If you doubt your
employees have strong opinions about their computers, just
watch the number of complaints to your help desk spike when
you add layers of security. It’s understandable: Passwords
are a pain, especially if you have to change them often.

Biometrics, if properly implemented, offers a win-win
solution. Biometric security — which uses measurements of
human characteristics to confirm identity — can at once
enhance security and free users from the plague of passwords.

And biometrics can be applied to more than just computers. It
can be used to control access to buildings, rooms, networks
and other resources. Proponents of the technology say simply
using any kind of biometrics sends a powerful psychological
message that your agency takes security seriously, which can
produce an important mood of vigilance.

Finally, increased security may be the primary goal of
biometrics, but don’t let it be the only one. “Agencies
narrow themselves out of solutions,” said Vic Berger, a
technologist at reseller CDW.

By deciding too quickly what you want, you may be missing more
complete solutions that offer additional benefits. For
example, placing video cameras in a corridor may give you all
the security you need, but facial-recognition and tracking
software can add significant information, including insights
into traffic patterns, behavior and resource usage.

“Don’t jump into a request for proposals if a request for
information is more appropriate,” Berger said.

Put your finger on biometrics
Once the province of James Bond-style movies with futuristic
facilities, biometrics is becoming commonplace — even
showing up as standard equipment on Dell laptop PCs. The list
of available biometric modes is growing all the time:
- Eye, including iris and retina.
- Hand, including fingerprint, palmprint and hand shape.
- Head, including face, earlobe and lips.
- Biochemistry, including DNA and odor.
- Behavior, including voice, signature, keystroke and
gait.
Although hand readers and fingerprint readers are employed in
about 80 percent of biometric access applications, any of
those modes can verify your identity. They differ, however, in
many characteristics, including:
- Ease of enrolling individuals.
- Accuracy in distinguishing individuals.
- Speed of identification.
- Size of reader.
- Operation in various environments.
- Cost.
Each mode — and, in some cases, each product — differs
greatly in approach and installation, so direct comparison is
difficult during a typical bid process. Moreover, each mode
involves some trade-offs. For instance, iris identification is
accurate but can be slow and requires more cooperation from
users than some other types of biometrics.

There are a number of other major issues to consider in
selecting the best biometric mode.
- Ease of enrollment. You need to enroll new
individuals quickly and simply, not just to save time but
to maintain staff goodwill — and make no mistake,
biometrics depends on goodwill just as any other type of
security does.

You are asking people to expose their eyes, allow
themselves to be fingerprinted or permit other essentially
intrusive procedures. Expect resistance for religious or
political reasons but also simply because bodies are
private, and people aren’t comfortable exposing body
parts, even for excellent reasons.

- Error rates. Error rates are not a big problem
with small populations, but a high error rate with a large
population is a recipe for disaster because user patience
tends to decrease as error rates increase.

- Recognition speed. Speed of identification can
play a similar role. For example, fingerprint
identification is relatively slow and most suitable for
low-volume applications, not for hundreds of workers
waiting impatiently to check into the facility each
morning.

- Device size. Size of the sensor device is most
important in small areas, such as next to doors.

- Environment. The environment can affect the
choice of modes in subtle ways. For example, if you’re
protecting a lab where the staff wears gloves, fingerprint
readers probably aren’t a good choice. “Voice
recognition — or a combination of modes — might make
more sense,” said Gregory Zekster, an associate at
consultant Booz Allen Hamilton.

- Cost. Especially for low-volume operations, cost
is a key consideration. Biometrics saves the burden and
expense of a card-based system, not to mention eliminating
the headache of lost or stolen cards. People don’t often
forget their hands.

- Multiple-factor authentication. What if other
constraints push you to biometric solutions that are
comparatively less secure? “Multimodal solutions using
two or more different biometrics are becoming more
common,” Zekster said. Multimodality can also be more
flexible, with certain kinds of access requiring only one
mode and others requiring more.

Hurdles to clear
First and foremost, don’t let a biometric solution lull you
into a false sense of security. Don’t abandon your
firewalls, encryption, passwords and other security
precautions just because you have biometrics. The measurements
for comparison reside in a database, which must itself be
encrypted and secured. “Always save the raw data of each
measurement,” said Chris Crooks, an associate at Booz Allen
Hamilton. As capacity for detail improves, you’ll find uses
for it, and keeping that data in a standard format makes data
sharing across agencies possible.

You may want to avoid large, centralized databases of
biometric information. Self-contained, individual fingerprint
readers, for example, can verify identity and keep the
biometric data out of the centralized database. Users also
feel more comfortable knowing that their fingerprints aren’t
in some massive repository. But losing a reader can be
expensive and annoying.

And bear in mind that biometric technologies have limitations.
Some portion of the population will always be physiologically
unable to use certain modes. It’s not just that one-armed
man, either: Approximately 4 percent of people can’t use
fingerprint technology because of dry skin.

Psychological and political issues are no less important.
“Most Europeans — and many Americans — are unwilling to
entrust their fingerprints,” Crooks said. Others are
squeamish about exposing their eyes to scanners, no matter how
harmless they are. Even the chance of infection from a
fingerprint scanner is objectionable to some people.

