Biometrics may not be a catch-all solution

27.06.2005
Von Samantha Perry

Biometric solutions and smart cards are both extremely effective for particular applications. Trying to implement either, or both, as a catch-all, however, is a recipe for disaster.

In the access control space, for example, biometric solutions are only really feasible in areas with a limited number of entrants, a server room, rather than the front door to the head office, for example. For said front door, a smart card is a far more practical solution.

Personal matters

According to Gartner: ?Biometric systems use measurements of physiological or behavioral data to identify people. Recognition of these systems? suitability for some government applications has grown, but organizations in other sectors rarely consider them to be a viable authentication method. Though a biometric can be the single most telling factor when authenticating a user?s identity, concerns about the various systems? accuracy, cost and suitability, combined with a lack of widely accepted technological standards, are preventing mainstream adoption in the corporate sector.?

Chubb Integrated Systems MD, Steven Barry, concurs, adding that biometric readers also take some time to reference an individual signature back to the database and then verify it, making the use of these systems practical only in low-traffic areas.

Further, says Xantium Digital Card Systems director, Anthony Roux, price is a major inhibiting factor. ?Ultimately it is a solutions-driven sector,? he notes. ?You need to understand the customer business case, and how technology can address the problem, if it can address the problem.?

Intelleca MD, Mike Renzon, says that voice biometric solutions are proving valuable in the local market. ?Voice biometric implementations are proving to be particularly successful, because of the level of additional authentication they offer, which results in a solution that not only automates business processes, but also enhances security by introducing an additional authentication level. Compare this to a human agent in a call center, who is able to grant a caller access on the basis of a soft authentication Q&A session based on content knowledge only. In a country like SA, where identity fraud is on the rise, speaker verification is a formidable weapon in the anti-fraud arsenal,? he states.

Close proximity

Smart cards are already commonly used by many corporates for access control and time and attendance applications. That is not the end of the line, however.

Says Gartner: ?The ability to include multiple applications can improve the business case for smart cards. Different applications can be streamlined and made more efficient with their use. The cost of implementation can be defrayed from several cost centers, and, once the physical access control system is in place, the extra cost of adding new applications is lower.?

Smart cards can act as virtual wallets, allowing employees to buy lunch at the canteen, for example. ?If you are going to implement a smart card solution, use it for a number of things,? says Roux. ?Door access, network access, canteen meals and so on - make it worthwhile - you will see real value that way.?

This, obviously, only works in a closed system, and, while the government has plans for a multipurpose smart card in terms of its Hanis system, it is unlikely that it will ?rent? space on these cards to external organizations. In other words - you are not likely to get rid of the myriad access control, banking, loyalty, medical aid, ID and driver?s licence cards, to which we have all become accustomed.

At best, when Hanis eventually arrives, ID and the like will be integrated into one card, and we will just have to keep space in our wallets for the rest.

Something else to remember, says Roux, is that smart cards are not USB sticks, and, beyond carrying small 1KB Java applets, for, example, a wallet application, they cannot carry a large amount of data.

Back to security

In terms of access control and user authentication, biometrics and smart cards work well together. You can, for example, store a user?s biometric signature on a card, so, when the system is asked to authorize it, it does not need to refer back to the database, but can compare the user?s physical trait with the template stored on the card.

Gartner, however, adds a cautionary note, stating that: ?Smart cards within the corporate sector remain niche. Critically, they are held back by the lack of integrated readers as standard within PCs, which forces companies to consider the cost and inconvenience of stand-alone readers. The price of readers has fallen dramatically in recent years -- in many cases they are available for as little as US$10 -- but a standalone reader is inconvenient to users, particularly remote ones.?

Ultimately, as Roux says, it is a solutions game. Make sure that you have a sound business case, and a clear goal in mind, if a smart card or biometric solution can remedy that pain point, go for it, if not...

The biometrics puzzle

Biometric technologies -- including fingerprint recognition, hand geometry, iris recognition, face recognition, signature verification and voice biometrics -- identify and verify people through their physiological or behavioral characteristics. They can be used for a variety of applications, such as access control, time and attendance, transaction authentication, and criminal and civil identification.

Voice biometrics, like all other biometric technologies, uses the authentication process flow of sample capture, feature extraction, template comparison, and matching. Users must first be entered onto the database by creating a reference template of their biometric features. During the authentication process, the live biometric is matched against the stored template, and a match that meets or exceeds a predetermined security threshold allows the person access to the application.