Security Profession blog
Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.
Monday 18 August 2008, 3:56 PM
Biometrics needs to keep the bad guys out not the good guys
I was interested to read recently that the biometric market was about to double. This market has been around for almost as long as modern information security. In some respects it’s a bit like PKI, a solution looking for a problem. The difference with biometrics, however, is not that there are no problems to solve but rather that there is always a trade-off between “false negatives” and “false positives”. The paradox for us in information security is keeping the bad guys out without restricting access to people who need it.
When I was at the Royal Bank of Scotland, we undertook quite a detailed study of how biometrics could be used for banking customers and for managing internal systems. Our conclusion at that time was that the technology was still not sufficiently mature to implement on a wide scale. I believe that this is gradually changing and, in agreement with the recent report, that we will see more and more biometric technology being implemented. In fact, our last survey of the information security workforce found that biometrics was high on the list of technologies that were being planned for deployment, with 14 percent of the total survey saying they planned to deploy biometrics. It was also one of the top 5 technologies already being deployed across EMEA.
While biometrics is relatively good for authentication, it can be relatively slow and not so accurate for identification. Take for example the UK immigration’s (or I should say UK Border Agency – to give it its new name) rather tautologically named “Iris recognition immigration system” - IRIS system. This system allows users that have pre-registered to get through UK immigration by iris recognition without the need to visit an immigration officer. This is interesting as it is using biometrics as a form of identification rather than verifying a claimed identity. I’ve used this system a number of times and the disadvantage that I have found is that at busy times, there are so many problems getting accurate results that it is often quicker to queue up to see an immigration officer. I’m sure this will improve once more reading stations are installed and users get better used to using it. So if biometrics is going to feature at the 2012 Olympic Games, I hope that by then the existing problems will have been solved and that we don’t see long queues of people waiting for computer verification before they can enjoy a sporting event. Biometrics needs to keep the bad guys out but not the good guys as well!
John Colley, CISSP
Managing Director (ISC)2 EMEA
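The trade-off between false negatives and false positives, and the gap between authentication (one comparison against a claimed identity) and identification (a search across everyone enrolled), can be put in numbers. The following Python sketch is an added example, not part of the original post: the similarity scores, thresholds and gallery size are constructed, and the 1:N figure assumes each comparison is independent.

```python
import random

def make_scores(seed=7, n=20000):
    """Constructed similarity scores (not measurements from any real system):
    genuine comparisons cluster high, impostor comparisons cluster low."""
    rng = random.Random(seed)
    genuine = [rng.gauss(0.80, 0.08) for _ in range(n)]
    impostor = [rng.gauss(0.40, 0.08) for _ in range(n)]
    return genuine, impostor

def error_rates(genuine, impostor, threshold):
    """Accept when score >= threshold.
    Returns (false negative rate, false positive rate) for one 1:1 comparison."""
    false_neg = sum(s < threshold for s in genuine) / len(genuine)
    false_pos = sum(s >= threshold for s in impostor) / len(impostor)
    return false_neg, false_pos

def identification_false_positive(false_pos, gallery_size):
    """Chance that someone who is NOT enrolled matches at least one of
    gallery_size enrolled templates (assumes independent comparisons)."""
    return 1.0 - (1.0 - false_pos) ** gallery_size

def sweep(thresholds=(0.50, 0.55, 0.60, 0.65, 0.70), gallery_size=100_000):
    """One row per threshold: (threshold, false negative rate,
    1:1 false positive rate, 1:N false positive rate)."""
    genuine, impostor = make_scores()
    rows = []
    for t in thresholds:
        false_neg, false_pos = error_rates(genuine, impostor, t)
        rows.append((t, false_neg, false_pos,
                     identification_false_positive(false_pos, gallery_size)))
    return rows

if __name__ == "__main__":
    print("thresh  false-neg  false-pos(1:1)  false-pos(1:N)")
    for t, fn, fp, fp_n in sweep():
        print(f"{t:.2f}    {fn:.4f}     {fp:.5f}         {fp_n:.4f}")
```

Raising the threshold lowers false positives at the cost of more false negatives, and a 1:1 error rate that looks negligible compounds quickly once every presentation is compared against a large enrolled population.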


