After years of confinement in the likes of the Bond films, Biometric Security is stepping off the movie screen and into the business environment and the mainstream, writes Mark Dye.

By 1971, when he returned to take his penultimate bite of the Bond cherry, a certain Mr Connery was already starting to look just a little long in the tooth for the role. Nothing too telling. A double chin here, a broadening waistband there. Greying temples notwithstanding however, that familiar unmistakable air – sort of a cool unshakeable menace – remained. If anything in fact – perhaps fuelled by the savoir faire that maturity so often brings – big Sean was even more self assured.

That film, Diamonds Are Forever, also saw the movie debut of something else that has rather improved with age: Biometric Security. (In case you haven’t seen it, Tiffany Case, aka Jill St John, tries to scotch Bond’s cover as smuggler Peter Franks by lifting his thumbprint from a glass and running it through a scanner. It doesn’t work. 007 is wearing falsies supplied, of course, by Q).

OK, so it’s taken its time to mature and can’t claim to have done so with quite Mr Connery’s grace, style, and economy, but there’s no doubt that biometrics has come a long way since the early 70s. And while – a lot like Bond himself – the technology has had a history of flattering to deceive, it is now gaining in both confidence and market share.

Indeed, driven by several factors – a broadening repertoire, greater availability, a lack of faith and trust in traditional password-based security, and the growing variety and weight of regulatory compliance for instance – biometrics now looks nailed on for a key supporting role in business and IT security, with Frost and Sullivan predicting biometric revenues to hit $2.07bn within five years in the financial sector alone. So what’s made the difference? What’s broken the inertia?

All in all, it’s been a basic case of needs must, notes Wayne Parslow VP of EMEA Operations at biometric appliance specialists Imprivata, who says that more and more organisations are realising that even simple incidents of rogue users stealing their colleagues’ credentials, or users sharing passwords between themselves can constitute serious breaches in security policy. And many are now turning to strong authentication and specifically biometrics as a definitive efficient answer, he says.

Perhaps the most fundamental driver behind this is that biometrics is the only way to truly link an individual to a specific time and place, and to a particular set of actions. And while useful – particularly as complementary elements in two and threefactor authentication scenarios – other forms of authentication such as tokens, smart cards, and passwords can still be shared, lost, stolen, or just forgotten.

The glare of publicity hasn’t done biometrics any harm either. The last 12 months have seen more than their fair share of security based front-page stories. One of the highest profile – that of rogue trader, Jerome Kerviel and his £3.6bn fraud at Societie Generale – would prompt an internal investigation among whose recommendations was the introduction of biometric security.

The fact that biometric technology is finding a much wider range of uses these days is also helping drive the sector forward, adds Cyrille Bataller, a partner with Accenture Technology Labs. “With mandates for use in civil identification in travel documents; for border entry and exit control; for visas, residence permits, ID cards, and health cards, biometric technologies are moving from niche and criminal justice applications into mainstream civil applications”, he says.

Traction for such usage is apparently widespread in both the public and private sectors; in the UK for instance, where the Government is looking to use biometrics in national ID cards, and passports; and in Hong Kong, where it’s already being used daily to control the 000s of foot crossings between Hong Kong and Macau.

Biometrics is also moving beyond security and into the realms of automation, convenience, comfort, and ease of use – where it has a value as a replacement for a human presence, and where it can shave costs and free headcount up for higher value activities. In addition, as already touched on briefly, Biometrics is now more or less universally accepted as one of the cornerstones of multi-factor identification – i.e. ID determined by several factors; something you possess, something you know, and something you are.

It is an area where there has been an important shift in perception, says Francis Toye, managing director at Unilink. He believes that “...the balance is shifting from suspicion to acceptance as the need for identification is becoming more accepted.” – Something else that’s helping people’s receptiveness towards the likes of fingerprint, retinal, and voice scanning.

Also shifting are perceptions of exactly where biometrics fits in the bigger security picture, says Jim Fulton, VP of marketing at DigitalPersona. Where they once were viewed as competitive with password management solutions, he says, Biometrics are now competing with authentication technologies such as tokens and smart cards as the need for multiple factors of identification has grown. “Today, such ‘second factor’ forms of logon are principally used for VPN or website access”, he says. “But over the next 18 months, this will move into the mainstream for corporate access to networks, applications and even transaction-level access to data.”

Biometrics’ primary markets, at least for now, remain environments such as finance and retail (whose Payment Card Industry Data Security Standard – PCI DSS – mandates strong authentication wherever card payment data is stored), where regulation and legislation demand strong authentication. But, thanks to all the drivers above, other niches are showing promising signs, says Parslow.

The healthcare sector, where several NHS Trusts are now opting for biometric-based system access, is one such area – the appeal being Biometrics’ ability to properly protect patient data whilst ensuring it can be accessed quickly by authorised clinical staff whenever needed. Elsewhere, NEC is involved in the delivery of a biometrics-based methadone dispensing system in 70 prisons, where it’s being used in the secure administration of the drug to dependent inmates.

Another vertical leading the way in biometric take up is the airline industry – but was the situation with Heathrow’s much-maligned Terminal 5 – this has not been without its snags with some human rights groups claiming, for example, that biometric checks are intrusive in such environments and even breach the Data Protection Act. The latter is a key point, says Fran Howarth, principal analyst at Quocirca.

Whilst biometrics are certainly an attractive option for controlling access to highly sensitive areas or facilities, rules vary across Europe and indeed worldwide as to how and where biometrics can and can’t and should and shouldn’t be used. “Take up in France for such applications as access control is hampered by the fact that using biometrics for time and attendance has been deemed illegal”, she says.

Moving forward however, Bateller sees multimodal biometrics (systems that combine several flavours of biometrics) as the key to creating programs that are both accurate and highly secure – as he says, no technology is 100% foolproof. He thinks though, that biometrics will continue to complement other security technologies rather than, necessarily, replace them. A PIN might not be sufficient ID for a border crossing, he says, but it’s still deemed
sufficient for withdrawing cash from an ATM.

Richard Farnworth, general manager for Enterprise Solutions at NEC UK thinks the die has already been cast however, and sees fingerprint or iris recognition replacing smartcards for applications such as building access, with PINs used only as a secondary check. This, notes Parslow, is where a good business case becomes vital.
“Issues such as PCI DSS and Data Protection are helping to drive the takeup of strong authentication”, he says. “But overall it has to be backed up by a business case as well. Organisations with compliance or corporate governance requirements can – for example – use their investment in biometrics to improve their reporting and auditing processes.”

As such, it seems clear that as the sector continues to develop, most of the issues surrounding its advancement will concern not the technology, but understanding how best it can fit into business practices and where ROI can be achieved. The technology meanwhile, looks certain to keep evolving and finding its way into new applications. Facial, behavioural, and environmental recognition are on the way; scanner-equipped mobile phones are predicted to arrive over the next 12 months, and products like media players, remote controls, and toys will likely follow close behind.

The parallels between biometrics and Bond look set to hold firm then. Cool, self assured, solid, reliable and – for its producers – great box office.