Fingerprint ID devices are ready to make their mark

| SPECIAL TO GCNThis year's edition of the FBI's annual computer security survey, conducted with the Computer Security Institute of San Francisco, revealed some cold, hard facts about cybercrime.Of the 538 agencies, corporations and other enterprises surveyed, '85 percent of respondents'primarily large corporations and government agencies'detected computer security breaches within the last 12 months,' the FBI and the institute said in announcing the results. 'Sixty-four percent acknowledged financial losses due to computer breaches.'The Internet, of course, is the primary avenue people take to enter a computer system without authorization. But walking up to a computer they're not authorized to use remains a threat.Even without an apparent threat of computer crime, the notion that you, and only you, should work at your PC is an appealing thought. But what's the best way to ensure this?An increasingly popular method of securing a PC or workstation is a fingerprint reader. Once a user has been enrolled with a full image or details of the fingerprints, a simple fingerprint scan can authenticate the user and unlock the system.Readers use one of two methods for enrollment and verification: taking an image of the actual fingerprint and then comparing scans; or using minutiae, or unique details of a given fingerprint, which are then converted into a digital code that is stored and matched on future scans.Each method has advantages. A full scan of a fingerprint is the most detailed method and ensures a high degree of accuracy. But a scanned image, at about 120K, is larger than the 8 bytes of digital code produced by the minutiae method. Detractors of full scanning point out that it takes longer to do an image match than a minutiae match, which can add up to network traffic hassles in a large installation.Critics say that both methods, at present, could be defeated by a very good image of a fingerprint'or, in a grisly scenario more suited to HBO's 'The Sopranos' than to real life, the severed digit of a user.Assuming you'll keep all your fingers, and that the classification of your work isn't likely to inspire high-tech fingerprint forgery, fingerprint readers could be a viable choice for access control.Prices and sizes of devices have dropped dramatically. A few years ago, readers cost roughly $1,000 per seat and were the size of a shoebox; today, they cost about $100 and are about the size of a PC Card.'Device sales will grow tenfold over the next three to four years [and] we will start to see it on a majority of new desktop systems,' said Samir Nanavati, a partner with the International Biometric Group LLC, a New York consulting and research firm ().Nanavati said better and cheaper devices are fueling their popularity.'Five years ago, the devices did not perform well for most wide-scale deployments,' he said. 'Our testing shows that devices now, as a rule, are significantly better. That includes a number of metrics, but the most basic is the ability to identify the right person and keep the wrong person out. They now also fit inside a keyboard or a mouse.'Nanavati said the entry into the field of larger firms such as Sony Corp. of America enhances the credibility of the devices with users and developers.'The presence of a number of large players, such as Sony, lends to the maturity of the industry,' he said. It's not just small niche players making the equipment anymore. The emergence of standards also makes it easier for developers to write programs, he said.The security needs of large organizations are adding an imperative to move toward fingerprint identification, said Hal Tipton, a security consultant in Villa Park, Calif., and a veteran at federal contractor Rockwell International Corp.'It's only going to take a few big losses from poor access control before everybody wakes up and realizes what they have to do,' he said. 'People have been sitting back fat, dumb and happy thinking authentication by passwords is just enough; soon they'll wake up and see it's not good at all. Smart cards and tokens have been coming along, but they haven't really taken off here.'Advocates of fingerprint technology say the devices' return on investment is a contributing factor to their success.'What you have to take a look at in cost of hardware is cost savings by implementing biometrics,' said Tom Pak, vice president of sales for SecuGen Corp. in Milpitas, Calif.He cited a study by Gartner Inc. of Stamford, Conn., 'that says password issues cost a 2,500-user network $340 per employee per year in terms of help desk costs, downtime [and the] cost of lost business. By implementing biometric software, you're looking at a cost of $150 to $160 per user. You get a return on investment in six months.'Manufacturers are trying to develop devices that are even smaller and less expensive than they are now. Bob Bradford, director of engineering for SecuGen, said the company also wants to find ways to make the technology usable in personal digital assistants, mobile phones and other devices.On the software side, Rolf Boegli of I/O Software Inc. in Riverside, Calif., which makes software fingerprint devices, said the aim is to extend fingerprint identification beyond access control.'We envision a wider range of functionality, beyond just log-on ... such as application launch control, and file and folder encryption. There are a number of ideas and projects in the making for Internet and e-mail. Wherever you have any kind of password, you can replace it with a biometric measure, that is, a fingerprint,' he said.In evaluating fingerprint devices, analyst Nanavati said, it's important to understand what measure of performance should be used.'One of the critical things is an understanding of what performance means. Everyone talks about performance; very rarely do they have all of the components. To summarize it most simply: False acceptance is the wrong person getting in, and a false rejection means the customer will be dissatisfied with the equipment. One of the components is failure-to-enroll rate. How is five to 10 percent, or sub-1 percent?'Nanavati said his group is developing objective testing to rank the devices. The Financial Services Technology Consortium of Chicago, the automated teller network Star System, Lockheed Martin Corp. and Electronic Data Systems Corp. are working with the International Biometric Group on the project.XXXSPLITXXX-