The Most Secure Security
Biometrics is making inroads in security technology
 

Until recently, San Francisco International Airport was in a state of crisis. Employees could access secured areas of the airport such as airfields and baggage transport areas by displaying their photo IDs to attendants or by typing their personal identification numbers (PINs) into special door locks. But the system was flawed. Workers often lost their badges or borrowed each other’s, and wrote their PINs on doorjambs. Not only did repainting doorjambs and replacing badges become a major expense, but the practice also severely compromised the airport’s security.


Months after September 11, SFO invested $3 million in state-of-the-art hand-geometry scanners from Recognition Systems that confirm an employee’s identity by measuring biological features of the person’s hand and comparing the results against stored information in a secure database. Today, employees simply hold their hands up to one of the airport’s 600 scanners and the door opens automatically.


"The [scanner] is a very vital component to ensuring that we validate only those people authorized to be in secured areas," says Mark Denari, airport security coordinator. "The scanners haven’t fixed all access problems," he says, but "our airport couldn’t function as smoothly as it does without them."


In addition to safety concerns, between $1 and $10 billion per year is lost due to security fraud in the United States, according to the Department of Trade and Industry. It is no wonder that more companies, from Citibank to Calvin Klein, are looking to strengthen their security systems by turning to biometric technology. Biometrics provides the highest level of security available, but some question whether its security benefits outweigh the privacy concerns it raises.


User Authentication


In the world of information technology, passwords are the most common method of using confidential knowledge to authenticate users. Easy to administer and convenient for most users, passwords are also the least expensive method of user authentication. But they have some drawbacks.


"A person can use a password to authenticate their identity, but passwords are very susceptible to attack," says Yvette Draghi, head of IT at the Gartner Group.


User-selected passwords are very short and simple, which makes them easy to guess. Rules meant to make passwords more secure, such as requiring certain password lengths, capital letters or numbers, or regular changes, often make passwords even harder to remember, leading some users to write them down and compromise the original goal of security. Passwords can also be shared by several users or stolen when a thief monitors keyboard keystrokes or network traffic. Knowledge factors such as password authentication are viewed as a weak form of user authentication.


The simplest, most secure and inalterable security code comes in the form of your own body.


What is Biometrics?


The strongest single approach to achieving user authentication uses the unique physical attributes of a person - such as a fingerprint or patterns in the eye - to verify identity. This field of technology is known as biometrics.


Biometric authentication factors include: fingerprint scans, which analyze the unique pattern of ridges on a person’s finger; retinal or iris scans, which record the unique arrangement of blood vessels in the retina of an eye or capture the pattern of color in the iris; voice recognition systems, which recognize a unique audio wave pattern that is generated when a person says a specific word; and facial recognition systems, which store information such as the distances and angles between a person’s eyes, nose and mouth.


Advantages and Disadvantages


Biometric factors may represent the strongest form of user authentication because they cannot be lost, stolen, shared or forgotten. However, they are prone to three types of error: false rejection of a person’s physical attribute where the system doesn’t recognize the biometric even though it is valid, false acceptance of a person’s physical attribute, and failure to enroll a person’s physical attribute.
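The three error types above can be measured from a system's comparison scores. The following is an added example, not part of the original article: the scores, the enrollment counts and the thresholds are constructed, and it goes one step beyond the text by locating the threshold where false rejections and false acceptances are closest to equal.

```python
# Constructed comparison scores (0..1, higher = closer match); not real data.
GENUINE = [0.91, 0.88, 0.95, 0.62, 0.97, 0.84, 0.79, 0.93, 0.58, 0.90]   # person vs. own template
IMPOSTOR = [0.12, 0.35, 0.41, 0.08, 0.66, 0.27, 0.19, 0.52, 0.30, 0.71]  # person vs. someone else's


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_rejection_rate, false_acceptance_rate) at a threshold.

    A comparison is accepted when its score is >= threshold.
    """
    frr = sum(s < threshold for s in genuine) / len(genuine)     # valid users turned away
    far = sum(s >= threshold for s in impostor) / len(impostor)  # wrong users let in
    return frr, far


def failure_to_enroll_rate(attempts, failures):
    """Share of people for whom no usable template could be captured."""
    return failures / attempts


def sweep(thresholds):
    """Error rates at each candidate threshold, as (threshold, frr, far)."""
    return [(t, *error_rates(t)) for t in thresholds]


def closest_to_equal_error(thresholds):
    """Threshold where the two error rates are nearest to each other."""
    return min(sweep(thresholds), key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    for t, frr, far in sweep([0.5, 0.6, 0.65, 0.7, 0.8]):
        print(f"threshold={t:.2f}  false rejection={frr:.0%}  false acceptance={far:.0%}")
    print("balanced operating point:", closest_to_equal_error([0.5, 0.6, 0.65, 0.7, 0.8]))
    print(f"failure to enroll: {failure_to_enroll_rate(12, 2):.1%}")
```

Raising the threshold trades false acceptances for false rejections, so a door to an airfield and a door to a break room would reasonably be tuned differently.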


"A person with no hands cannot use a fingerprint system. Even a person with dry skin can confuse a fingerprint system, a speech impediment can render a voice recognition system useless and a beard might prevent a user from being recognized by a facial recognition system," says Roger Clarke, a consultant at the Biometrics Institute.


The Future of Biometrics


Even with technology glitches, biometric use is on the rise.


"There was a lot of hype back in 2000/2001 that there would be a dramatic growth with the biometrics industry, with the US Government security programs and the need for higher security in general," says Dr. John Chang, senior analyst of Allied Business Intelligence Inc., a research firm specializing in communications and emerging technology markets.


Currently under consideration by Congress is the Enhanced Border Security and Visa Reform Act, which will require visitors to the US to obtain visas with biometric identifiers from US consulates by 2004. Also being debated is the institution of a national ID card for each United States citizen that would contain one’s specific biometric data.


Other industries are also heading towards biometric security systems.


"We definitely see large growth within the transportation, financial and healthcare industries," says Chang.


To expedite such growth, governing bodies, consortiums and committees including the National Institute of Security and Technology are working quickly to allow faster implementation of biometrics.


Public Concerns


The most common concern about biometric technology is its association with law enforcement, as people think their individual privacy might be compromised when their unique information is put into a database. However, there are significant differences in the way law enforcement systems and authentication systems use biometric data.


In law enforcement systems, a computer uses biometric data to determine the identity of the person who supplied biometric data. For example, a fingerprint of an unknown person is compared against thousands of fingerprints stored in a database to determine the fingerprint's owner.


"Unlike a law enforcement system, a user authentication system does not attempt to determine a person’s identity if a match does not occur. It only confirms the identity of a known person," says Malcolm Crompton, privacy commissioner at the Biometrics Institute.


In law enforcement systems, a person’s picture or a full fingerprint is stored as an image. But biometric data such as fingerprints are not stored as images. Instead, in a biometric security database they are stored as a mathematical representation called a template, making it impossible to recreate the original image.


For example, a fingerprint template is simply compared against another stored template. No invasion of privacy occurs, as a person's fingerprint is only used to prove an identity, not to determine one.
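The difference between proving an identity and determining one, as an added example that is not part of the original article. The template values, user ids, distance measure and threshold are all constructed assumptions; real systems use vendor-specific template formats and matchers.

```python
import math

# Constructed enrollment database: user id -> template (a small feature vector).
TEMPLATES = {
    "emp-1001": (0.42, 0.77, 0.15, 0.60),
    "emp-1002": (0.10, 0.35, 0.88, 0.52),
    "emp-1003": (0.71, 0.20, 0.44, 0.93),
}
MAX_DISTANCE = 0.10  # assumed match threshold for this illustration


def verify(claimed_id, sample):
    """Authentication (1:1): compare the sample with the claimed user's template only.

    Returns (matched, templates_compared). On a mismatch nothing else is
    searched, so the system learns only that the claim was not confirmed.
    """
    stored = TEMPLATES.get(claimed_id)
    if stored is None:
        return False, 0
    return math.dist(stored, sample) <= MAX_DISTANCE, 1


def identify(sample):
    """Identification (1:N): search every stored template for the closest one.

    Returns (user_id_or_None, templates_compared).
    """
    scored = [(math.dist(t, sample), uid) for uid, t in TEMPLATES.items()]
    best_distance, best_id = min(scored)
    return (best_id if best_distance <= MAX_DISTANCE else None), len(scored)


if __name__ == "__main__":
    sample = (0.43, 0.75, 0.16, 0.61)        # constructed fresh scan of emp-1001
    print(verify("emp-1001", sample))        # claim confirmed, one record touched
    print(verify("emp-1002", sample))        # claim rejected, owner not revealed
    print(identify(sample))                  # every record searched, owner named
```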


But privacy invasion remains a prevalent concern, as this technology collects data intrinsic to each individual in addition to general information about a person.


"People feel that biometrics may be intrusive, but education and familiarity will resolve this," says Chang.


PHOTO
Courtesy of Pacific Northwest National Laboratory
Physiological measurements are the force behind biometric security.


Copyright © 2008 [X]press | Journalism Department - San Francisco State University