August 10, 2007

Balancing Security and Usability: Biometrics

Biometrics: n. The measurement of physical characteristics, such as fingerprints, DNA, or retinal patterns, for use in verifying the identity of individuals.

In recent years the use of biometrics to authenticate users has become more and more popular. Fingerprint scanners are now readily available at electronics stores and are becoming standard on laptops. This is because fingerprint recognition is an easy and fairly accurate way of identifying a person without the need for them to remember a password. In addition to fingerprint recognition, some buildings have begun using palm scanners and (to a much lesser extent) retinal scanners to identify the person who is trying to get in.

Why Biometrics are gaining popularity:

  • Each person has unique characteristics (fingerprints, palm prints, retinal patterns, etc.), even identical twins, so both duplication and imitation are difficult.

  • It is more convenient for a person to place their hand or finger on a scanner for 1 or 2 seconds than it is for them to type in a password.

  • A person can't give out their fingerprint like they can a password, and it is much more difficult to steal a fingerprint than it is to intercept a password.

  • The cost of implementation is dropping.

  • They are a relatively easy way to add another layer of security to your environment.

Biometrics, like most other forms of security, are best used in layers. So in many cases (especially those involving access to buildings, offices, or vaults) your fingerprint or palm scan is only part of the equation. Many times you must use your fingerprint and, once that is accepted, enter a password or PIN. This type of setup is more secure than having a person use a username/password combination because it requires the person to both know something (their password) and physically have something (their fingerprint), so it becomes very difficult for an intruder to gain access.

There are downsides to using biometrics, however. One major drawback of fingerprints and palm prints is that they can change with age or even with the weather. If your hands are cold, your skin will shrink somewhat and change your fingerprint slightly, and if you have lotion on your hands, or your hands are damp in general, the scanner will get an inaccurate reading. If you are in an environment where employees' hands are prone to calluses or cuts (construction work, for instance), their finger and palm prints may be temporarily altered. The quality of both the equipment and the software that you are using comes into play here. Most fingerprint recognition software can accommodate the slight changes that occur due to weather or dampness, but none will identify the fingerprint if there is a large cut or callus over it.
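The layered check and the matching tolerance described above can be sketched as follows. This is an added example, not code from the original post: the minutiae-point template, the tolerance, the match threshold and the PIN are all constructed assumptions, and real fingerprint matchers are far more involved.

```python
import hashlib
import hmac
import math

# Constructed toy template: a fingerprint is a list of (x, y) minutiae points.
ENROLLED = [(10, 12), (25, 40), (33, 18), (47, 52),
            (60, 30), (72, 65), (80, 22), (91, 48)]
TOLERANCE = 3.0         # assumed: max distance for two minutiae to count as equal
MATCH_THRESHOLD = 0.75  # assumed: fraction of enrolled minutiae that must be found

SALT = b"constructed-salt"  # constructed value, for the example only
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4912", SALT, 100_000)  # constructed PIN


def match_score(enrolled, probe, tol=TOLERANCE):
    """Fraction of enrolled minutiae that have a probe minutia within tol."""
    hits = sum(1 for e in enrolled
               if any(math.dist(e, p) <= tol for p in probe))
    return hits / len(enrolled)


def fingerprint_ok(probe):
    """Layer 1: tolerate small distortions, reject heavily altered prints."""
    return match_score(ENROLLED, probe) >= MATCH_THRESHOLD


def pin_ok(pin):
    """Layer 2: compare a salted, stretched hash of the PIN in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)
    return hmac.compare_digest(candidate, PIN_HASH)


def grant_access(probe, pin):
    """Both layers must pass; the PIN is checked only after the print is accepted."""
    if not fingerprint_ok(probe):
        return False
    return pin_ok(pin)


# Constructed probes: cold skin shrinks the print by about 2%;
# a large cut or callus hides half of the minutiae.
COLD_FINGER = [(round(x * 0.98, 1), round(y * 0.98, 1)) for x, y in ENROLLED]
CUT_FINGER = ENROLLED[:4]

if __name__ == "__main__":
    print(grant_access(COLD_FINGER, "4912"))  # slight change + right PIN
    print(grant_access(COLD_FINGER, "0000"))  # right finger, wrong PIN
    print(grant_access(CUT_FINGER, "4912"))   # heavily altered print
```

Raising `MATCH_THRESHOLD` or lowering `TOLERANCE` makes the scanner stricter and rejects more legitimate users with cold or damp hands; loosening them does the opposite, which is the security and usability balance this series is about.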

Using retina scanners is also very expensive and many people are hesitant to let a laser shine into their eye. Also, contact lenses can cause the scanner to get an inaccurate reading and will cause problems.

However, the use of biometrics is not foolproof. As any form of security becomes popular, there are people looking for ways to get around it. Many people have found some simple ways to trick fingerprint readers into allowing them access. For instance, some were able to lift a previous fingerprint off of the reader using standard fingerprinting techniques used by police (i.e. dust to stick to the oils left behind and removal with tape) and then were able to replicate that print using latex and, in a few cases, using a gummy bear to hold the print temporarily. So stealing a fingerprint may be harder, but it's not impossible. Stealing a palm print is even harder, since palm shape is also taken into consideration and a simple glove wouldn't do the trick, but palm scanners have still been beaten.

Because of these flaws, having a staff aware of the danger of intruders is crucial and will be the topic for the next part of the "Balancing Security and Usability" series.

