Shana Smith (Editor: Veronique Autphenne)

In a world that gets smaller and smaller every day, with technology that gets more and more advanced, it is little wonder that protection is emerging as a major consumer market. People want to protect their homes, their bank accounts, their Internet correspondence, even the right to sit in front of their own computers. Businesses desperately want to beef up both internal and external security. Social services want to insure that government benefits are going to the proper recipients, and parole officers want a break from time-consuming duties as their clients' personal monitor. What can fulfill these and other security requirements? The answer lies in personal authentication devices.

The two primary technologies that will help business and individuals alike are authentication tokens and biometrics. Tokens augment network security by requiring users to possess something in addition to knowledge of a password (Broderick 1997). The most talked about type of token on the market is the so-called smart card. These are credit card-size tokens with embedded microprocessors and memory that can potentially provide more secure access to network resources than software-based methods. Such cards are already frequently used in Europe and in other countries for automatically paying tolls, making telephone calls, authorizing access to pay-TV or restricted facilities, carrying medical data, and performing bank transactions (Peterson 1997).

Biometrics involves using an actual physical feature of the user to authenticate access to a network. These features range from handwriting to voice to fingerprints and eye pattern recognition. Biometrics can be used instead of or in conjunction with authentication tokens to improve security. The first commercial biometric was a handreader, introduced in 1974. Used by a Wall Street firm, this handreader monitored employee attendance. Already, more than 10,000 facilities -- including prisons, day care centers, corporations, and sperm banks -- monitor people’s fingerprints, retinas, or other physical traits to insure identity verification.

The most widely deployed biometric device, supported by twenty years of law enforcement use, is the fingerprint scanner (Anonymous 1997). Fingerprint-scanning uses a digital camera to capture the image of fingerprints, then stores this information on servers that have imaging software. Iris scanners have the same notion behind them; they simply use a different part of the body (Violino 1997b). Probably the most widely used commercial biometric system is the Handkey, which reads the unique shape, size, and irregularities of the human hand (Anonymous 1997). Because of our unique genetic make-up, biometrics could be the best way to authenticate users.

Smart cards and the microcontrollers that read them are on the market and continue to be tested for combined use with other applications, as well as for security problems. Makers of these devices include SGSThomson Microelectronics, Siemens, Philips, NEC, Motorola, Fischer International, and SCM Microsystems. In February of last year, Fischer introduced Smarty, a plug-in device for disk drives with a slot that accepts smart cards. SCM’s SwapSmart is a PC card, compatible with standard PC slots, and can accept and read smart cards. SCM’s SwapSmart Developer’s Kit was priced at $499 and allows the user to create applications in electronic commerce authentication, authorization, and access control (Jones 1997).

Some biometric systems don’t run at this expensive range. Identix Corporation of Sunnyvale, California sells its finger scanner for $200 each. Connecticut’s Department of Social Services, by using a fingerprint-ID system to catch cheats, has saved $9 million dollars since January 1996. Welfare recipients simply show their fingerpads when picking up their checks. The head of this program, David Mintie, plans on purchasing more of the scanners when the prices drop, which he says they do drastically every six months (Violino 1997b). Verdicom’s fingerprint sensor, which can be used with public and private keys and digital signatures, was priced at $300 at the end of 1997, and the company’s CEO predicts that the cost will eventually drop to about $100. This stamp-sized reader represents a huge boon for the market, because the reader-on-a-chip can be built into a computer keyboard or a mouse, allowing verified users to gain access to a PC or notebook (Violino 1997b).

Another type of biometric security, though a much more costly type, is the iris scan. Sensar’s IrisIdent, which includes the optical camera and processing platform, as well as a Pentium processor and platform, comes to a total of about $6,500. CEO of the company, Thomas Drury, predicts that lower-cost systems will be rolling out in about eighteen months, but in the meantime he expects price to become less of a factor as companies leverage investments they are already making in videoconferencing cameras (Violino 1997b).

Face recognition technology systems start at $300 with Vision Corp. (Metuchen, NJ), whose system includes a video camera, video board, and face-recognition software, and runs on Windows NT and Windows 95 PCs (Violino 1997b). One-on-One, made by Identification Technologies International (Coral Gables, Florida) sells for $2,000 to $3,000 a unit, includes software, and is PC compatible (Davis 1997).

