Biometric technology is now at the forefront of security discussions, but this hasn’t always been the case. Until recently, costs, social issues and implementation hurdles hindered its adoption.
Stephen Andriole, senior consultant with the Cutter Consortium and professor in the Department of Decision and Information Technologies at Pennsylvania’s Villanova University, said biometrics has been fighting an uphill battle.
“There is very little benchmarking out there…saying this is what it is going to cost you (to add a biometric solution),” he said. That inability to calculate accurate total cost of ownership, combined with social reluctance and technical hurdles, meant few companies were looking beyond user names and passwords to access corporate networks.
Today, companies are starting to reasses biometrics. Hardware costs of items such as fingerprint readers have fallen dramatically, technological advances have increased accuracy and the world has changed its security focus post Sept. 11, Andriole said.
Ironically, two Canadian companies currently using fingerprint readers to enhance security both started their implementation process prior to 9/11.
The Credit Union Central (CUC) of British Columbia has deployed 1,200 fingerprint readers to dozens of B.C. credit unions. CUC supplies wholesale financial services to credit unions across Canada. For example, if someone walks into a credit union wishing to transfer money to Hong Kong, CUC transfers the money on behalf of the individual credit union. But since each credit union is an independent company, there is no centralized network with homogenous technology to enable the process. As well, wire transfers were conducted on paper or over the phone.
The solution was to turn to a Web-based application.
Oscar van der Meer, associate vice-president of technology services at Vancouver-based CUC, said the company developed a portal through which credit union employees could access the company’s services.
But since large sums of money are potentially involved, user names and passwords were deemed insufficient.
The company looked into smart cards, certificates and biometrics. Though security was the prime concern, it was not the only one – cost per installation and ease of use were also of paramount importance.
“If we had to have people come into a central location to register their fingerprint, that would not have worked,” van der Meer said.
Instead, fingerprint readers are sent to each participating credit union. The reader is plugged into a PC. Users are then directed to a Web site to download the necessary drivers, shown how to log on to the secure CUC portal and register their fingerprint.
van der Meer said the most time consuming portion of the implementation was the development of the complex financial applications, such as wire transfers, not the actual installation of the fingerprint readers.
education is key
Educating end-users on fingerprint policy is also necessary. People may suspect an organization is collecting it for one reason but using it for another, van der Meer said. So making corporate policy very clear is important.
It is also a benefit that CUC is a financial institution. “If you are working at a credit union it is very difficult for you to opt out of security procedures, they are part of the job,” he said.
For Osama Arafat, CEO of network services provider Q9 Networks Inc. in Toronto, it was not quite as easy. His company installed fingerprint readers to allow its enterprise customers access to their own technology hosted at Q9’s data centre.
As those using the readers are not Q9 employees, Arafat said social issues needed to be addressed. Any user who is concerned with using a reader soon learns that a random series of fingerprint points – not the actual fingerprint itself – is stored and used to identify an individual. Reverse engineering, or using the stored data to create a fingerprint, is impossible.
From a business perspective, he said the decision to install the readers was much easier.
“The biometric authentication solves a whole bunch of problems,” Arafat explained. There is no passing off of swipe cards from one individual to another, so there is total non-repudiation. Operational issues such as key management are also removed. And though Arafat readily admits fingerprint technology is more costly than locks, the total cost of ownership is less than traditional methods.
“We feel it has saved us a lot of money,” he said.
The Credit Union Central of British Columbia has also seen cost savings but the bigger savings come from the consolidation of processes. “[Employees] no longer need to remember a different password for each financial application,” van der Meer said. “So administrative hassles are reduced.”
Both companies looked at several biometrics solutions (iris, voice, hand and signature scanners to name a few) but concluded that fingerprint readers were the best fit.