Case studies reveal the pros and cons of biometrics

Thanks to problems in some large-scale implementations, biometrics isn't quite ready to take over the password market. Nonetheless, as these case studies show, in the right situation and with the right rollout, biometrics can be a very secure move.

In 1994, I was working as a network administrator for a large insurance company. The company was very proud of the fact that it invested insane amounts of money in the latest technology. One day, my boss told me about a new technology that we were going to be trying out called biometrics. About a week later, a package arrived with two fingerprint readers inside. My boss explained to me that the company was going to quit using passwords and start using fingerprint recognition for authentication and that the two readers that had just arrived were for testing purposes.

Unfortunately, those prehistoric fingerprint readers had some serious accuracy problems. Rather than examining a person’s entire fingerprint, they looked at seven different points on a person’s fingertip. If the seven points matched, then authentication was granted. Unfortunately, this meant that the fingerprint readers couldn’t tell the difference between my secretary and me. Others in the office also suffered from similar identity problems. Therefore, we collectively decided that the technology just wasn’t ready and banished the fingerprint readers to the storage closet.

Obviously, the biometrics field has made significant advancements since my experience with the faulty fingerprint readers. Still, while biometrics does have its place in some applications, it is not for everyone. This article examines a few banking industry case studies where biometrics was used effectively, as well as some situations in which it does not belong.

Biometric device types
Fingerprint readers have greatly improved in the last several years. Likewise, there are a number of other biometric technologies available. Such technologies include signature readers, retina scanners, and DNA samplers.

Some of these devices are more practical and reliable than others. For example, signature readers require an employee to use a stylus to sign in on a touch pad. The authentication algorithm looks at the signature itself, the motions that the employee made to produce the signature, and how hard the person pressed while signing. This particular technology sometimes denies access to a legitimate employee because of variances in a user’s signature from one login to the next. Also, with a little practice, it’s possible for a forger to fool a signature reader with relative ease. At the other end of the spectrum are DNA samplers. A DNA sampler looks at a piece of the user’s hair before granting the user access. The downside is that it is very expensive, tends to be slow, and can be a real pain for anyone who is completely bald.

Retina scanning case study
The biometric technologies that have had the widest adoption are fingerprint readers and retina scanners. The banking industry has experimented with both on a limited basis. I recently read a case study in which one bank successfully implemented retina-scanning-based authentication for its employees. The bank then decided that its customers might also benefit from the technology and built an ATM with a built-in retina scanner. On the first visit, the customer inserted an ATM card and entered a PIN as usual; the ATM then prompted the customer to look into the scanner and mapped the customer’s retina. On every later visit, the customer still inserted the card but, instead of entering a PIN, looked into the scanner. Once this initial enrollment was complete, the customer no longer had to remember a PIN.

The bank received very positive feedback on the new ATM but is still deciding whether mass deployment is an option. The bank indicated that the machines cost significantly more than a normal ATM but that retina-scanning technology may help it gain more customers, which would offset the additional cost.

Fingerprint case study
Another bank also experimented with biometric technology on ATM machines. Instead of using retina scanning, the bank implemented a fingerprint reader on the machines. The bank created three such machines and placed them in strategic locations within a small town. However, the biggest mistake that the bank made was in choosing the town. The bank picked a coal-mining town in Kentucky where a large portion of the male banking customers worked in the coal mines. Because of the nature of their jobs, much of the men’s fingerprints had worn off. The test was a disaster for the bank, and fingerprint recognition technology was not implemented further.

Another bank had success when implementing fingerprint recognition by going a different route. Rather than issuing its customers standard ATM cards, the bank issued smart cards. The idea was that when a customer used one of the bank’s ATMs, that person would insert the smart card and then place a fingertip onto the fingerprint reader for verification. Rather than storing the fingerprint records in some massive database somewhere, the customer’s fingerprint was stored on the chip in the smart card. Thus, a worn-out fingerprint didn’t matter, because the template on the card had been captured from that same worn fingertip and would still match it.

This bank also took things one step further. The smart card’s chip also contained a photograph of the customer. If the ATM was unable to verify the customer’s identity, it would compare the image from the ATM’s camera to the image stored on the card, visually identifying the customer.
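The smart-card flow described in the two case studies above (template on the card rather than in a central database, with the camera image and then a PIN as fallbacks when the fingerprint match fails) can be modelled end to end. The following is an added example written for this article, not code from any of the banks discussed; the 256-bit bit-vector templates, the Hamming-distance matcher, the thresholds, the `SmartCard` type and all sample data are constructed assumptions for illustration.

```python
import hashlib
import random
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TEMPLATE_BYTES = 32        # 256-bit templates; size is a constructed assumption
FINGER_THRESHOLD = 0.25    # accept when <= 25% of template bits differ (assumed)
PHOTO_THRESHOLD = 0.20     # stricter threshold for the photo fallback (assumed)
PBKDF2_ROUNDS = 100_000    # PIN hashing work factor for the last-resort fallback


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of differing bits between two equal-length bit-vector templates."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


def perturb(template: bytes, flip_fraction: float, seed: int) -> bytes:
    """Constructed stand-in for a fresh sensor capture: flips a fraction of the bits."""
    rng = random.Random(seed)
    buf = bytearray(template)
    n_bits = 8 * len(buf)
    for pos in rng.sample(range(n_bits), int(flip_fraction * n_bits)):
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


@dataclass(frozen=True)
class SmartCard:
    """Everything needed to verify the customer travels on the card; no central store."""
    account: str
    finger_template: bytes
    photo_template: bytes
    pin_salt: bytes
    pin_hash: bytes


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def enroll(account: str, finger: bytes, photo: bytes, pin: str) -> SmartCard:
    """Enrollment: capture the (possibly worn) finger and the photo once, write both
    to the card, and keep only a salted hash of the PIN for the fallback path."""
    salt = secrets.token_bytes(16)
    return SmartCard(account, finger, photo, salt, _pin_hash(pin, salt))


def authenticate(card: SmartCard, live_finger: bytes,
                 live_photo: Optional[bytes] = None,
                 pin: Optional[str] = None) -> str:
    """Layered verification: fingerprint, then camera image, then PIN.
    Returns the factor that succeeded, or 'denied'."""
    if hamming_fraction(card.finger_template, live_finger) <= FINGER_THRESHOLD:
        return "fingerprint"
    if (live_photo is not None
            and hamming_fraction(card.photo_template, live_photo) <= PHOTO_THRESHOLD):
        return "photo"
    if pin is not None and secrets.compare_digest(card.pin_hash, _pin_hash(pin, card.pin_salt)):
        return "pin"
    return "denied"


def demo() -> Dict[str, str]:
    """Enrollment followed by four later visits, all with constructed templates."""
    rng = random.Random(1)
    worn_finger = rng.randbytes(TEMPLATE_BYTES)   # the worn print as captured at enrollment
    photo = rng.randbytes(TEMPLATE_BYTES)
    card = enroll("ACCT-0001", worn_finger, photo, "4821")
    stranger = random.Random(9)                   # someone else holding the card

    results = {}
    # Visit 1: the same worn finger with 10% sensor noise matches the on-card template.
    results["worn_finger"] = authenticate(card, perturb(worn_finger, 0.10, seed=2))
    # Visit 2: a bad capture (40% noise) fails, but the camera image matches the stored photo.
    results["photo_fallback"] = authenticate(card, perturb(worn_finger, 0.40, seed=3),
                                             live_photo=perturb(photo, 0.05, seed=4))
    # Visit 3: bandaged finger, no usable photo; the customer falls back to the PIN.
    results["pin_fallback"] = authenticate(card, perturb(worn_finger, 0.40, seed=5), pin="4821")
    # Visit 4: another person with the card and a wrong PIN is denied on every layer.
    results["denied"] = authenticate(card, stranger.randbytes(TEMPLATE_BYTES),
                                     live_photo=stranger.randbytes(TEMPLATE_BYTES), pin="0000")
    return results
```

Two design points worth noting. First, the comparison here runs on the ATM after reading the template off the card; a true match-on-card design performs the comparison inside the card’s chip so the template never leaves it, which is the stronger arrangement. Second, each fallback layer is a separate policy decision: the photo threshold is deliberately tighter than the fingerprint threshold, and the PIN path is the one layer that does not depend on a sensor working, which is exactly why the article recommends an alternate sign-in method.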

Implementing biometrics
When planning a large-scale biometrics rollout, the first thing you need to do is to determine which biometric technology is appropriate for your organization. Some technologies are more appropriate to some industries than others. For example, if you are running an industrial facility, you probably don’t want to use fingerprint recognition.

Another issue to consider is cost. Biometric technology tends to be a little pricey, but some technologies are obviously more expensive than others. Furthermore, the cost of the biometric technology could be offset by the money you would save by not resetting passwords. When a user forgets a password, there is a period of lost productivity until the password is reset. The user must call the help desk, and someone on the help-desk staff must take the time to reset the password, time that could be better spent helping someone with a more serious problem who is also unable to work. All of this lost productivity costs money. A Gartner study determined that each time a user in a large organization requires a password to be reset, it costs the organization roughly $32.

Perhaps the biggest lesson that you should learn from the banking industry about large-scale biometric deployments is that you should start with a small pilot program to make sure that the technology is really going to work for your company. You also need to provide the users with some alternate method for signing in should the biometrics fail to authenticate a legitimate user.
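A pilot program is only useful if it measures the two failure modes the case studies illustrate: legitimate users being rejected (the coal-mining town) and impostors being accepted. The following added example, written for this article rather than taken from any bank’s program, evaluates constructed pilot match scores per sub-population; the score lists, the office/mine split, the 5% false-reject budget and the function names are all assumptions made for illustration.

```python
from typing import Dict, List

# Constructed pilot data: normalized match distances (0.0 = identical, lower is closer).
# "genuine" = a participant against their own enrolled template, "impostor" = against
# another participant's template. The two sub-populations mirror the office/mine split.
GENUINE_SCORES: Dict[str, List[float]] = {
    "office_staff": [0.05, 0.08, 0.10, 0.12, 0.09, 0.07, 0.11, 0.06, 0.13, 0.10],
    "mine_workers": [0.18, 0.31, 0.27, 0.44, 0.22, 0.35, 0.29, 0.19, 0.47, 0.26],
}
IMPOSTOR_SCORES: List[float] = [0.41, 0.52, 0.45, 0.50, 0.55, 0.39, 0.51, 0.49, 0.53, 0.46]


def false_reject_rate(genuine: List[float], threshold: float) -> float:
    """Share of legitimate users turned away: genuine distance above the threshold."""
    return sum(s > threshold for s in genuine) / len(genuine)


def false_accept_rate(impostor: List[float], threshold: float) -> float:
    """Share of impostors let in: impostor distance at or below the threshold."""
    return sum(s <= threshold for s in impostor) / len(impostor)


def equal_error_threshold(genuine: List[float], impostor: List[float],
                          steps: int = 100) -> float:
    """Threshold at which FAR and FRR are closest (the EER point), scanned on a grid."""
    best_gap, best_t = None, 0.0
    for i in range(steps + 1):
        t = i / steps
        gap = abs(false_reject_rate(genuine, t) - false_accept_rate(impostor, t))
        if best_gap is None or gap < best_gap:
            best_gap, best_t = gap, t
    return best_t


def pilot_report(groups: Dict[str, List[float]], impostor: List[float],
                 threshold: float, max_frr: float) -> Dict[str, dict]:
    """FRR per sub-population at the deployment threshold, plus pooled FRR and FAR.
    A group whose FRR exceeds the budget is one the rollout would fail for."""
    report: Dict[str, dict] = {}
    for name, scores in groups.items():
        frr = false_reject_rate(scores, threshold)
        report[name] = {"frr": frr, "acceptable": frr <= max_frr}
    pooled = [s for scores in groups.values() for s in scores]
    report["pooled"] = {
        "frr": false_reject_rate(pooled, threshold),
        "far": false_accept_rate(impostor, threshold),
    }
    return report


if __name__ == "__main__":
    pooled_genuine = [s for g in GENUINE_SCORES.values() for s in g]
    print("EER threshold:", equal_error_threshold(pooled_genuine, IMPOSTOR_SCORES))
    for name, row in pilot_report(GENUINE_SCORES, IMPOSTOR_SCORES, 0.25, 0.05).items():
        print(name, row)
```

The point of reporting per group rather than only pooled is the one the Kentucky pilot makes: with these constructed scores the pooled false-reject rate at a 0.25 threshold is 35%, which already looks bad, but it hides a 70% rate for the mine workers against 0% for office staff. Reading only the pooled number, or piloting only among office staff, is how a deployment ends up failing for the population that actually uses the machines.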