Biometric systems can also be costly and complicated to
deploy. That makes it all the more important to work carefully
with vendors. “Focus on the overall solution, not just the
product or even the specific technology,” Berger said.
“Stretch your goals. Ask for a lot from vendors: ideas and
possibilities, not just products.”

Don’t forget about scalability. Depending on the intent of
the biometric implementation, the number of people using it
will probably grow, sometimes rapidly. For example,
biometric-controlled access may be mandatory first for one
group working on a network, then for another and another until
all users must be enrolled. Your biometric solution should be
scalable to handle increases in users and locations.

Finally, although standards for biometrics are just emerging,
you should ensure that your solutions are based on existing
standards and not dependent on a vendor’s proprietary
technology. For one thing, using standards-based components
permits a wider range of possible solutions and vendors for
each component.

Furthermore, standards-based technology lets you upgrade more
easily when newer, better, faster widgets come along — and
they will. The field of biometrics is far from mature, and new
modes and implementations come along each year.
“Fingerprints are already being replaced by other modes,”
Zekster said. Try to select a vendor with a reputation for
keeping up with evolving standards.

Weighing the options
When comparing solutions, you’ll likely need to do some
probing to get the information you need.

Suppose you want to know how fast a prospective biometric
solution can handle people waiting for access. The vendor may
quote the verification time for the reader, which is the
elapsed time from the user presenting themselves at the device
until identity verification. This is certainly part of the
total time you’re looking for, but it’s not the whole
story. What you need is the total time it takes for a person
to use the device.

Depending on environmental conditions at your location, you
may also need to look closely at each solution’s durability.
Does your environment include abrasive sand, electrostatic
shock, high or low temperatures, direct sun or radiation,
chemicals, rain or snow, wind-driven grit, or other difficult
circumstances? If so, make sure the mode and its
implementation match the need.

Biometric solutions must also integrate with existing systems.
Products that are interoperable will have a longer useful life
and greater flexibility. Choose solutions that are independent
of operating system and hardware. The ability to acquire
hardware from one vendor and software from another can be
crucial for creating best-of-breed solutions.

If you need to do special application development, a software
development kit can simplify things. You may also require
remote enrollment or management capabilities for facilities in
multiple locations.

Finally, be aware that the biometrics business is pretty wild
these days. Companies merge or acquire one another and
sometimes go out of business entirely. This has its
advantages: One company may offer many technologies. But there
are also potential downsides. For example, long-term product
support may be unpredictable and unstable. Working
collaboratively with knowledgeable and imaginative systems
integrators is vital in a technology that is so complex.

Biometrics is one technology where government agencies have
the advantage over businesses. The government is by far the
biggest customer for biometric
security, so government agencies get to see the newest and
best ideas first. “Government agencies have a moral
responsibility to pioneer and shape biometric solutions,”
Berger said. Use this advantage to create a biometric solution
that’s perfect for your agency.

Implementing a biometric solution to secure access is a
major project that will affect many aspects of your
organization. Here are the questions you should consider
before committing resources to a particular solution.

Before exploring an isolated biometric solution, consider how
it might also apply to other areas, such as single sign-on,
tracking, scheduling and so forth. Try to get as much utility
as possible.

Seek vendors — or vendor-independent integrators — who can
come up with imaginative solutions that combine hardware,
software and supporting components. They should have customer
references in the government area.

What kinds of biometric modes will your employees accept? Are
they willing to be fingerprinted or give their DNA? Will they
permit iris or retina scans? Does it make sense for them to
carry individual biometric tokens? Do vendors poll workers to
identify their concerns? Can vendors educate staff to help
them understand and accept possible biometric solutions? How
will you handle security for those who cannot or will not use
the biometric solution?

What constraints of the work environment — such as required
gloves, masks or hats that hide fingerprints, faces or eyes
— affect biometric choices? Do vendors offer a variety of
modes to suit these restrictions?

What other environmental factors affect the possible biometric
solution? This might be as simple as a reader that must fit
next to a door. But consider extremes of heat and cold, rain
or snow, sunlight, radiation, chemicals, vibration, dust and
sand. Can vendors provide biometric devices hardened for the
necessary environments?

How much security do you need this solution to provide? Which
biometric modes provide the level of security you need? If
environmental restrictions preclude the most secure modes, can
a combination of less-secure modes fill the bill? Can your
vendors provide all modes and the means to tie them together
logically?

How easy is it to enroll individuals? How accurate are the
modes in distinguishing individuals?

How fast can the system identify individuals and grant access?
Is that fast enough to handle the expected number of users? Is
the error rate so high that employees and administrators will
become frustrated with the system?

What is the cost of possible solutions? Because biometric
devices can break down at the worst possible times, can you
get spares?

How many locations will the biometric security apply to? Is
this likely to increase? Do some locations need to be managed
remotely? How easy is that to do? How many people will be
using the solution? Is that likely to increase?

How and where will biometric data be stored? How will that
data be secured? Is the data in formats that support data
sharing across agencies?

How will the biometric solution integrate with existing
security, physical infrastructure, computer infrastructure and
applications? Is the solution standards-based? How does
software interoperate with existing platforms, operating
systems and applications?

How stable are the vendors? Will they be around in five years?
How easy would it be to acquire and integrate similar
components from alternate vendors?