The Biometric Devil's in the Details

By Ben Rothke CISSP, QSA, and Benjamin Tomhave, MS, CISSP

After numerous false starts, it seems that biometric controls are everywhere. Once the province of sci-fi TV shows and movies, biometric solutions are increasingly being deployed at border crossings, in airports, and in the work place. Yet, despite their increasing prevalence, the reality remains: far more deployments fail than succeed. The situation has been so bad at times that many organizations wonder why they should even bother considering biometrics in the face of so many possible failed cases. There are, however, many advantages to using biometric controls, which can be deployed successfully when a detailed, strategic approach is used.

Before examining why biometrics are alluring, often fail, but nevertheless can succeed, companies interested in deploying biometrics must know precisely what these technologies do and how authentication differs from identification.

Biometric controls use technologies that confirm a person’s identity by comparing patterns in their physical characteristics against enrolled computer records of those patterns. Biometric controls may include scans of the iris or retina, measurements of hand geometry, or any other measurement of the physical person that represents a reasonably unique attribute. These measurements are then compared against previously registered measurements to effectively authenticate an individual.

It is important to note that biometric controls are only used as a form of authentication, not identification. The difference is that identification is a one-to-many match, most often used by law enforcement to identify criminals or to identify qualified recipients for benefit programs. Authentication, on the other hand, is a one-to-one match. The user presents a live body attribute and it is compared to a stored sample previously given by that individual during enrollment. The match is then confirmed or rejected.

Biometrics: Why Bother?

With a long and distinguished history of project failures, why should anyone attempt to deploy biometric controls?

One of the main benefits of biometric controls is the ability to avoid the need for user-created passwords. Good passwords are hard to create, and users, often oblivious to what makes a good password, have historically chosen ineffective, easy-to-crack passwords. Biometric controls, on the other hand, offer a reasonably secure alternative to insecure passwords in a form that is harder to lose or forget.

In the past, the most successful biometric deployments have been those that are for small-scale, closed-loop applications. These are often niche areas where biometric controls provide a unique solution to an unwieldy or unsolvable problem. The most significant biometric success stories have been with those organizations that had a specific security issue to solve, such as identifying bank employees in vaults or for customer access to safe deposit boxes, security guard stations, and sensitive payroll systems.

Yet with the myriad benefits biometrics offer, it’s challenging to deploy an enterprise-wide biometric solution. Even after a successful biometric pilot test, the decision to not deploy the solution is often made because of cost, acceptance and adoption issues, or complexity.

The cost of deployment and maintenance is perhaps the biggest issue for many companies. Unlike passwords, which rely on software and the user, biometric controls also require specialized hardware devices. Depending on the application, this could require a biometric device per user if biometric solutions are located at each workstation or work location.

Cost can also become problematic from a technical support standpoint. Historically, biometric controls have had difficulties with accuracy and consistency, to the point that many solutions, like hand geometry, have had their tolerance levels opened wide in order to reduce false negatives and to lower the overall support costs. Enrollment itself can be a costly process, requiring physical presence from both an authority conducting the enrollment and from the person being enrolled.
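The one-to-one versus one-to-many distinction drawn earlier, and the tolerance trade-off described in the paragraph above, can be made concrete with a small simulation. The following is an added example, not code from the article or from any biometric vendor: the "templates" are constructed eight-feature vectors, the distance metric is a plain count of differing features, and the enrolled users, probes and impostor attempts are all invented for illustration. It shows that 1:1 verification checks a probe only against the claimed identity's template, that 1:N identification searches the whole database and can return ambiguous results, and that opening the tolerance to eliminate false rejects drives up false accepts.

```python
"""Toy model of biometric matching: 1:1 verification, 1:N identification,
and the effect of the tolerance threshold on error rates.

All data below is constructed for illustration; nothing here is real
biometric data or a real matching algorithm.
"""

# Constructed enrollment database: user -> enrolled template (feature vector).
ENROLLED = {
    "alice": (1, 0, 1, 1, 0, 1, 0, 0),
    "bob":   (0, 1, 1, 0, 0, 1, 1, 0),
    "carol": (1, 1, 0, 0, 1, 0, 0, 1),
}


def distance(a, b):
    """Number of features that differ between two templates (lower = closer)."""
    return sum(x != y for x, y in zip(a, b))


def verify(claimed_user, probe, tolerance):
    """1:1 authentication: the live probe is compared against the single
    template of the identity the user claims. Returns True when the probe is
    within tolerance of that template; an unknown claim is simply rejected,
    never searched for."""
    template = ENROLLED.get(claimed_user)
    if template is None:
        return False
    return distance(template, probe) <= tolerance


def identify(probe, tolerance):
    """1:N identification: every enrolled template is searched and all users
    within tolerance are returned, nearest first (ties broken by name)."""
    hits = []
    for user, template in ENROLLED.items():
        d = distance(template, probe)
        if d <= tolerance:
            hits.append((d, user))
    return [user for _, user in sorted(hits)]


# Constructed genuine attempts: (true identity, live probe). Each probe drifts
# from its enrolled template by 0-2 features, mimicking sensor noise.
GENUINE = [
    ("alice", (1, 0, 1, 1, 0, 1, 0, 1)),  # 1 feature off
    ("alice", (1, 0, 1, 0, 0, 1, 1, 0)),  # 2 features off
    ("bob",   (0, 1, 1, 0, 0, 1, 1, 0)),  # exact match
    ("carol", (1, 1, 0, 0, 1, 0, 1, 1)),  # 1 feature off
    ("carol", (1, 1, 0, 1, 1, 1, 0, 1)),  # 2 features off
]

# Constructed impostor attempts: (claimed identity, probe). Both probes happen
# to lie 2 features from the template they claim.
IMPOSTORS = [
    ("bob",   (0, 1, 1, 0, 1, 1, 1, 1)),
    ("alice", (0, 0, 0, 1, 0, 1, 0, 0)),
]


def error_rates(tolerance):
    """(false reject rate over genuine attempts, false accept rate over
    impostor attempts) for a given tolerance. Widening the tolerance lowers
    the first number and raises the second."""
    false_rejects = sum(not verify(u, p, tolerance) for u, p in GENUINE)
    false_accepts = sum(verify(u, p, tolerance) for u, p in IMPOSTORS)
    return false_rejects / len(GENUINE), false_accepts / len(IMPOSTORS)


if __name__ == "__main__":
    noisy_alice = (1, 0, 1, 0, 0, 1, 1, 0)
    # 1:1 is decisive: the claim "alice" is checked against alice only.
    print("verify alice @2:", verify("alice", noisy_alice, 2))
    # 1:N at the same tolerance is ambiguous: bob is equally close.
    print("identify @2:", identify(noisy_alice, 2))
    for tol in (1, 2):
        frr, far = error_rates(tol)
        print(f"tolerance {tol}: FRR={frr:.2f} FAR={far:.2f}")
```

At tolerance 1 the constructed genuine users are falsely rejected 40% of the time while no impostor gets in; at tolerance 2 every genuine attempt passes and every impostor attempt passes too. That is the trade-off behind "opening the tolerance wide to reduce false negatives": the support cost goes down, the false-accept rate goes up, and the threshold has to be chosen deliberately against the asset being protected rather than tuned until the help desk stops ringing.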

Another common negative factor is acceptance of biometrics by employees. Many people see any sort of device that records their physical attributes for the benefit of their employer as an invasion of privacy. Concerns have even been raised in the past decade regarding how employers might use biometric data collected to authenticate users. Other times, certain legacy biometric solutions were simply uncomfortable to use, such as forcing the eye open while it’s scanned.

Finally, biometric security systems are complex. This challenge is made worse by the lack of standardization between vendors. Few enterprises enjoy vendor lock-in and the relative lack of alternatives—due in large part to inadequate interoperability—can make the decision to move to biometrics even more difficult.

Biometric Failures

Biometric control projects fail for a variety of reasons, but many of those reasons aren’t fully understood and appreciated. Given the significant number of failures, it is, perhaps, instructive to look at some cases in which biometric deployments failed to see what lessons can be learned.

No Pilot Testing. Pilot testing is a way to simulate the live operation of a new technology within an organization. Historically, in the rush to deliver, it has not been uncommon for biometric control projects to attempt an enterprise-wide roll-out without first performing a pilot on an adequate sample size of users. Failing to pilot a solution will reduce the overall acceptance by end-users, often because of an increased level of anxiety over the seemingly intrusive nature of the technology.

No Documentation, Processes, or Procedures. Policy defines the aims and goals of the biometric solution. A comprehensive biometric security policy is required to map abstract security concepts to the real-world biometric implementation. As part of a risk-resilient organization, all technical solutions must be supported by a complete set of supporting documentation, including well-defined processes and procedures. Everything from enrollment to disaster recovery must be accounted for to ensure a successful deployment. If a major network component upon which your biometric solution is dependent fails, how do you get into the server room protected by the biometric solution? The fastest way to kill a deployment is to have it cost the company money by hindering the normal operation of the business thanks to poor planning and documentation.

Ineffective Training. Deploying a technical solution is far more than installing hardware and software. Users and administrators must be provided proper training on use and maintenance of these solutions. Never is this more evident than in biometric solutions. If the solution is not optimized to meet the needs of the business, and users aren’t trained in the proper and efficient use of the interface, then nobody should be surprised when the solution develops a negative reputation that eventually leads to its demise.

Inadequate Server Provisioning. One of the most common deployment failures is a failure to plan adequately for server utilization and performance. Without adequately scaled infrastructure, processing times may be excessive, introducing additional costs to the deployment that were not previously expected. Performance and scalability must be treated as design attributes from the design phase onward.

Lack of Legacy Support. For all the security benefits of biometric controls, they can only be realized if the solution can be integrated with existing technology. Case in point, if an enterprise relies on legacy mainframe programs and does not plan to recode these applications in support of a biometric solution, then the overall benefits of the solution may decrease substantially. These issues should be identified during the design phase and addressed during the positioning phase.

Oversized Initial Roll-out. Similar to the first failure listed above, if the initial deployment of a biometric solution is oversized, then users and administrators may become overwhelmed. This fail case usually plays out in one of two ways. Either the enrollment process bogs down because of inadequate staffing to enroll the initial users, or the support team becomes overwhelmed by support calls when the roll-out runs into user acceptance and usability challenges. This fail case is often amplified by an ineffective training program.

BR/DRP Not Included in Design. As already noted previously, it is imperative that there be thorough, functional, and effective documentation in place ahead of a deployment. Perhaps the most important set of documentation pertains to business recovery and disaster recovery procedures (BR/DRP). If a biometric system goes down and there is no alternative way to authenticate, then companies will often stop using biometrics. This fail case is more than just a matter of throwing the baby out with the bath water. If a technical solution cripples a business, the result will be lost revenue and increased overhead expenses. Both of these impacts can be effectively mitigated through proper planning during the design phase.

Inadequate Project Management. A skilled project manager will address many of the above fail cases. As is true of all major IT deployments, biometric controls must be deployed through a formalized project management process. Given that biometric solutions are used for authentication, it is imperative that such a project be well managed. This is especially true when the deployment gets to the point of enrolling users. Proper project management should expect chaos and develop a plan for controlling it as best as possible. An efficient and painless enrollment process and an effective training program will maximize user acceptance as well.

No “One Size Fits All” Technologies. Not every technology is suitable to every individual. For example, it has been found with fingerprint-based solutions that many people cannot be fingerprinted due to factors such as thin skin as a result of prescription drugs or genetic make-up; extensive use of cleaning chemicals; finger injuries, including minor cuts and scrapes; fingers with limited movement (as they sometimes cannot be scanned properly); and the difficulty of enrolling elderly people and construction workers due to injury or disease or both.

See all the latest links and resources that supplement the current issue of Security Management magazine.