Issue Date: July 2001

The state of the biometrics industry: the search for security and convenience

July 2001
Peter Burgess, Territory Manager: sub-Saharan Africa, RSA Security

The term 'biometrics' applies to a broad range of electronic techniques that use distinctive physical or behavioural characteristics of human beings as a means of authentication. Optical scanning and voice pattern analysis are usually considered the domain of James Bond films or ultra-sensitive military installations. However, with more and more organisations doing business over the Internet, the need for positive identification of end users is growing quickly.
This article will outline the current range of biometrics technologies and applications to date, and review the market's dynamic future growth prospects. As the world's leading IT security company, RSA Security is well positioned to help shape the commercial biometrics industry by introducing best of breed enterprise and e-commerce authentication solutions.
Market overview
The biometrics market has existed for approximately 15 years, and according to a recent IDC report the worldwide market size was approximately US$166 million in 1999 and is expected to expand rapidly to $1.8 billion by 2004. The vast majority of this revenue falls into two main categories: law enforcement (government, border control and police forces) and building access. To date, there have been very few enterprise-wide or computer security applications using biometrics for authentication purposes - the small number of exceptions being in healthcare and financial services, where convenience and password replacement have been the strongest drivers.
There are five principal types of biometric technologies on the market today:
* Hand/finger scanning.

* Optical (retina/iris) scanning.

* Facial scanning.

* Voice pattern recognition.

* Signature verification.
The pros, cons and application types for each category are summarised in Table 1.
While all types of biometrics are likely to grow as costs are reduced, technology improves and demand increases, fingerprint scanning will continue to hold the largest market share and offers the best trade-off between cost and reliability/user-friendliness. There are currently more than 80 vendors in the automatic fingerprint identification systems (AFIS) market, most of which started in biometrics hardware and algorithms, but have been forced into developing more robust software in order to offer the customer a total solution.
However, the market is unlikely to sustain this many fledgling companies and therefore is ripe for consolidation, with mergers and acquisitions inevitable within the biometrics sub-markets. Larger IT and technologies companies are also expected to make a move into the biometrics arena, with PC, mobile phone and PDA manufacturers embedding readers into their devices. Microsoft's licensing of I/O Software's Biometric API (BAPI) technology, and plans to incorporate it into future versions of Windows, also means that biometrics capabilities could become ubiquitous overnight.
However, this development has also created some confusion over industry standards (see the pros and cons section below), which may delay wider adoption. Even Sony is moving into this space with its introduction of biometrics on the Sony 'Puppy' and the Memory Stick. The fact that one of the world's most successful consumer electronics firms has entered the biometrics market is a significant event that could ultimately threaten the survival of today's fledgling biometrics hardware suppliers.
Widespread adoption still 12-36 months away
Pundits have been predicting an explosion of the biometrics market for some time, but we believe that widespread adoption is still 12-36 months away and will not happen until fundamental technology, security, privacy and cultural issues are addressed. In the extended enterprise and B2B arena, fingerprint scanning is expected to dominate due to its accuracy and affordability, with voice having an eventual impact.
In B2C applications, voice is more likely to lead, given that phones are such a standard interface and transactions are generally lower in value, with fingerprint following closely behind. In government-to-government (G2G) and government-to-consumer (G2C) applications, fingerprint is promising to be the dominant choice as it can be used in conjunction with smart card technologies (which are being widely adopted by governments around the world).
Pros and cons of biometrics
One of the primary drivers for biometrics is its ability to provide a viable alternative to the ubiquitous password. Passwords are now widely recognised as an extremely weak form of authentication. In fact, up to 50% of costly help desk calls are from users who have forgotten or misplaced their passwords. However, passwords have a high convenience and portability factor, not to mention they are the most common form of authentication in the world.
Other widely used forms of authentication - such as RSA Security's SecurID hardware token - offer a more secure solution than passwords. Hardware tokens provide two-factor authentication: the token generates a one-time, pseudo-random number that is used to authenticate the user in place of a static password, so a code captured by an eavesdropper is of no use for the next login. The promise of biometrics is to combine both security and convenience, because the user does not have to carry an additional device or remember a static PIN.
The vertical markets that have shown significant demand for biometrics to date provide good illustrations. In financial services, it is faster and simpler for traders on a hectic trading floor to log into the network with a fingerprint scanner than to remember and enter a 6-digit password. In healthcare, the primary objective is to enable clinicians to access electronic patient records quickly in campus-type environments: the quicker they are in and out of the network, the sooner they can care for patients. Both examples also show how an organisation can justify an investment in biometric solutions if users can execute more transactions, or see more patients, per day. Consequently, the ROI calculations used to justify a purchase can be very powerful. Fingerprint scanning again offers an acceptable compromise between convenience and security, while facilitating adherence to growing data protection legislation.
Historical inhibitors
Historical inhibitors such as cost and user acceptance are all improving rapidly. Enhancements in form factors are making readers more mobile and usable, and scanners are increasingly being incorporated into other devices such as PCs, laptops, keyboards, mobile phones and PDAs. Accuracy can still be an issue, as matching between a user's registered set of measurements and the reading on any given occasion is an approximation, not a guaranteed match.
Most solutions are also vulnerable to spoofing. For instance, fingerprint readers typically have no built-in means of determining whether the finger presented belongs to a living person (so-called liveness detection). Even though the technology is advancing all the time, an inanimate object such as a rubber stamp moulded in the shape of a fingerprint currently poses a real threat to the security of such a solution.
The lack of accepted industry standards is another hindrance, with ongoing confusion between the BioAPI and BAPI standards. BioAPI enjoys broad industry support, but Microsoft's decision to standardise on BAPI has introduced some uncertainty on the standards front. The result has been a heavily fragmented industry, with vendors touting their own proprietary solutions. Purchasing organisations are understandably reluctant to be locked into buying the entire hardware, algorithm and software stack from one vendor, with only limited options for plug-and-play.
The biggest challenge
The single biggest technology challenge for the biometrics market is secure storage of the biometric template. 'Template' is the term used for any digital representation of an individual's physical or behavioural characteristics. Once a user has been enrolled, the template (or the freshly captured sample that is compared against it) travels to the server on every authentication. It is therefore susceptible to interception in transit and, once captured, to replay attacks in which the captured data is simply sent again.
The situation is analogous to the protection of a private key being fundamental to the security and value of a public key infrastructure (PKI). Compromise is arguably more critical for a biometric solution, because the template is derived from the user's physical or behavioural makeup. Unlike a private key or hardware token, which can be stolen but then revoked and easily replaced, there is no easy way to revoke and re-issue a biometric template. Moreover, a fingerprint template is tied to a particular finger, which is not a variable data element, and a person has at most ten of them. This is part of a broader issue of privacy protection, which is beyond the scope of this paper.
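The interception-and-replay exposure described above, as an added example that is not code from the original article and not RSA Security's protocol. It models a reader sending an authentication message to a server, an eavesdropper capturing that message and resending it, and two server designs: one that checks only message integrity and so accepts the replay, and one that binds each message to a single-use server nonce and so refuses it. The reader key, the enrolled template, the message layout and the exact-comparison matcher are all constructed assumptions for the illustration.

```python
"""Added example: replaying a captured biometric authentication message.

Constructed illustration (not RSA Security's protocol, not any product's code):
a reader sends (nonce, sample, MAC) to a server; an eavesdropper who captured
that message resends it verbatim. An integrity-only server accepts the replay;
a server that consumes each nonce it issued refuses it.
"""
import hashlib
import hmac
import os

# Assumption: a per-reader secret provisioned at deployment (constructed value).
READER_KEY = b"constructed-reader-key-for-illustration"
# Assumption: the enrolled template is an opaque byte string (constructed value).
ENROLLED_TEMPLATE = hashlib.sha256(b"alice-enrolment-sample").digest()


def matches(sample: bytes, template: bytes) -> bool:
    """Placeholder matcher. A real biometric matcher is approximate; exact
    comparison is enough here because the point is the transport, not the match."""
    return hmac.compare_digest(sample, template)


def reader_message(nonce: bytes, sample: bytes) -> tuple:
    """What the reader puts on the wire: the nonce, the sample and a MAC over both."""
    tag = hmac.new(READER_KEY, nonce + sample, hashlib.sha256).digest()
    return nonce, sample, tag


def tag_ok(nonce: bytes, sample: bytes, tag: bytes) -> bool:
    """Integrity check: was this message produced by a holder of READER_KEY?"""
    expected = hmac.new(READER_KEY, nonce + sample, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


class IntegrityOnlyServer:
    """Checks that the message is authentic and the sample matches. It issues a
    nonce but never remembers it, so a captured message stays valid forever."""

    def challenge(self) -> bytes:
        return os.urandom(16)

    def authenticate(self, msg: tuple) -> bool:
        nonce, sample, tag = msg
        return tag_ok(nonce, sample, tag) and matches(sample, ENROLLED_TEMPLATE)


class FreshnessServer:
    """Same checks, plus: the nonce must be one this server issued and has not
    yet consumed. A replayed message carries a spent nonce and is refused."""

    def __init__(self) -> None:
        self._outstanding: set = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def authenticate(self, msg: tuple) -> bool:
        nonce, sample, tag = msg
        if nonce not in self._outstanding:
            return False  # unknown or already used nonce: replay or forgery
        self._outstanding.discard(nonce)  # consume before any further checking
        return tag_ok(nonce, sample, tag) and matches(sample, ENROLLED_TEMPLATE)


def run_replay(server) -> tuple:
    """A legitimate login, then the eavesdropper resends the identical message.
    Returns (first_attempt_accepted, replay_accepted)."""
    captured = reader_message(server.challenge(), ENROLLED_TEMPLATE)  # sniffed off the wire
    first = server.authenticate(captured)
    replay = server.authenticate(captured)
    return first, replay


if __name__ == "__main__":
    print("integrity-only server (login, replay):", run_replay(IntegrityOnlyServer()))
    print("freshness server     (login, replay):", run_replay(FreshnessServer()))
```

The nonce binding stops only verbatim replay. The captured message still contains the user's biometric data in the clear, which is exactly the page's deeper point: that data cannot be revoked and re-issued the way a key or token can, so it also needs confidentiality in transit and at rest, and should not be the sole factor.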
The other pressing technical challenge for biometrics is the inevitable trade-off between security and convenience. Many people continue to believe the initial promise of biometric technology as a single-factor authentication solution. But providing highly accurate and secure authentication on a person's biometric identifier alone has proven problematic for biometric vendors, who make security trade-offs to increase usability and the overall usefulness of the system.
In practice it has proven very difficult to set the sensitivity of a fingerprint reader, for example, to a point where it is neither an easy target for attacks that produce 'false positives' (false acceptances, which let unwanted users gain access to a system or information) nor prone to locking out a valid user with a 'false negative' (a false rejection) because that person has newsprint or dirt on his or her hands. Tightening the matching threshold lowers the false acceptance rate but raises the false rejection rate, and loosening it does the reverse; no single setting minimises both.
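The trade-off in the preceding paragraph, put into numbers as an added example (this is not code from the original article nor from any RSA Security product). The matcher is assumed to return a similarity score between 0 and 1 for each attempt; the genuine and impostor score lists are constructed, and the 0.01 threshold step and the 'dirty finger' penalty are assumptions for the illustration. The code sweeps the threshold, finds the equal-error point, then shows what happens to valid users when the threshold is pushed to zero false acceptances.

```python
"""Added example: the false-accept / false-reject trade-off behind a match threshold.

A biometric matcher returns a similarity score between the live sample and the
enrolled template; the deployment picks a threshold at or above which the sample
is accepted. The score lists below are CONSTRUCTED for illustration, not measured
data from any product: 10 scores from genuine users and 10 from impostors.
"""

# Constructed sample scores on a 0..1 similarity scale (assumption: higher = more similar).
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.78, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.58, 0.52, 0.49, 0.45, 0.41, 0.38, 0.35, 0.30, 0.25, 0.20]

# Candidate thresholds, 0.00 to 1.00 in steps of 0.01 (assumed granularity).
THRESHOLDS = [i / 100 for i in range(101)]


def false_accept_rate(impostor_scores, threshold):
    """Fraction of impostor attempts the matcher would accept ('false positives')."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_reject_rate(genuine_scores, threshold):
    """Fraction of genuine attempts the matcher would reject ('false negatives')."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def sweep(genuine_scores, impostor_scores, thresholds=THRESHOLDS):
    """Return (threshold, FAR, FRR) for every candidate threshold, ascending."""
    return [
        (t, false_accept_rate(impostor_scores, t), false_reject_rate(genuine_scores, t))
        for t in thresholds
    ]


def equal_error_point(genuine_scores, impostor_scores, thresholds=THRESHOLDS):
    """Threshold where FAR and FRR are closest (the equal-error rate); ties go to
    the lowest threshold. Returns (threshold, FAR, FRR)."""
    return min(sweep(genuine_scores, impostor_scores, thresholds),
               key=lambda row: abs(row[1] - row[2]))


def threshold_for_max_far(genuine_scores, impostor_scores, max_far, thresholds=THRESHOLDS):
    """Lowest threshold whose FAR is within the policy limit, and the FRR that results.

    This is the 'tighten for security' direction of the trade-off: the stricter
    the FAR limit, the more legitimate users are locked out.
    """
    for t, far, frr in sweep(genuine_scores, impostor_scores, thresholds):
        if far <= max_far:
            return t, far, frr
    return None  # no threshold in the sweep satisfies the limit


def degraded(genuine_scores, penalty):
    """Model a dirty or smudged finger: every genuine score drops by `penalty`
    (constructed model, not a measurement of any sensor). Impostor scores are
    unchanged, so at a fixed threshold only the FRR moves."""
    return [round(max(0.0, s - penalty), 2) for s in genuine_scores]


if __name__ == "__main__":
    t, far, frr = equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"equal-error threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
    t, far, frr = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.0)
    print(f"zero-FAR threshold    {t:.2f}: FRR={frr:.2f}")
    dirty = degraded(GENUINE_SCORES, 0.2)
    print(f"same threshold, dirty finger: FRR={false_reject_rate(dirty, t):.2f}")
```

With these constructed scores the equal-error point already rejects one genuine user in ten; insisting on zero false acceptances keeps that rejection rate on clean fingers but pushes it to six in ten once the genuine scores drop, which is the lock-out the article describes.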
The result is that adequate security remains an elusive goal when biometrics are used alone. We believe the best approach is a multi-factor authentication solution that incorporates biometrics as a component used with another method, such as a hardware token or smartcard. One such example is a biometric solution that replaces the 'PIN' on the smartcard, providing the security of a smartcard with the convenience of biometrics.
Biometrics continue to offer significant promise as an 'ease of use' differentiator for leading-edge authentication solutions, but current technological hurdles in the form of false positives and false negatives will limit the use of biometrics as a single-factor authentication panacea for applications that require higher levels of security. Biometrics are likely to gain widespread adoption in the B2B, B2C and extended enterprise markets only when combined with other, proven authentication solutions such as hardware tokens and smartcards.
For details contact Peter Burgess of RSA Security on tel: (011) 258 8502 or e-mail:
