Biometrics, the security method for identifying an individual by making a match of fingerprints, iris, face, voice, DNA and other unique physical traits, scares people, an industry leader in the field acknowledged this week. But enterprise technology managers say there's no doubt biometrics is a boon to enterprise security.
"There are perception issues we all face," said John Mears, director of biometrics and identity management solutions at Lockheed Martin Information Systems and Global Services Civil. In his keynote address at the Biometric Consortium Conference last week, Mears acknowledged that the public perception of biometrics tends to be rather negative because it's personal and physical.
"There's the perception that biometrics can injure you," he pointed out, telling industry attendees there's a need to educate the public that gathering of biometric samples, such as scans of the iris of the eyes, is not harmful. He said he can understand how people are nervous when the subject of DNA comes up. DNA is in every human cell, and saliva samples collected in a cotton swab in the cheek are enough to analyse a person's unique DNA profile to create a unique identifier (aside from identical twins).
"They think when you've taken their DNA, you've taken their soul," he said. The biometrics industry has to do a better job of explaining the technology and its purpose to the public, he said. He also noted that there are now a lot of state efforts to kill biometrics projects, with US state governments such as Texas repealing use of biometrics in its food stamp programme, while California, Alaska and other areas are also battling biometrics.
In New Hampshire, there has been a bill to restrict collection of biometric data, Mears pointed out, adding that the next hit biometrics could face would come if social networking sites are perceived to be using facial recognition wrongly.
However, positive perceptions of biometrics can be heard from enterprise IT managers who find it delivers strong security and helps in meeting auditing requirements.
"We use biometrics in all our clinical areas through a fingerprint on a pad," says Jim Lowder, vice president of technology at OhioHealth, the regional group of hospitals in Ohio. Hospital workers accessing a computer to view clinical applications all use fingerprint-based verification.
The healthcare system's Imprivata OneSign authentication appliance for single-sign-on (SSO) and access management accepts this type of fingerprint biometric. Simple passwords still exist for internal purposes and as an alternative, but using them is rare since the Imprivata SSO device is set up to accept the fingerprint identification as the primary strong authentication.
Not only does this spare staff from having to remember user IDs and passwords for each application, but the fingerprint biometrics security also helps in meeting requirements from the Ohio Board of Pharmacy that allow for approval of medical prescriptions without physicians having to sign a paper-based prescription.
In general, fingerprint-based identification for access to computer applications has worked very well, though in a very small number of people, their fingerprints are too faint to allow the device to work well, says Lowder. Other forms of two-factor authentication that OhioHealth uses include PhoneFactor: once you enter a corporate PIN and password, an automated call is made to your phone and you verify your identity. If there's any downside to fingerprint biometrics, says Lowder, it's that end users tend to forget their passwords entirely.