The Biometric Devil's in the Details

By Ben Rothke, CISSP, QSA, and Benjamin Tomhave, MS, CISSP

Planning For, and Dealing with, Resistance

End-user resistance represents one area where organizations generally underestimate the amount of planning required in support of a biometric deployment. In fact, one of the most successful biometric initiatives undertaken never saw the light of day for this very reason.

In 2006, the Piggly Wiggly grocery store chain actively tested fingerprint-based biometric solutions. While there was significant consumer interest at the beginning of the rollout, Rachel Bolt, assistant director of information systems for the $700 million grocery chain, stated in an interview in e-Week that this interest evaporated due to negative publicity.

Bolt said she didn’t appreciate how emotionally intense some of the opposition was until she visited a store and saw a 70-year-old woman literally throw a Bible at an employee trying to enroll people in the program. The customer was reacting to the concern of some in the religious community that RFID (radio-frequency identification) and biometric controls were the embodiment of the Biblical “mark of the beast” from the Book of Revelation.

“She told him that God was going to rain hellfire on him and that he was promoting the devil’s work,” Bolt said, adding that she took that to mean the customer was not interested in enrolling. “We piloted it in four stores and it worked out extremely well,” Bolt said. “The rollout to the entire chain, however, did not go nearly as well as we expected.”

The complaints that Piggly Wiggly encountered are not unique. Most user complaints are concerns over the unknown. Issues such as privacy, hygiene, and employee groups resisting change can undermine even the best-conceived biometric control projects. Biometric concerns have stemmed primarily from an incomplete understanding of the technology on the part of the end user and a mistrust of the entities that want to implement the technology.

Until biometric controls are more mainstream and generally accepted, the only way to deal with this challenge is an effective end-user awareness and education program in advance of the rollout of biometric controls. Biometric deployments will be most effective and flow most smoothly when users are educated ahead of deployment.

From a security and privacy perspective, it is imperative to let users know that their biometric images will not be stored. Most biometric applications, with the notable exception of law enforcement, do not store the actual biometric image (fingerprint, retina scan, etc.). Instead, they generate a composite of biometric data from a number of individual data points (minutiae).

This composite data is often mathematically hashed, and the hash is then stored, just as is typically done with passwords today. It is important to educate users that there is no way to recover a full biometric reading from the minutiae scanned.

Making users aware of the actual implementation details can go a long way toward allaying their concerns and the resistance that follows from them. Many users incorrectly believe that their biometric data can be stolen and used against them, but this is not true of modern biometric security systems. (Note that this is not saying biometric controls cannot be tricked, but that the stored data itself is innocuous.) Though users will still ultimately have to trust that the system is performing as described, it is vital that they understand that this data cannot be used to reconstruct actual user biometric images.
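As an added illustration that is not part of the article, the Python below shows one way a system can store only a hash rather than the reading itself and still match a slightly different fresh reading: a fuzzy commitment (Juels and Wattenberg), which binds a random key to the binarized template and stores just the key's hash plus a masked helper value. It goes slightly beyond the article's password analogy, because a plain password-style hash of the minutiae would fail on the normal noise between two scans; the 80-bit template, the repetition code and the flipped-bit positions are all constructed for the demo.

```python
import hashlib
import secrets

KEY_BITS = 16                    # message bits of the random codeword
REP = 5                          # each key bit is repeated REP times
TEMPLATE_BITS = KEY_BITS * REP   # constructed 80-bit binarized template
KEY_BYTES = (KEY_BITS + 7) // 8

def encode(key: int) -> int:
    """Repetition code: expand a KEY_BITS key into a TEMPLATE_BITS codeword."""
    code = 0
    for i in range(KEY_BITS):
        bit = (key >> i) & 1
        for j in range(REP):
            code |= bit << (i * REP + j)
    return code

def decode(word: int) -> int:
    """Majority vote per REP-bit block: corrects up to REP // 2 flips per block."""
    key = 0
    for i in range(KEY_BITS):
        block = (word >> (i * REP)) & ((1 << REP) - 1)
        if bin(block).count("1") > REP // 2:
            key |= 1 << i
    return key

def key_hash(key: int) -> str:
    return hashlib.sha256(key.to_bytes(KEY_BYTES, "big")).hexdigest()

def enroll(template: int) -> dict:
    """Store only a hash of a random key and the key's codeword XORed with the
    template; the template itself is never written to storage."""
    key = secrets.randbits(KEY_BITS)
    return {"hash": key_hash(key), "helper": encode(key) ^ template}

def verify(record: dict, fresh_template: int) -> bool:
    """Unmask the codeword with the fresh reading, correct the bit errors the
    noisy scan introduced, and compare hashes. More than REP // 2 flips in any
    block recovers the wrong key, so the hashes differ and the check fails."""
    recovered = decode(record["helper"] ^ fresh_template)
    return key_hash(recovered) == record["hash"]

# Caveat: with a repetition code the helper reveals which template bits agree
# within a block; real schemes use stronger codes and higher-entropy templates.
DEMO_TEMPLATE = int.from_bytes(hashlib.sha256(b"constructed").digest()[:10], "big")

if __name__ == "__main__":
    rec = enroll(DEMO_TEMPLATE)
    print(verify(rec, DEMO_TEMPLATE ^ 0b00011_00011))  # True: 2 flips per block
    print(verify(rec, DEMO_TEMPLATE ^ 0b00111))        # False: 3 flips in one block
```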

Making Biometrics Work

According to Forrester Research, the most successful applications of biometric controls to date – in terms of scale, efficiency, usability, and public acceptance – have been facilitated by government agencies, intergovernmental agencies, and companies like airlines that cooperate closely with government. However, private companies do have success stories to tell, primarily in the financial services sector, such as in areas like payments and ATM transactions.

The ultimate challenge is taking the potential security benefits that biometric controls offer and making them into a viable solution. Most of the challenges associated with biometric solutions will be business rather than technical in nature. Since biometric controls are for the most part stable and reasonably mature, the focus should be on core business issues, such as:

  • Making biometrics meet business requirements
  • Integrating biometrics into applications
  • Producing documentation to deliver trust
  • Management and reliability
  • Planning and deployment
  • Managing migration and scalability

Before going down the path of using biometrics, it is important to know what the specific security problem is and how a biometric solution can solve it. If this fundamental question can’t be easily answered, odds are that the biometric initiative will fail. In essence, it is of the utmost importance to properly define a problem before attempting to apply a solution.

Another key factor in successfully deploying biometric controls is to start with a small-scale rollout. It is good to gain small technical victories and then expand the program. It is often a mistake to attempt a huge enterprise rollout right away when a pilot program can more easily demonstrate the utility and effectiveness of the solution. Use these scaled-down successes to build the case for a broader deployment.

Given that metrics are a crucial area within information security, it is vital to include them as a gauge of the efficacy of a biometric deployment. Some useful metrics and other ways to determine the efficacy of your biometric solution may include:

  • Does the solution deliver real business benefits?
  • Is it deployed in a timely and cost-effective manner?
  • Is it secure and does it provide trust?
  • Is it reliable and easy to use?
  • Can it be managed?
  • Can it evolve and scale?
  • Was it cost effective?
  • Does it support regulatory efforts?

In addition to these metrics, the report Biometrics: Beginning to Fulfill Its Promise from Forrester Research highlights two success factors. First, end users understand the system and trust the provider. Public fears of biometrics technology stem primarily from two sources: a lack of knowledge of the technology and mistrust of organizations that would deploy and manage biometric applications. Second, the system should be simple. When the public perceives direct benefits from using biometrics technology, there is a much higher degree of acceptance. Anyone planning to incorporate biometric technology into any business process needs to clearly define these benefits.

See all the latest links and resources that supplement the current issue of Security Management magazine.