Handbook of Information Security Management:Access Control

Section 1-2
Access Control Issues

Chapter 1-2-1
Biometric Identification

Donald R. Richards

Envision a day when the door to a secured office building can be opened by using an automated system for identification based on a person’s physical presence, even though that person left his or her ID or access card on the kitchen counter at home. Imagine ticket-less airline travel, whereby a person can enter the aircraft based on a positive identification verified biometrically at the gateway. Picture getting into a car, starting the engine by flipping down the driver’s visor, and glancing into the mirror and driving away, secure in the knowledge that only authorized individuals can make the vehicle operate.

The day when these actions are routine is rapidly approaching. Actually, implementation of fast, accurate, reliable, and user-acceptable biometric identification systems is already underway. Societal behavior patterns result in ever-increasing requirements for automated positive identification systems, and these are growing even more rapidly. The potential applications for these systems are limited only by a person’s imagination. Performance claims cover the full spectrum from realistic to incredible. System implementation problems with these new technologies have been predictably high. User acceptance obstacles are on the rise. Security practitioners contemplating use of these systems are faced with overwhelming amounts of often contradictory information provided by manufacturers and dealers.

This chapter provides the security professional with the knowledge necessary to avoid potential pitfalls in selecting, installing, and operating a biometric identification system. The characteristics of these systems are introduced in sufficient detail to enable determination as to which are most important for particular applications. Historical problems experienced in organizational use of biometric systems are also discussed. Finally, the specific technologies available in the marketplace are described, including the data acquisition process, enrollment procedure, data files, user interface actions, speed, anticounterfeit information, accuracy, and unique system aspects.

BACKGROUND AND HISTORY LEADING TO BIOMETRIC DEVELOPMENT

Since the early days of mankind, humans have struggled with the problem of protecting their assets. How can unauthorized persons effectively and efficiently be prevented from making off with the things that are considered valuable, even a cache of food? Of course, the immediate solution then, as it has always been for the highest-value assets, was to post a guard. Then, as now, it was realized that the human guard is an inefficient and sometimes ineffective method of protecting resources.

The creation of a securable space, for example, a room with no windows or other openings except a sturdy door, was a step in the right direction. From there, the addition of the lock and key was a small, but very effective move, which enabled the removal of the continuous guard. Those with authorized access to the protected assets were given keys, which was the beginning of the era of identification of authorized persons based on the fact that they had such keys. Over centuries, locks and keys were successively improved to provide better security. The persistent problem was lost and stolen keys. When these events occurred, the only solution was the replacement of the lock (later just the cylinder) and of all keys, which was time-consuming and expensive.

The next major breakthrough was the advent of electronic locks, controlled by cardreaders with plastic cards as keys. This continued the era of identification of authorized persons based on things that they had (e.g., coded plastic cards). The great advancement was the ability to electronically remove the ability of lost or stolen (key) cards to unlock the door. Therefore, no locks or keys had to be changed, with considerable savings in time and cost. However, as time passed, experience proved that assets were sometimes removed before authorized persons even realized that their cards had been lost or stolen.

The addition of a Personal Identification Number (PIN) keypad to the cardreader was the solution to the unreported lost or stolen card problem. Thus began the era of identification of authorized persons based on things they had and on things they knew (e.g., a PIN). This worked well until the “bad guys” figured out that most people chose PINs that were easy for them to remember such as birthdays, anniversaries, or other numbers significant in their lives. With a lost or stolen card, and a few trials, “bad guys” were sometimes successful in guessing the correct PIN and accessing the protected area.

The obvious solution was to use only random numbers as PINs, which solved the problem of PINs being guessed or found through trial and error. However, the difficulty in remembering random numbers caused another predictable problem. PINs (and passwords) were written on pieces of paper, Post-it notes, driver’s licenses, blotters, bulletin boards, computers, or wherever they were convenient to find when needed. Sometimes they were written on the access cards themselves. In addition, because it is often easy to observe PINs being entered, “bad guys” planning a theft were sometimes able to obtain the number prior to stealing the associated card. These scenarios demonstrate that cardreaders, even those with PINs, cannot positively authenticate the identity of persons with authorized entry.

The only way to be truly positive in authenticating identity for access is to base the authentication on the physical attributes of the persons themselves (i.e., biometric identification). Because most identity authentication requirements take place when persons are fully clothed (neck to feet and wrists), the parts of the body conveniently available for this purpose are the hands, face, and eyes.

