Getting a Handle on Biometrics

What is it?
In today’s usage, technology that uses unique biological attributes, such as fingerprints or iris patterns, to identify a person.

PDF Download

How does it work?
A system consists of an input or reader device, stored biometric data on known users and software that performs matches. Rather than storing a complete picture for each person, a system uses an algorithm to create a template based on data points gathered from an initial reading. In simple configurations, the data is matched against a local database or a token, such as a smart card; more complex systems match against a central database. An open (one to many) matchidentifies who the user is, and a closed (one to one) match verifies that the user is who he claims to be. Various application programming interfaces, now being standardized, let companies customize and integrate biometrics into their networks.

What about privacy?
Many people fear that identifying information will be shared without their consent or used to track their movements. Most systems are benign, however; the algorithms used to create a user template are generally proprietary, so templates don’t match across systems. Law enforcement agencies are starting to use facial features to track movements, but these systems aren’t practical for commercial use. In the workplace, biometrics is more about increasing convenience than invading privacy. Most companies already enforce password authentication, and many use security badges. Biometrics can make these controls more transparent to users.

What other issues are there?
Cost, and reliability. Fingerprint scanners, though much cheaper than they were two years ago, still run at least $50 per unit—too expensive for widespread corporate use. Reliability is also an issue. Some systems are prone to environmental variables, such as lighting or whether the user has a cold. Facial recognition is particularly susceptible: A recent government study showed that rejections rise precipitously as time passes since a template was created. Other techniques, like iris scans, can be hard to use, causing problems with template-creation or subsequent matching. And some people simply don’t generate a unique template. These variables result in the discrepancies in reported error rates for false acceptances and false rejections.

Who’s using it?
State and federal agencies are the early adopters. California, for example, scans fingerprints to prevent benefits fraud. Most commercial efforts are pilot projects, with financial services and health care leading the way. Companies planning for biometrics are still reluctant to draw attention to the fact—notable exceptions include Home Shopping Network (voice recognition), Bank of America (palm scanning) and McDonald’s (fingerprint-authentication pilot).

What’s next?
Better interoperability with other authentication systems, and widespread use in business and consumer devices. Windows XP includes a standard programming interface for biometric devices, Dell and Acer offer laptops with biometric devices built in, and USB fingerprint-scanning mice are now on the market.

Background Reading: is a good starting point; a Department of Defense study on facial biometrics is at