
List:       cypherpunks
Subject:    biometrics hoopla II
From:       "Vladimir Z. Nuri" <vznuri () netcom ! com>
Date:       1998-08-30 3:13:09


------- Forwarded Message

Date: Sat, 29 Aug 1998 08:14:24 -0500
To: believer@telepath.com
From: believer@telepath.com
Subject: IP: Biometrics: Solving Password Proliferation

Source:  Government Executive Magazine
http://www.govexec.com/features/0998/0998sup2.htm

INFORMATION SYSTEMS SECURITY GUIDE

Solving Password Proliferation

By Nancy Ferris
nferris@govexec.com

Tired of trying to remember all the passwords and personal
identification numbers (PINs) that you need to get your work
done these days? You're not alone. As more federal business
is done online and as security and privacy concerns are
amplified, agencies are piling on layers of security for their
information systems.

You may need one password to use your networked personal
computer, another for your e-mail and a third for agency
applications, such as a financial system or database. If your
system administrators are following the security rulebook,
they're changing these passwords frequently and forbidding the
use of easily remembered passwords such as your name or
your spouse's. In the most by-the-book settings, passwords
are issued by the systems staff and aren't words at all, but an
unmemorable, random combination of letters and numbers.

Add these passwords to the PINs for your credit card, calling
card and bank ATM card, plus the ones for your home
computer's Internet service, and you have a nightmare in the
making. It's no surprise that many people end up writing a
password or two on sticky notes just inside their desk
drawers -- or even posting them in plain sight on a cubicle wall.
Needless to say, this defeats the purpose of passwords.

That's why many experts are predicting a surge in the use of
biometric identifiers. These devices recognize some unique
body attribute quickly and easily, so that no password is
needed. Biometrics -- usually a fingerprint or facial
image -- provide extra security for information systems while
making log-ons more convenient for the user. It's a rare
win-win combination with very few downsides.

Smaller, Faster, Cheaper

Until recently, biometrics were quite expensive, both in terms
of capital outlays for the hardware and software and in terms of
system overhead -- the extra network, processing and storage
capacity they demanded. In addition, most biometrics products
came from small, young companies that did not inspire
confidence. But that situation is changing. Well-known
companies such as Compaq Computer Corp. are building
fingerprint-recognition capabilities into PCs for less than $100
apiece.

Small fingerprint readers can be built into an ordinary PC
keyboard or mouse, or mounted on a monitor or other surface.
They capture the print, then reduce it to a mathematical formula
or template. That number is matched with those on file at the
network server. The user is allowed to log on to the network
only when there is a match.

Forgotten passwords are perhaps the most common cause of
calls to network help desks, according to Compaq officials,
who are marketing their Compaq Fingerprint Identification
Technology as a way to reduce help desk operating costs and
make things easier for individual network users, in addition to
improving security.

To security experts, there is something reassuring about
biometrics. Passwords can be borrowed, or extorted by force.
Passcards can be stolen. Biometric identifiers are less likely to
be misappropriated. High-end fingerprint readers, in fact, read
two or more fingers and check that they are within the range of
normal body temperature, to guard against duplication with
plastic molds and other gruesome possibilities. 

Although fingerprinting is the most common and accepted form
of biometrics, there are many others. The state of Illinois is
installing a facial recognition system for drivers' licenses, to
improve verification of license applicants' identities and avoid
duplicate licensing. The Immigration and Naturalization Service
is testing a facial recognition system to speed border crossings
for commuters between California and Mexico. PC-based
facial recognition systems can cost less than $300 per PC.

Scans of the retina or the iris also provide unique identity
verification, but many people are disturbed by having a camera
or scanner directed at their eyes. The iris scanner developed by
Sensar Inc., a small New Jersey company, is less intrusive than
retinal scanners, company officials claim, and doesn't require
the customer to stand in a precise spot or touch a surface.

Hand geometry devices, which add up a number of
measurements for each user's hand, appear less common, but
they are used in federal prisons to open gates for guards and
visitors. Voiceprints, which translate voice tones into unique
mathematical patterns, make sense particularly for remote
access to information systems because they require only an
inexpensive microphone and sound card, plus software.

Consumer Resistance

While these techniques may comfort the security experts, they
generate anxiety in some prospective users. Representatives of
biometrics companies admit that people object to being
fingerprinted, or scanned, and worry about unforeseen and
unauthorized uses of the personal identification data. To allay
such concerns, the makers of some fingerprint ID systems
publicize their products' lack of compatibility with law
enforcement fingerprint systems.

Consumer resistance can sometimes be helpful. The Defense
Department and various state and local agencies that dispense
welfare have discovered that simply introducing more powerful
identification technology can help curb fraud based on false
IDs. In the first 18 months after the county social services
department in San Diego installed fingerprint identification for
welfare recipients, it paid out $200,000 less than had been
expected. Some recipients refused to be fingerprinted,
probably because they were applying for aid under more than
one identity. The county withheld payments from others
because the fingerprinting showed they were receiving
duplicate payments.

