Biometrics Help Find Your True Identity

When you signed up at that new Web site last week, did you use one of your passwords with six characters, or is that a site that requires at least eight? Was it the one where you must combine letters and numbers, or was it just a numeric password?

I bet you're as frustrated as I am with passwords. And all of this is intended to verify our identity. Who are we kidding?

I just received an advertisement in the mail that heralds a new electronic pad that allows you to sign your name with a stylus and transmit your signature. They say that the pen has finally evolved.

This is a perfect example of taking a (legacy) practice that we are all comfortable with and upgrading it ad nauseam, rather than coming up with something that works better. Passport photos for identification fall into that camp as well. Your identity is authenticated by showing a likeness of yourself on a piece of paper–one that hardly looks like you anymore, to boot.

Or, how about the sales clerk who holds onto your credit card (rather than just scan and return it) so he can match your signature to the one on the back of the card. Oh sure. For some reason, we have not been able to get beyond the scribbles and images.

Single sign-on portals that give you access to aggregated services or portals that remember all of your passwords have come into vogue recently. Although useful, some people are squeamish about putting all their eggs in one basket, so to speak. Besides, these are not real solutions at all, but merely a work-around to perpetuate passwords like we do scribbles and images.

There are ways to confirm your identity that might be less arduous than keeping track of all those passwords–and I dont mean on “Post-it” notes encircling your monitor. We're not quite there, but some things are on the horizon.

Humans have a gold mine of distinctive traits that can be used to identify them. Behavioral traits are one way to go, although voice, handwriting and other such characteristics can change due to age and other circumstances. However, physical characteristics like fingerprints, along with facial, retina and iris features are more reliable over time. An iris's color, texture and patterns, for example, are unique, coming together to create their own version of fingerprints.

Biometrics–the technologies that seek to identify people by their unique characteristics–can verify someone's identity within one or two seconds (and you rarely forget your fingerprints, as they're always there at your fingertips). Identification also requires your physical presence, unlike passwords that can be handed out to friends or stolen.

Biometrics also can save companies time by lessening the amount of password administration they must do for new employees and workers who forget their secret codes.

However, while certain characteristics might be unique, the technologies that leverage them dont always prove to be 100 percent accurate. In addition to voice and handwriting traits changing over time, many users have a difficult time learning how to use some of these technologies.

Still, biometrics is a burgeoning industry, with $524 million in revenues in 2001, according to the International Biometric Group, a New York-based research and consulting firm. Of that, nearly $100 million was spent on finger-scan technology, while less than $20 million was spent on voice, signature and iris scanning technologies.

Two-thirds of total spending is for law enforcement and other public-sector identification efforts. IBG projects 2003 revenues of $1.049 billion. It gained much attention after last year's terrorist attacks, when some airports began experimenting with biometrics technology that matched the faces of passengers against a database of known terrorists.

In the financial services industry, facial and fingerprint recognition technology is being used at some ATMs, giving customers a way to get rid of the password's cousin–the PIN number. Facial scans also are used at check-cashing kiosks. A Seattle supermarket lets customers pay for groceries by scanning their fingerprint and entering an ID code.

Health insurers and providers might find more value in biometrics. Under the Health Insurance Portability Act, they and others are required to protect the privacy of medical records. By using, say, fingerprint scans at computer terminals in hospitals, it might be easier and faster for nurses and doctors to access patient information. If those health professionals are moving among hospitals, biometrics also could prove more convenient than remembering multiple passwords.

Americans like their privacy, which could explain why biometrics is not more widespread in the United States. It took Sept. 11 to jumpstart its use at airports, and now there's talk about scanning the fingerprints of some non-citizens when they enter U.S. borders. Signed in October 2001, the Patriot Act requires the development of technology standards to confirm identity for U.S. visa applicants.

Meanwhile, other countries are using the technology to identify citizens eligible for public benefits. For instance, South Africa uses fingerprint scans to identify about three million recipients of state pensions. Similar scans are used in the Philippines for distributing social security benefits. In addition, the Dutch are scanning irises and faces of immigrants to cut down on passport fraud. And the United Kingdom Passport Service is considering the issuance of biometric identification cards encoded with iris scans or fingerprints by 2006.

There are downsides to biometrics, in addition to the costs. Some technologies simply cannot correctly identify certain people. A system might be unable to identify a particular user, which falls under something called the “failure to enroll” rate.

An interesting part of biometrics is “liveness,” which ensures that the person being authenticated is really present. While one of the benefits of biometrics is the fact that you actually must be somewhere to have your face or fingerprints scanned, some users are concerned that computers could not tell the difference between the real thing and a “replay” of a previous iris scan, for instance.

Vendors are preventing this problem by building in ways for their systems to verify that there's a live human being on the other end. They look for the natural movements in the eyes, for example, during scanning.

All these developing technologies involve standards. With a new standard governing the use of biometric information approved in 2001, the technology is moving quickly and the standard is already being revised. What else is new?

The Accredited Standards Committee (ASC) X9, the national standards-setting body for the financial services industry, issued “X9.84 Biometric Information Management and Security.” ASC brings together bankers, securities professionals, manufacturers, regulators, associations, consultants and others in the financial services industry to address technical problems.

X9 defines the requirements for managing and securing biometric information used in the identification of customers and the verification of employees. X9 also outlines techniques for maintaining the integrity and privacy of the information.

ACORD works with OASIS (the Organization for the Advancement of Structured Information Systems), which recently formed the XML Common Biometric Format (XCBF) Technical Committee to provide an XML standard for biometrics. Its job is to define a set of XML for the Common Biometric Exchange File Format (CBEFF).

Draft versions of XCBF will be submitted through next May, with the final versions of all deliverables due in November 2003. It can be used with cellular phones, smart cards and other technologies, providing a way for them to interact with Web-based information.

E-signature laws are intentionally vague to allow a signature to be defined in new ways. The insurance industry will benefit directly in terms of policyholder services as well as improved risk management and fewer fraud claims.

The standards for biometrics mean that we're getting closer to the day when we can let go of the scribbles, images and passwords that give us our (false) sense of security today, and use those sticky pads for something more than decorating our monitors.

Gregory A. Maciag is president and chief executive officer of ACORD, the non-profit insurance standards association based in Pearl River, N.Y., with offices in Belgium and the United Kingdom.

Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, September 16, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.

Special Reports /

Biometrics Help Find Your True Identity

Related Stories

Recommended For You