Practical biometrics

Up until a couple of years ago, biometric security devices were the exclusive domain of secret government agencies and corporations with deep pockets. However, as with many defense technologies, biometric technology is now within the grasp of cost-conscious organizations. It's not inconceivable that you could even install a biometric access system at your home – the technology is available today for under $900!

Let's take a brief look at a few common biometric techniques:

• Fingerprint scanning is perhaps the most commonly used biometric measurement. It's one of the least intrusive of the measures – after all, people are already used to the idea of having their fingerprints taken at a bank, when applying for a sensitive job and in other situations. Fingerprint scanners are usually quite small and are integrated into a number of security products such as locks, access control systems and smart cards.

• Hand geometry analysis takes a slightly different approach. Rather than reading a user's fingerprint, hand geometry analysis uses a system of lasers to analyze the bone structure of the user's hand and compare it to stored data. The major advantage to this system is that it's even less intrusive than fingerprint scanning. However, this leads to a significant drawback – it's not foolproof. Hand geometry is not as unique as fingerprints. The relatively innocent nature of this system has led to its use at Walt Disney World.

• Voiceprint identification isn't the stuff of science fiction movies any longer! These systems work by asking the user to recite a short phrase. The analog voice waveform is then converted to a digital voiceprint that is compared to a stored record. If the two voiceprints meet the defined threshold for similarity, access is granted. Otherwise, it is denied. Voiceprint systems are generally accepted by users, but they are sometimes perceived as annoying.

• Eye scanning comes in two basic forms – retinal scanning and iris scanning. Both use light to scan portions of the human eye and compare it to databased information. Iris scanning is somewhat less intrusive as it only requires the user to look briefly at a camera. Retinal scanning, on the other hand, requires the user to stare into the light source for a short time.

• Face recognition technology has seen high-profile use at events like the Super Bowl where police use it to scan the crowd for wanted criminals. It's also gaining a little steam for use in products like FaceIt from Identix. This technology uses a complex mathematical algorithm known as Local Feature Analysis (LFA) to compare images of two human faces.

Most implementations of biometric authentication are combined with one or more traditional authentication techniques (such as a password, smart card or challenge/response question). These hybrid techniques provide added security and peace of mind to administrators.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.

• Article: Biometrics improving but not perfect
• Ask the Expert: Biometric vulnerabilities
• Tip: Biometrics gaining more identity as security option