Paul Collier, director of operations for Identicator Corp. in its
Rockville, Md., office, says the public's dislike of biometric
approaches seems to be becoming overshadowed by the
desire to use electronic commerce and networked information
systems without being hacked or intruded upon. At a recent
series of focus groups, he says, private citizens reacted mostly
positively, saying things like, "You mean, if I lose my credit
card [one requiring a biometric verification], no one else can
use it?"

Collier points out that biometric techniques can be used to
protect individual privacy as well as organizational or corporate
information. Verifying people's identification protects them
against identity theft, in which an impostor appropriates the
name, address, Social Security number, credit card numbers
and other information pertaining to the victim. Verification also
can limit access to personal information. In Spain, Collier says,
the national health system uses identity cards with biometrics to
give people access to service providers and also to unlock their
medical records, which are not available to doctors alone.

In this country, biometric devices are fairly common in places
such as airports, where they permit authorized individuals to
enter runway and refueling areas, and in law enforcement and
national security offices. But now Collier and many others are
predicting that they will become commonplace means of
fortifying information systems security in federal agencies and
corporations within the next year or two.

Big Test

The organizations in which information-systems applications of
biometrics are making the first inroads are financial institutions,
such as stock brokerages and banks. Not surprisingly, one of
the first large-scale, unclassified federal tests involves money as
well -- the pay advanced to new Army recruits at Fort Sill,
Okla. During a year-long pilot program, each of the 20,000
new soldiers there is receiving a smart card with monetary
value, up to $260.

On the first day of basic training, the recruit enrolls in the
system by having left and right index fingers scanned. The
system stores the fingerprint data on a computer chip
embedded in the card. When the recruit goes to buy toiletries
and running shoes at the Post Exchange (PX), he or she verifies
ownership of the card by placing a finger on a reader at the
cash register.

Lt. Col. Joseph E. Pedone III, commander of the 95th
Adjutant General's Reception Battalion at Fort Sill, says of the
more than 3,000 cards issued between March (when the pilot
program began) and July, none was stolen and 10 were lost.
Lost cards are easily replaced, Pedone says. 

During their eight weeks at Ft. Sill, recruits need not memorize
PINs for their cards nor worry about theft, as they would with
cash. Meanwhile, Pedone says, "it gives us [the Army] time to
activate the pay system" for the newcomers. 

But the biggest benefit is to the concessionaires who operate
the PX, barber shop and other Fort Sill facilities where the
recruits spend money. Lynda Aguon, manager of the PX
annex, where the recruits go for shoeshine kits and flashlight
batteries, says she used to spend up to four hours a day on
paperwork. The recruits would arrive with paper vouchers.
She had to accept them and record the transactions, then
submit claims for reimbursement later. Not only is the new
system faster at checkout, but the transactions are tallied
automatically and forwarded to a bank for payment, just as
with credit card purchases. "It's working out a lot better than
the manual charge voucher," Aguon says.

Biometrics is not a perfect technology. The inexpensive new
fingerprint readers probably could be fooled by a determined
intruder, and some of the systems that rely on biometrics are
subject to "sniffer" attacks in which the data could be hijacked.
Unless used in combination with smart cards, as at Fort Sill,
biometrics is more suitable for fixed systems with recurring
users than for casual use.

Some knowledgeable observers view biometrics as one of
those technologies that is perpetually going to be ready next
year -- never this year. It's true that most of the concepts are
not new, but there have been some real technical advances
recently that give people inside the industry hope. The science
of capturing and encoding mathematical information about
body features has made strides, while affordable desktop
computers have gained processing power. Growing reliance on
networks has driven security concerns to the foreground.

Biometric Consortium

Meanwhile, an industry that was balkanized by its origins in
small, entrepreneurial companies is coalescing. Under the
sponsorship of the National Security Agency, an organization
called the Biometric Consortium (www.biometrics.org) serves
as a focal point for information sharing and technical activities
within the federal government. Sixty federal agencies are
participating in the consortium.

The industry also is coalescing around two or three newly
developed standards for linking biometrics to other systems. In
the absence of standards, a federal agency wishing to employ
biometrics may be forced to buy all the elements of the system
from a single vendor. The participation of IT industry leaders
such as Microsoft Corp. in developing standards is regarded as
an important sign of maturity for biometric technology.

On the other hand, standards will make it easier for
organizations to share biometric information, a prospect that
alarms privacy advocates. In other nations, such as Costa Rica,
fingerprints, faces and digital signatures of citizens are being
stored in a national database. In a $4.7 million project, Costa
Rica's 2 million voters will receive ID cards for voting, cashing
checks and other purposes such as applying for health care.
The biometric information will prevent duplicate voter
registrations, but if such a project were to be proposed in the
United States, it would be difficult to convince Big
Brother-wary U.S. citizens of the value of a national fingerprint
registry and national ID card.

Because of the many unresolved policy issues associated with
biometrics, some observers say the technology will take hold in
the commercial world before it becomes commonplace in
government. 

-----------------------
NOTE: In accordance with Title 17 U.S.C. section 107, this material is
distributed without profit or payment to those who have expressed a prior
interest in receiving this information for non-profit research and
educational purposes only. For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
-----------------------





------- End of Forwarded Message
