Businesses weigh biometric benefits

Many people may harbour doubts about the technical and ethical viability of government plans for national biometric identity (ID) cards, but increasing numbers of firms are finding that corporate ID cards and biometric technology can deliver tangible benefits.

That was the view of experts at last month's European conference on electronic ID cards, organised by e-business lobby group Eema. They claimed firms are increasingly relying on internally-issued ID cards to tighten physical and network security, aid compliance efforts, and improve staff productivity.

The most obvious benefit of corporate ID cards is that they can tighten the physical security of offices and, when deployed alongside card readers attached to PCs, can ensure network access is confined to authorised personnel. Mike Davies, product manager at security specialist VeriSign, said this capability could help tackle employee fraud, which accounts for 70 percent of all corporate fraud.

While dual-factor authentication using a card and a PIN code is more secure than a single password, security can be tightened further by biometrically scanning staff and checking the results against a central database or against information held on their ID card's chip, according to Lisa White of Deloitte. She claimed biometrics offer the only true identification method, arguing that passwords and access tokens can be lost, stolen or delegated.

Such certainty can also help encourage greater uptake of mobile working, according to Alistair Loe of IT services giant Capgemini. Speaking prior to the Eema conference, he argued that firms will be more comfortable allowing staff to work from home if they know that the workstation is only being accessed by the employee.

But with biometrics proving more expensive than traditional electronic identity cards, experts warned firms deploying the technology should ensure it is a proportionate measure. "There is no one size fits all [with secure access ], " said Tommy Petrogiannis, president of digital signature specialist Silanis Technology. "What technology you choose must depend on the risk profile of what you are trying to authenticate."

For example, it may be advisable for IT directors at a nuclear power plant to deploy biometric scanners for fingerprints and irises, while for most offices a simple electronic swipe card would be more appropriate.

Firms deploying biometric technology also need to develop stringent privacy policies to protect and reassure users, according to Matthew Howell of Capgemini. "As a CIO you need a clear statement about what the information will and won't be used for, where it is stored and how it is secured," he said. "And you need to carry out audits to check the policies are kept to."

He added that many people are suspicious of biometric technology, so any failure to clearly articulate the uses of the technology, and the benefits that staff can gain, could result in internal opposition to any project.

The ability to better verify that a user is who they claim to be, whether it is through electronic identity cards or biometric scans, can also aid firms' regulatory compliance efforts. IT services firm LogicaCMG is currently undertaking a pilot in this area with one investment bank where employees on the trading floor swipe their fingerprint on a scanner before authorising a deal.