Physical Security: Biometrics
Biometrics are the wave of the future for access control. Everything you’ve seen, from placing your eye up to a scanner to read the blood vessel configuration to fingerprints and palm prints, is being used today and is becoming more widespread. (I suppose someday we’ll have to worry about people of bad intent chopping off the limbs of employees to gain access by placing their severed hands on the monitors. I can’t imagine what we’ll put in the security manual to cover that….)
If you’re dying for a complete explanation of passwords—and password cracking—you’ll find fulfillment in an upcoming blog on passwords. For now, the important point is that the forces of evil are getting better at cracking longer and more complex passwords. I could point to numbers crunched by a bunch of really smart guys which irrefutably demonstrate that a complex password—that is, one comprised of a long string of seemingly random letters and numbers—would take a whole bunch of years to crack using today’s technology. The bottom line is that passwords remain vulnerable. First of all, passwords that are longer, more complex, and forced to expire more often tend to get written down, thereby diluting their effectiveness. Further, the key phrase above is “today’s technology.” Once the forces of evil start using tomorrow’s technology, the password as we know it may become obsolete.
There are various kinds of biometric technologies for which a given bodily or behavioral characteristic is recorded, digitized, and stored. They fall into two main categories – physiological and behavioral. Physiological factors include the face, fingerprints, hand, iris, and even DNA. Behavioral factors include keystroke speed, signatures and voice. In reality, the entire hand, face, or whatever is not entered into the database. Only specific data points are recorded. Then, when a user needs access, he presents his hand, face, whatever to a reader, and the relevant data points are gathered and compared to the stored data. Close enough match? You’re in! Which raises another interesting point: how close does the match have to be, and can these systems be fooled by tape recording someone’s voice, or lifting the fingerprint off of a used wine glass?
A by-no-means-comprehensive overview of common biometric techniques includes:
- Fingerprints: Familiar to anyone with fingers; also, one of the most data-intensive since in this case the entire fingerprint is recorded. Some laptops now come with a fingerprint scanner as standard. While you might forget your screensaver password, you probably will never forget to bring your fingers with you when you’re using your PC.
- Hand geometry: A measure of the size and shape of your hand and fingers. Although hand geometry works well in conjunction with another method, such as swiping an access card, it is not suitable as a standalone authentication method, as the shape of one’s hand is not as unique as one’s fingerprints, nor is it extremely stable, as our hands swell and shrink throughout the course of the day.
- Retinal scan: A recording of the blood vessels on the back of your eyeball. In spite of the popularity of this technique in a wide range of spy movies, this biometric is not one of the more reliable, as changes in your blood pressure (which occur throughout the day) can alter the pattern.
- Facial scan: Employs a technology which records either the physical characteristics (your bone structure) or the pattern of blood vessels beneath your face. Even inexpensive cameras now can automatically recognize that there are faces in a picture about to be snapped.
- Keystroke dynamics: Each of us has a reasonably consistent style—speed and force—when typing. These differences are measured and catalogued. Among the specific measurements recorded are overall typing speed, the time needed to find the letters in the test phrase, and the time each key is held down.
For users, otherwise known as people or human beings, acceptance usually hinges on how “intrusive” the technology feels.
Most people see fingerprints as fairly innocuous. Retinal / iris scanners, which require you to put your face into a contraption, are less well received.
While acceptance by users is key for adoption, even more critical for the organization is reliability. Face and voice recognition tend to have a lot of false rejections, that is, denying access to someone who is authorized. Keystroke recording, on the other hand, has a higher rate of false acceptance. While false rejections are an irritating inconvenience, false acceptances undermine the integrity of the system.
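The "close enough match" decision and the false rejection / false acceptance trade-off described above can be seen in a small keystroke-dynamics matcher. This is an added example, not code from the original post: the hold times, the thresholds and the mean-absolute-difference score are all constructed for illustration and do not represent any particular product's algorithm.

```python
# Constructed sample data: key hold times in milliseconds for a 4-key test phrase.
ENROLLMENT = [[100, 120, 90, 110], [104, 116, 94, 106], [96, 124, 86, 114]]
GENUINE = [[102, 118, 92, 108], [110, 130, 95, 115],
           [95, 125, 85, 120], [120, 140, 100, 130]]
IMPOSTOR = [[140, 90, 130, 80], [110, 135, 100, 120],
            [80, 150, 70, 140], [125, 100, 105, 95]]


def build_template(samples):
    """Average the enrollment samples per key: the stored 'data points'."""
    return [sum(col) / len(col) for col in zip(*samples)]


def distance(template, attempt):
    """Mean absolute difference in ms; 0 means a perfect match."""
    if len(template) != len(attempt):
        raise ValueError("attempt does not cover the same keys as the template")
    return sum(abs(t - a) for t, a in zip(template, attempt)) / len(template)


def accept(template, attempt, threshold):
    """'Close enough match?' - accept when the distance is within the threshold."""
    return distance(template, attempt) <= threshold


def error_rates(template, genuine, impostor, threshold):
    """Return (false rejection rate, false acceptance rate) at one threshold."""
    rejected = sum(not accept(template, g, threshold) for g in genuine)
    accepted = sum(accept(template, i, threshold) for i in impostor)
    return rejected / len(genuine), accepted / len(impostor)


def sweep(thresholds=(5, 10, 15, 20)):
    """Show how loosening the threshold trades false rejections for false accepts."""
    template = build_template(ENROLLMENT)
    return {t: error_rates(template, GENUINE, IMPOSTOR, t) for t in thresholds}


if __name__ == "__main__":
    for threshold, (frr, far) in sweep().items():
        print(f"threshold {threshold:>2} ms  FRR {frr:.2f}  FAR {far:.2f}")
```

On this constructed data no threshold drives both error rates to zero, which is why a deployment has to choose which error it can better tolerate.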