Pentagon interest may give biometrics needed boost

BRIDGEPORT, W.VA. - In this rural outpost about a four-hour drive from the nation's capital, the Defense Department has set up its first biometrics testing laboratory to scientifically scrutinize hundreds of commercial products that scan unique physical traits - such as eye, finger or voice - to prove a person's identity.

The goal at the Biometrics Fusion Center, as the Defense Department calls it, is to determine if any of the nearly 600 products on the market are good enough for widespread - and possibly mandatory - use by Defense Department personnel to gain access to computer networks in the future. If the department puts its weight behind biometrics, it could push body-based authentication technology from the exotic to the mainstream.

But analysts following biometrics say that while products are improving, shortcomings remain. In general, the products are expensive and raise privacy fears. Biometrics offerings, particularly those for fingerprint scans, can also have high error rates, mistakenly rejecting someone based on his fingerprint.

Despite such worries, the U.S. military is taking a hard look at biometrics to determine if body-based authentication can replace passwords, says Phil Loranger, the U.S. Army's director of the Defense Department biometrics program.

Passwords can be stolen or sometimes cracked, but someone's fingerprint, voice-print and iris scan are unique, he notes.

"What attracted the Defense Department to this technology is that it can make our systems much more secure than passwords," Loranger says. Biometrics authentication also can work with public-key technology, even in place of the password typically needed to gain access to the keys, he adds.

During the next few months, the Biometrics Fusion Center will run tests on numerous biometrics products, with some preference for ones supporting the BioAPI standard developed by the Biometrics Consortium. That standard allows an application to support multiple types of biometrics authentication across vendor boundaries without having to write to separate APIs.

While there aren't plans to release the test findings, the Biometrics Fusion Center hopes to make recommendations to the Pentagon's upper echelons on the use of biometrics that could lead to large-scale purchases.Currently, biometrics finds limited use in the military, mainly in pilot programs at the U.S. Army Reserve centers and the Army Major Command for Emergency Operations Center.

According to research firm IDC, the biometrics market stands at about $300 million, with the government and private sector purchasing the technology about eq-ually for use in building and computer access. IDC predicts biometrics will be a $1.8 billion market four years from now. Finger scan, voice authentication and signature verification are the three fastest-growing segments by sales.

Cyber-Sign and Communications Intelligence are the strongest players in signature verification. Identix, Sagem Morpho, the U.S. biometric subsidiary, Veridicom and Infineon are trying to grab hold of the finger-scan market. And the voice-print authentication niche is where T-Netix, ITT Nuance and Veritel try to be heard. But there are hundreds of other biometrics challengers as well.

Most biometrics products rely on storing a kind of digital hash of a fingerprint, iris scan or voice-print - not the actual image - in a database for later comparison. Microphones, fingerprint readers and other equipment is used by an individual wanting access to a computer network, and this captured personal imprint is compared against the template stored in the database.

Some analysts following the market for authentication technology based on body parts are skeptical that today's products are ready for prime time.

"Biometrics is a form of testing to try and figure out a match, and it can have false rejects or false acceptances," says Bill Campbell, a consultant at Eagle's Reach, the security firm he founded about a year ago after leaving Fidelity Investments, where he was director of information security engineering.

The biometrics vendors recognize this weakness, and they will quote the "equal error rate" for their devices based on their own tests, Campbell notes. It's impossible to compare one vendor's equal error rate against another's because there are no standardized tests.

But the larger question is whether any false rejections or acceptances are tolerable for use with important, and perhaps sensitive, applications. Error rates drop significantly with use of multimode biometrics where the user is required to submit voice and fingerprint, for example, to be processed at the same time, Campbell says.

But there is another problem. Campbell notes that biometrics can be spoofed by hackers.

While it's highly unlikely anyone could spoof a retinal scan, most forms of biometrics are vulnerable to replay attacks, he says.

These attacks could involve the interception of biometrics data, which would be stored and replayed later to get into a system or network. Exactly how this can be done depends on how the biometrics data gets transferred on the network, although the threat of replay attacks would be largely dispelled if biometrics devices employed encryption to further secure the data. That typically isn't done today, but it could be, thus raising the bar on the level of comfort provided by biometrics.

Biometrics is moving forward, Campbell says, pointing out that fingerprint and facial-scanning vendor eTrue recently became the first company to adopt a hosted application service provider model for biometrics, storing customers' personal data on the Internet. "When you buy their service, they give you the equipment for free," he adds.

NASA employees are said to be among the first customers for eTrue's hosted service for use in logging on to secure networks from home.

Pentagon interest may give biometrics needed boost

Related Links