21 Feb 2006

Biometrics help secure airports around the world, but the protection doesn’t stop there. Nathan Cummings explores the application of biometrics further.

Travel to the United States, and chances are good that at the gate, you’ll be greeted by a machine rather than a person. Like a customs agent reading a passport, these machines use physical features to confirm that you really are who you claim to be – except that unlike a person, they can’t be fooled, bribed or cajoled.

That’s exactly the high level of security that today’s airports demand. It’s also why the United States isn’t alone in aggressively adopting biometrics. Hong Kong, for example, plans to begin issuing passports with digital fingerprints in early 2007 so that their citizens comply with the security requirements of other countries, including the United States.

Travellers aren’t the only people at airports who are carrying biometric identification. Between 12 and 15 million U.S. Transportation Security Administration employees will receive biometric smart cards. Some airports already use biometrics to control access to restricted areas such as tarmacs and baggage loading. For example, in 2002, the Greater Rochester International Airport in New York deployed a facial-recognition system that uses biometric information stored on smart cards supplied by HID.

The United States’ neighbors also are adopting biometrics. In 2004, the Canadian Air Transport Security Authority began deploying biometric smart cards at the country’s major airports as part of its two-year-old Restricted Area Identification Card program. The initiative includes 200,000 multi-technology contactless smart cards from HID, with features such as anti-counterfeiting measures, upgradeable contact chips and write/erase/rewrite capabilities.

Why Biometrics?

Biometrics are ideal for a wide variety of applications besides transportation security. For example, many enterprises use biometric information such as fingerprints, irises, retinas and voices to control access to buildings and to computers. The appeal is hard to miss: Users can’t misplace a body part or have it stolen, the system is authenticating a person rather than a card, and the authentication process is fast and easy. The faster and easier that a security process is, the less likely users are to try to find a way to circumvent it. If biometrics weren’t convenient, the U.S. Department of Homeland Security’s “Registered Traveller” program for frequent fliers wouldn’t be using biometrics to streamline the checkpoint process without compromising security.

The business case also is attractive because biometrics help reduce overhead costs. Nearly 40% of calls to corporate help desks are about lost or missing passwords, according to Compaq. Biometric-based smart cards significantly reduce those calls, yet the technology actually improves security in the process because unlike passwords, users can’t tape biometric information to the bottom of their keyboard, be tricked into divulging it or forget to change it periodically.

Biometrics and Smart Cards

Although biometrics provide high security on their own, they’re often paired with other technologies. For example, suppose that to enter a secure area, a company requires employees to swipe a smart card and then have their fingerprint scanned. If that biometric information is stored in the company’s database, the second stage of this two-factor authentication process can be completed much more quickly because the system knows which archived fingerprint to look at rather than searching the entire database for a match. Regardless of the technology it uses, the faster and easier that a security process is, the less likely users are to try to find a way to circumvent it.
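The difference between looking up one archived fingerprint and searching the whole database can be shown in a short sketch. This is an added example, not code from the article or from any vendor it names; the random bit-string templates, the Hamming-distance matcher, the threshold and the employee IDs are all constructed stand-ins rather than a real fingerprint format.

```python
import random

TEMPLATE_BITS = 2048     # constructed toy template size, not a vendor format
MATCH_THRESHOLD = 0.32   # assumed: max fraction of differing bits for a match

def distance(a, b):
    """Fraction of bits that differ between two templates."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS

def enroll(count, rng):
    """Constructed database: employee ID -> archived template."""
    return {f"EMP{n:05d}": rng.getrandbits(TEMPLATE_BITS) for n in range(count)}

def fresh_scan(template, rng, flipped_bits=100):
    """Simulate a new reading of the same finger: close, never identical."""
    for pos in rng.sample(range(TEMPLATE_BITS), flipped_bits):
        template ^= 1 << pos
    return template

def verify(db, card_id, scan):
    """Card first (1:1): the card names the record, so one comparison."""
    archived = db.get(card_id)
    if archived is None:
        return False, 0
    return distance(archived, scan) <= MATCH_THRESHOLD, 1

def identify(db, scan):
    """No card (1:N): every archived template has to be compared."""
    best_id, best, comparisons = None, 1.0, 0
    for emp_id, archived in db.items():
        comparisons += 1
        d = distance(archived, scan)
        if d < best:
            best_id, best = emp_id, d
    return (best_id if best <= MATCH_THRESHOLD else None), comparisons

def demo(population=5000, seed=7):
    rng = random.Random(seed)
    db = enroll(population, rng)
    scan = fresh_scan(db["EMP04242"], rng)
    accepted, one = verify(db, "EMP04242", scan)
    found, many = identify(db, scan)
    # Same finger presented with a colleague's card: the second factor fails.
    wrong_card, _ = verify(db, "EMP00001", scan)
    return accepted, one, found, many, wrong_card

if __name__ == "__main__":
    print(demo())
```

With the card, the match costs one comparison; without it, the same scan costs one comparison per enrolled employee, and each of those comparisons is also another chance for a false match.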

Biometric information also can be stored on the smart card by using templates to reduce the amount of memory required. For example, a complete fingerprint image takes up 50-100 kilobytes, depending on the resolution, but the template version requires less than 2 kilobytes. By using minimal memory, the cost of the smart card can be reduced, and other applications have more memory to work with.

Cost and flexibility are two more reasons why biometrics are often paired with smart cards. For example, although biometrics are deployed in places such as airports, the network of support infrastructure is still developing and hasn’t yet reached the point of ubiquity. Biometric smart cards dovetail nicely with that trend because they do double duty, enabling biometric-based security in places where the technology is deployed and working with established, widely deployed authentication systems.

Smart cards also give biometric systems more flexibility to evolve. As a 2004 Frost & Sullivan report noted, “A secure ID system using smart card and biometric technology provides improved system return on investment through the flexibility and upgradation that smart cards provide, allowing support of different authentication methods and multiple evolving applications.”

Finally, smart cards can carry information that biometrics can’t. For example, a fingerprint can’t provide that person’s account number or employee ID, but a smart card can.

Balancing Security and Privacy

Airports highlight the balancing act that today’s security solutions must achieve. As a mainstream application, biometric passports must be convenient and user-friendly, or else travellers and airport personnel may be tempted to look for ways to circumvent their security features. At the same time, convenience isn’t an excuse to compromise security.

Biometric smart cards also deftly balance privacy and security. For example, smart cards have enough processing power and storage capability to be considered mini computers. As a result, they’re able to engage in a peer-to-peer relationship with other secure devices. This approach offers greater protection of the cardholder’s private information than if it were stored in a database, which could be compromised. When smart cards store biometric information, users literally hold control over when, where and how their personal identity information is shared. That control is key for winning public support for security mandates that use biometrics.

Standards and Selection

For companies and government agencies looking to deploy biometric security, the good news is that there are plenty of hardware and software choices. For example, the BioAPI Consortium currently has more than 90 members, including hardware vendors, systems integrators and application developers. This growing ecosystem ensures that customers have a wide, comprehensive selection, so they don’t have to cobble together solutions on their own. (For a detailed list of biometrics vendors, see www.biometrics.org/html/examples/examples.html.)

Companies and government agencies also benefit from standardization. For example, the BioAPI Consortium began developing an application programming interface (API) in April 1998 and released the first version in September 2000. Now an American National Standards Institute (ANSI) standard, the API helps application developers and users by creating a platform that works across all BioAPI-compliant devices and with multiple operating systems. (More information about BioAPI is available at www.bioapi.org.)

This flexibility means that an application can use multiple types of biometric devices, so developers get a write-once, run-many environment. Meanwhile, business users and consumers can use their biometric smart cards to access everything from buildings to bank accounts – and without having to wonder whether their smart card will work with one application but not another.

The worldwide biometric market is expected to grow from $1.4 billion in 2004 to more than $4 billion by 2007, according to the International Biometric Group, a research firm. Biometrics wouldn’t be enjoying that success if it didn’t provide the right mix of security, user-friendliness and privacy. That’s why although airports might be the first place that you encounter biometrics in the United States, they won’t be the last.