Forget your password -- fingerprint scans more and more common

[InfoSec News <isn () C4I ORG>]

http://www.techserver.com/noframes/story/0,2294,500281551-500442563-502858611-0,00.html

By BRIAN BERGSTEIN, Associated Press

(November 20, 2000 7:09 a.m. EST http://www.nandotimes.com) - City
workers in Oceanside, Calif., were drowning in passwords. One password
for e-mail, another to see water billing records or police reports,
all on top of the codes and PIN numbers they had to keep straight off
the job.

Time and money were wasted answering up to 30 calls a day from workers
who forgot or lost passwords.

Now, those calls are down to one or two a week.

Two years ago, Oceanside began installing mouse-sized fingerprint
scanners at city computers. So instead of fumbling for a password,
city workers now need only place finger to scanner to get onto the
network.

"It's been a big success," said Michael Sherwood, the city's
information technology director. "The only thing we're wondering is,
why hasn't the rest of the world caught on?"

Biometric devices that identify people by physical characteristics -
such as eye patterns, voice tones and handprints - have been the stuff
of cinema for decades.

In the real world, prohibitive costs have restricted their use mainly
to government offices and military bases.

Until now, that is.

As sensitive and important business are increasingly conducted online,
biometrics' day may finally have come. Within the next year, mobile
phones and personal computers will have fingerprint scanners as
optional equipment, providing convenience as well as increased
security.

Passwords can be easily stolen. Fingerprints can't.

That's why government benefits such as welfare payments are
increasingly being secured with biometrics, and why the U.S.
Immigration and Naturalization Service relies on handprint scans to
help some 45,000 frequent international travelers re-enter the country
speedily at six major airports without a passport check.

At the huge Comdex high-tech trade show earlier this month in Las
Vegas, dozens of biometrics companies competed for attention, pushing
everything from voice-recognition software to programs that can
purportedly distinguish computer users by how they type their
password.

"Before it was this James Bond kind of stuff, with retina scans, that
kind of thing," said Sean Berg, security segment manager at Dell
Computer Corp., which will offer fingerprint scanners on cards that
plug into laptops. "Now it's much more prevalent, much easier to use
and much more affordable for the consumer."

The scanners on Dell laptops, designed to restrict access, will cost
more than $100. That's about what Oceanside paid for the devices it
bought - which Sherwood says easily paid for themselves in saved labor
costs.

Sales of biometric-related hardware and software amounted to only $60
million last year, but that figure is expected to reach the hundreds
of millions by 2002 or 2003, said Arabella Hallawell, a Gartner Group
analyst.

Biometric devices are also expected to get a boost because they can be
used to initiate digital signatures, which last month became a legally
legitimate means of making online transactions in the United States.

"With e-business, as you get much more deeper, richer types of
services offered, you're going to need to know with some level of
precision that the people on the other end of the computer,
Web-enabled phone or kiosk - you have to make sure they are who they
say they are," Hallawell said.

Some devices seek to replicate the real-world signing process with an
electronic pad and pen-like instrument - which supposedly can detect a
forgery by measuring the speed, pressure and motion of how someone
signs their name.

Other systems use a combination of biometrics for increased security,
such as the BioID from Germany's Dialog Communication Systems Inc.,
which identifies a person by their face, voice and lip movement. Such
a system could be employed to restrict access to high-end servers and
networks.

Consolidation in the industry is expected to lead to similar
combination products, and bring prices down further.

Biometrics "is clearly a hot emerging technology category, because it
solves a real-world problem people keep pointing to," said Grant
Evans, executive vice president of Sunnyvale-based Identix Inc., which
makes fingerprint scanners and has partnerships with Compaq Corp.,
Motorola Inc. and Dell.

This year, Bank United of Texas placed ATMs in Houston, Dallas and
Fort Worth that can recognize customers by patterns in their irises -
no cards or PIN numbers necessary - using technology developed by
Sensar Inc., which has since merged with Iridian Technologies Inc.

The iris-scanning machines, which cost $5,000 more than a standard
ATM, were popular with customers who chose to use them, said Bank
United spokesman Vern Stockton. The experiment is unlikely to go any
further for now, he said, because the bank is being acquired by a
bigger outfit, Washington Mutual.

Biometrics still has some big hurdles to overcome, however.

First, the industry must define standards so software can be written
to work with various kinds of biometric devices.

Biometrics got a big boost in that direction in May, when Microsoft
Corp. said software that will enable biometric devices to work with
PCs would be embedded in future versions of its Windows operating
system.

Second, biometrics companies must deal with privacy concerns, assuring
potential users that their devices do not catalog personal
information.

"I think people are a little bit suspicious that there will be some
national database that will be put together and people will be
tracked. I think that's a false fear," said James L. Wayman, an
engineering professor at San Jose State University and former director
of the U.S. National Biometric Test Center.

For example, fingerprint scanners do not keep the prints themselves on
file, but merely record where patterns on the fingers end or change
directions. That template of "minutiae points" cannot be used to
re-create the original fingerprint, only to confirm that the print
belongs to the right person, someone allowed to gain access.

Also, biometrics companies will have to prove their solutions are
better and more practical - or at least an enhancement - to "smart
cards," plastic cards embedded with computer chips that can be easily
encoded with security-related information and could soon be widely
embraced as digital keys for the Information Age.

Biometrics could also be foiled by phenomena as power failures and
computer glitches - especially in the developing world.

Even so, the biggest reason why biometrics could be on the verge of
exploding is that there's nothing for a user to forget.

"You always bring your credential with you," said Manny Novoa, a
security architect and biometrics expert at Compaq. "You bring your
fingers with you everywhere you go."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".