Sci-fi security for the next generation

03 Nov 2000


A Computing logo

Imagine walking into your building and the security gates open in response to your spoken word. You sit down at your desktop and a fingerprint reader built into the mouse provides instant and secure access to the corporate Lan.

No passwords to remember (or rather forget) and no users accidentally giving them out to the average cracker who employs the standard "this is systems, can you provide me with your user name and password for an essential upgrade" approach.


In theory, biometric security is the panacea to modern security. Short of some pretty gruesome dismemberment, it is a pretty much foolproof way of securing the weakest points on the company network.

Although the true back-end security will not be altered with the adoption of biometrics, weak passwords account for a frightening number of network security exploits.

Hands-on approach
There are several different biometric approaches to security (see box), with fingerprint recognition by far the most mature and widely adopted. It has been used for decades in the realm of the Ministry of Defence and other such high security government organisations.

There are a number of reasons why this hasn't filtered down the evolutionary technology ladder and landed in the grateful hands of the network manager, not least cost.

"We have some token authentication technology at the moment and we were thinking of adopting some kind of biometric device too," said Alastair Williams, security analyst at Axent. "However, after extensive research we decided that the improvements in security, compared with the prices involved, are simply not enough."

As well as cost - although fingerprint technology has reduced in price significantly over the past 24 months so that the average home user will be able to take advantage - there is a stigma attached to the technology.

People still don't trust it very much. After all, facial scans could be affected by a couple of days' stubble, and voice recognition could be hampered by a heavy bout of the flu.

And then there is iris scanning. Try telling your users that to log on for another day at the office they will have to have a laser shone into their eyes on a regular basis. There will be squeals of disapproval and a healthy amount of paranoia about going prematurely blind. Although there is no reason to worry, users are not always the most rational of people.

Facing the facts
This is one of the benefits that Frances Zelazny, director of corporate communications at Visionics, attributes to the company's facial recognition software: it can be done passively, with little or no input needed from the user.

She also went on to say that the mobile age will be the killer-app for biometric security. "What we are seeing in the next stage of notebooks is in-built cameras. This takes away virtually all of the pricing issues, as well as complexity."

The eventual arrival of smart video phones will really see the company's technology take off, she adds. Will third-generation mobile telephony be the killer app for biometric security?

For now, however, the adoption of biometric security is down to the sheer number of problems that password and PIN access pose. Not only do your users have to remember them, they also - assuming that your company has a decent security policy - have to change them every month.

The number of passwords chosen because they are easy to remember - and hence easy to break - is a constant thorn in the network manager's side. What's even worse is the number of post-it notes stuck on to the side of the average workstation with a password in plain view for all to see.

Passwords are a pain - for both users and network managers alike. But, they are also free. Explaining to the bean-counters upstairs that they will have to pay to replace a free technology is not an easy task.

Security issues
What upgrading to biometric security does not do is strengthen the network as a whole. It improves desktop - and therefore a certain amount of network - security but it is important to remember that it is not the be-all-and-end-all. Simply installing a few fingerprint readers, and retiring to the pub for a pint and a game of pool, will not work.

Another problem with the adoption of the technology is the upheaval it will cause to the company. Not only do you have to install the hardware on each individual desktop, but you must also gather all the relevant biometric data. Additionally, because of the criminality aspect of fingerprinting, not many users will be too happy having their fingerprints taken in a darkened upstairs room.

People imagine biometric security to be foolproof, but this can never be the case. Nothing in life is perfect - and biometrics is no different. There is a certain risk involved, and with most scanning technology this is extremely apparent because you will have to set a threshold under which access will not be granted. This could range from 90 to 99 per cent accuracy.

The lower the threshold, the greater the chance of someone getting into a system they are not supposed to. Set the threshold too high and frustrated users, refused access nine times out of 10, will be breaking down your door. It's a compromise between security and usability.
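The trade-off described above can be made concrete by sweeping the threshold over a set of match scores and counting both kinds of error. This is an added example, not part of the original article; the scanner is hypothetical and the score lists are constructed for illustration.

```python
# Constructed match scores (per cent similarity) from a hypothetical scanner.
# GENUINE: rightful users presenting their own finger; IMPOSTOR: everyone else.
GENUINE = [99, 98, 97, 97, 96, 95, 95, 94, 93, 92, 91, 90, 88, 85, 80, 72]
IMPOSTOR = [40, 45, 52, 55, 58, 60, 63, 66, 70, 74, 78, 82, 86, 89, 91, 93]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_accept_rate, false_reject_rate) for one threshold.

    Access is granted when score >= threshold, so a false accept is an
    impostor at or above it and a false reject is a genuine user below it.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds):
    """Return [(threshold, FAR, FRR), ...] for each candidate threshold."""
    return [(t, *rates(t)) for t in thresholds]


def best_threshold(thresholds, max_far):
    """Pick the threshold with the fewest false rejects among those whose
    false accept rate stays within max_far; None if no threshold qualifies."""
    ok = [(frr, t) for t, far, frr in sweep(thresholds) if far <= max_far]
    return min(ok)[1] if ok else None


if __name__ == "__main__":
    # The article's range: thresholds from 90 to 99 per cent.
    for t, far, frr in sweep(range(90, 100)):
        print(f"threshold {t}%  false accepts {far:6.1%}  false rejects {frr:6.1%}")
    print("tightest usable setting with zero false accepts:",
          best_threshold(range(90, 100), max_far=0.0))
```

On this constructed data, a 90 per cent threshold lets two of the 16 impostor attempts through, while a 99 per cent threshold rejects 15 of the 16 genuine attempts.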

Under attack
We have already hit upon the fact that biometrics will not improve the security of your back-end systems, but they can also add another potential vulnerability. The physical link between the authentication point and the host system could be vulnerable to attack - however unlikely.

"There was a security demonstration in the US by this fingerprint recognition company that challenged people to break through its defences," says Axent's Williams.

"Hackers somehow managed to create a copy of the fingerprint. So the company went away and built in heat detection; the hackers heated up the copy and got through again. The company still couldn't keep out the hackers even when it included a pulse detector, and so in the end gave up."

Ultimately, it is extremely difficult to determine exactly how secure biometric devices are. The actual scanning accuracy is dependent on the threshold that the administrator assigns to it, and more hardware and links equal more possible vulnerabilities. This may hold the technology back.

Until vendors can come up with some kind of methodology that outlines the true security advantages and disadvantages, administrators will be unlikely to take the plunge.

What's right for you?
As we have mentioned, there are many different methods of biometric authentication, not all of which will be suitable for your needs. However, because of the range of products, there will always be a solution that fits.

"There are many things that you will need to consider when implementing biometric security that will influence your decision about what particular devices to go for," comments Visionics' Zelazny. "For example, do you want users to know that they are being checked? If not, then facial recognition is a good option because all you need is a camera hidden away somewhere.

"Because of this a lot of our customers tend to be banks, large financial organisations and government agencies."

If, however, you need to give users simple and intuitive access to a corporate Lan then fingerprint recognition, or maybe voice recognition, could be the way forward.

The new mobile age is a difficult kettle of fish. Feasibly all the different systems can be used on a mobile device - assuming that they are sophisticated enough. However, voice recognition would probably put the least amount of money on top of what already promises to be an expensive device.

"I would agree with that," says Williams. "I have already seen phones with these types of cameras in them, so cost will not be an issue. It will simply be a case of improving the reliability of them."

Things to remember
When looking to implement a biometric security system, there are a number of factors to consider. First, identify the business and operational requirements clearly, as well as any problems with your current system. Ask yourself what real benefits you are likely to see.

If the benefits are significant enough, then develop a suitable methodology for the roll-out and adoption of such technology. You should also clearly quantify logistics such as the number of users, price, target transaction time and so on.

Ensure you analyse your existing situation to identify legacy requirements and system interaction - it will be necessary to maintain compatibility with many existing processes. Equally, you should design a system architecture that accounts for all of the above while still remaining open for future development.

Ultimately, choose the right front-end technology for your needs, and ensure you thoroughly test and document the system before going live.

Biometric security for the corporate Lan is still not there. In specialist areas - namely high security - the technology is being adopted and rolled out, as price is not such an issue. Until the prices start to tumble, we need to start burning the Post-it notes, and sending users on an intensive memory improvement course.

Identity Parade

Fingerprint recognition
Fingerprints have up to 50 unique points of recognition that can be scanned. Although fingerprint scanners are simple to use, not everyone has a recognisable print. For example, a factory in the US found that the prints of many of its employees had been worn away to such a degree that they were unreadable. There is also a certain stigma attached to fingerprints as people tend to associate them with criminality.

Handprint recognition
Although there is no criminal association, handprint recognition is far less accurate than fingerprint.

Iris scanning
Iris scanning is far more secure than the fingerprint alternative because it has 266 unique points of recognition. On the downside, it is still a relatively immature technology, and many people are wary of having their eyes scanned.

Retina scanning
Although as accurate as iris scanning, the technology has a number of disadvantages. While iris scanning scans the front, coloured area of the eye, retina scanners measure the back, black area. For this a much brighter laser is needed, and the subject must stand a lot closer to the scanner.

Facial recognition
Because the only specialist hardware that is needed is a camera, facial recognition systems can be relatively cheap. The downside is that the face has only 15 to 20 points of recognition, which makes it less secure than the alternatives.

Thermal recognition
Measures the heat emissions from a subject's face. Obviously the kit needed to carry such tests out is hugely expensive, but then you pay for what you get. There are 19,000 unique points of recognition and the system will not be fooled by ageing, external temperature or whether a subject has been exercising.

Signature metrics
This method analyses the shape of a user's signature. Although it seems to be a slightly dated approach, it is quite accurate.

Voice analysis
As the name suggests, this system measures voice patterns. Because of the growth-rate we are experiencing in mobile communications, voice recognition could become extremely important. Before that happens, though, a number of problems will have to be ironed out, such as when a user is tired, ill or under stress.