In a little-known but fast-growing industry, all of these technologies follow the recognized pattern of most other technologies; they start out at an expensive sum and eventually become affordable if the market allows them to survive. And it seems that many of these companies may, indeed, do just that. Last year, sixty biometric companies worldwide grossed at least $22 million, according to studies at CardTech/SecureTech (Anonymous 1997).

APPLICATION

According to a survey of 563 businesses conducted by the Computer Security Institute, security breaches amounted to a loss of $100 million dollars in 1996 (Violino 1997a). Another survey of IT and security managers, conducted by Information Week and Ernst & Young, found that, of 1,320 North American companies, nearly 80 per cent realized a financial loss due to ‘information security and disaster recovery’ during the previous two years. Twenty-five per cent of those companies who incurred a loss said that it was up to $250,000 (Violino 1997a). It is little wonder that perhaps the largest demand for authentication devices comes from corporations. In Tokyo, a leading supplier of ATMs (OKI Electric Industry Company) recently contracted with Sensar Inc. for $41 million to use Iris Scan’s (Mt. Laurel, New Jersey) patented iris identification system to protect banks around Japan (Davis 1997). Mastercard is already running commercials featuring Indicator’s (fingerprint) scanning devices. Government agencies are also contracting authentication systems to monitor correctional facilities, parole programs, and social programs.

Personal authentication systems are, to a certain extent, a technologically driven development. Ever-evolving developments in technology make it necessary for large businesses, organizations, and even private individuals to seek out ways to protect access to their private information. Beyond this, however, authentication systems fulfill an already existing need in society to improve efficiency. Take, for instance, the revenue saved in Connecticut’s welfare programs. As these applications become more affordable and widespread, that need will trickle down to the average consumer.

Both authentication tokens and biometrics have their inherent problems. Smart cards can be lost or ‘broken into.’ There is also the problem that PC Card slots, while standard on laptop computers, remain an anomaly on desktops. The industry continues to work on the blips, and interest is growing, despite these security concerns. Some companies, like Siemens, foresee the combination of smart cards with biometrics: ‘We will use fingerprint sensing to match a smart card user to his smart card,’ says a Siemens representative (Gale 1997:18).

Commercial outlooks for biometric technology are sunny. Industry revenues are expected to triple from 1996 levels of $16 million to $50 million by 1999. It is estimated that the number of biometric devices in use will rise from 8,550 to 50,000 in that time (Davis 1997). There is a problem, however, with standards. About 100 vendors sell patented biometric systems that cannot communicate with each other. It is expected, however, that standardization will win out as the technology infiltrates the market (Davis 1997).

There is also the issue of privacy. Public concern has arisen over the potential for improper use of such information distribution. For instance, an insurance company could access a user’s purchasing patterns, and raise that person’s premiums if it observes too much alcohol or tobacco consumption. One answer to this lies with one-to-one. With this system, a smart card -- not a database -- holds the sensitive information. When identification is required, a biometric reader simply matches the appropriate body part with the card’s data (Davis 1997). Hence, all of the information remains in the user’s control.

And, finally, there is the problem of body part standardization. ‘With any device, some portion of the population - 1 to 3 per cent – doesn’t have that biometric,’ as one expert notes (Davis 1997). The only real answer to this seems to be with DNA testing. ‘Everyone seems to have DNA,’ but for now such testing requires a time lapse and is considered intrusive. Such anatomical standardization is down the road, when biometrics works out the other kinks in the system. And by then, it is anyone’s guess the route that personal authentication will have taken.

Anonymous (1997) ‘The keyless society’, Maclean’s, v110n34, 25 August.

Broderick, J. (1997) ‘Who knows who you are?’ Infoworld, v19n24, 16 June.

Davis, A. (1997) ‘The body as password’, Wired, Issue 5.07, July.

Gale, B. (1997) ‘Bold designs for global market shown’, Electronic News, v43n2169, 26 May.

Jones, C. (1997) ‘Latest smart cards get friendlier with PCs’, Infoworld, v19n7, 17 February.

Peterson, I. (1997) ‘Chinks in digital armor’, Science News, v151n5, 1 February.

Violino, B. (1997a) ‘Collapsing the fortress walls -- data insecurity still plagues distributed systems’, Information Age, Issue 946, 24 March.

Violino, B. (1997b) ‘Biometrics -- body language -- fingerprints, faces, even eyes are the new keys to protecting secure systems’, Information Age, Issue 644, 18 August.

BACK TO HOME PAGE