that once one bank comes on board in a big way, then others will undoubtedly follow.

According to Harris, the banking industry is very much a ‘follow-me’ market and, given the precarious state of banks generally at the moment, he predicts that biometrics is destined to remain on the banking sidelines for the near future.

An emotive issue

One veteran biometrics and communications expert who is working diligently to change this situation is Steve Howes, chief technology officer with GrIDsure, self-defined resettable biometrics company based in Eastern England. Although Gridsure can’t really be defined as either a biometric company or a security company, they fall somewhere on the fringe of behavioural-based biometrics.

GrIDsure's claim to fame is the development of a pictorial alternative to the ubiquitous alpha-numeric PINs and passwords we all use to authenticate ourselves with financial institutions, online and in a wide variety of allied environments.

What's interesting about GrIDsure is that Howes calls it a "resettable soft biometric option", which he says is infinitely more acceptable to users concerned about their privacy than conventional biometrics.

Users, he says, have become highly emotive about the possible storage and misuse of their fixed biometric data, such as an iris image, a fingerprint or similar.

"There's a growing belief that, with the growing number of reports of data getting lost by the government and its agencies, that government cannot be trusted to store users' biometric data securely," he says, adding that, as a result, the biometrics term has become a very emotive issue.

Howes also told Infosecurity that this situation isn't going to change overnight as the public are going to take a lot of convincing that their biometric data is safe before they will be happy for various UK governmental agencies to store that data on a centralised basis.

It's against this backdrop that Howes and his company have developed GrIDsure, which he says is highly acceptable to users owing to the fact that it's a soft biometric that can be changed; something you can't do, he notes, with something like a fingerprint or iris scan.

Interestingly, in the last 18 months or so since GrIDsure has been doing the rounds of financial institutions, Howes says that the precise term ‘biometrics' has not always been associated with security.

"This is almost certainly the result of the emotive link with biometrics and that's something that I don't think will change in the near future," he says.

Despite this potential stumbling block, Howes says he expects to see biometrics technology encapsulated within a smart card in a mainstream application before too long.

Interestingly, Howes does not predict that iris recognition – long-promulgated as the ideal low-cost, easy-to-use biometrics technology best placed for mainstream deployment - will take off.

The problem, he says, is that the accuracy of iris recognition starts to fall off in stressful situations, such as immigration checkpoints at airports and borders.

"People react badly to stress and so does their optical biometric. If an iris scan fails for any reason on the first time, it's well-known that the chances of a scan failing on the subsequent occasion are quite high. It's all down to stress changing the optical biometric," he says.

Convenience matters

The other big problem facing the biometrics industry in the near future, observes Howes, is the tremendous gulf between a closed biometrics system and an open system in terms of public acceptance.

"If your firm operates a biometrics security system for, say, charging up your canteen purchases, then there's a high likelihood of your accepting the system for convenience sakes. If a similar system were to be deployed publicly, such as the UK's planned national ID card system, for example, then less people will go for it", he says.

For this reason, says Howes, the use of biometrics in an open system is unlikely to gain widespread acceptance, no matter how much the government carries out its public relations exercises.

Over at VeCommerce, the Australian-headquartered biometrics specialist, Brett Feldon, the firm's general manager for EMEA, predicts facial biometrics to be the first to enter the mainstream, for the simple reason that [Australia and UK] governments are throwing money at the technology for reasons of national security.

"Facial biometrics also has significant potential when it comes to access security", he says, adding that he also sees good potential for voice biometrics, largely owing to the relatively low cost of deploying the technology.

In Australia, for example, VeCommerce has landed a major contract with Australian Health Management, a health insurer, which was keen to provide better levels of security to its members, as well as more convenience.

After investigating voice recognition systems for some time as a way to improve member services, AHM decided on a biometric voice verification system from VeCommerce.

VeSecure, says Feldon, allows AHM to verify a member's identity prior to transferring the call to a customer service agent.

"It's applications like this that help companies to cut costs and increase security, that the future of biometrics lies with," he says, adding that, like Vance Harris, he sees biometrics as starting to taking off once a major bank deploys the technology on a wide scale.

"Once you have a champion for biometrics, then other companies see what is happening and the technology enters the mainstream," he says.

Coming to a town near you

Nick Ogden, founder of online payments industry expert, WorldPay, and now attempting to repeat the process with VoicePay, a voice biometrics company, predicts that biometrics will enter the mainstream and sooner, rather than later.

Like so many company seniors we spoke to whilst researching this feature, Ogden sees voice biometrics as the crowd and revenue puller in the biometrics field, largely because of the low marginal cost of deployment, and the fact that the technology works remotely.

"Let's say you create a voice signature with the bank. Unlike a physical signature that you give the bank when you open the account, which then languishes in a drawer somewhere - only rarely used to verify your high-value cheques - a voice biometric can be used over and over again to verify and authorise your transactions", he says.

For the bank, says Ogden, this provides security comfort, whilst for the customer, it provides empowerment. Customers, he explains, can give a go/no-go on almost any interaction with the bank - quickly, easily and at low cost using a mobile phone.

VoicePay, says Ogden, is already talking to Visa and MasterCard about voice biometrics, and has established an open system for financial services companies in around 50 countries, that will allow them to establish a central voice biometrics registry.

And, he says, once a customer is registered centrally, that voice signature can be used globally.

"Banks love voice signatures. There's a lot of comment about people getting themselves into trouble after their bank has increased their credit card limit. If a voice signature were used, the bank could automatically call the customer up, offer them an increased credit limit, or loan, or whatever, and the customer then ‘signs' the request with a voice biometric", he says, adding that, as a result, the bank has irrefutable proof that the customer agreed to the change.

This, predicts Ogden, is where biometrics will enter the mainstream - in a simple, easy-to-use environment that adds value for both parties in a given interaction.

A creative future?

Neil Norman, CEO of Merseyside-based HRS - Human Recognition Systems - is a believer in a creative approach to biometrics.

He says that the reason why biometrics has not entered the mainsteam IT security market in the last decade, despite the technology being mature enough, is that it has been in the wrong hands.

"So far we've had a small number of firms developing leading-edge biometric technologies and seeking to make a rapid profit. And you can't blame them. But that has to change if biometrics is to enter the mainstream", he told Infosecurity.

With its 40-plus staff, HRS is involved in a number of biometric-enabled projects, including people recognition at Manchester Airport, biometric-based methadone dispensing for the Department of Health and securing the construction site for the London Olympics.

Against this backdrop, Norman says that companies need to take a creative - rather than a technology-led - approach to pushing biometrics into the mainstream.

"Biometrics is going to shift from a single modality, where it secures a given transaction or interaction, into a system that recognises humans using a combination of factors," he says.

"If you look at the way humans recognise each other, it's based on a whole series of factors, including location, context, as well as facial characteristics. That's why, if you see someone from work who usually doesn't smile, approaching you in a shopping mall, smiling, it takes longer to recognise them. Biometrics needs to adopt a similar approach if it's going to enter the mainstream in the future," he adds.

Using this approach will, he says, allow security staff at airports to only stop the 10% they are interested in, rather than the 100% they do at the moment.

"And that's where the future of biometrics lies", he says.