6

Can anyone give a realistic estimation, based on real-world experience, of how much biometric authentication techniques are being used in the IT field?

  • 1
    Please define "IT field" further? If you just mean 'related to computers' across all industries across the world, then the answer is probably "biometric authentication is almost never used". –  Apr 27 '11 at 20:48
  • Didn't people pick up yet that the common ones were trivial to fool? – Bruno Rohée Apr 28 '11 at 11:34

8 Answers

4

As I'm sure I posted in one of the other biometric questions, the only places I see it a lot are datacentres. And more specifically, datacentres protecting high value root certs. For this type of environment it is the norm, rather than the exception. Update to say - it is only ever used in addition to all the other controls, not instead of!

Elsewhere, it's patchy - people are starting to use fingerprint scanners on laptops etc., but I get the impression that is just because they are there so might as well be used:-)

Rory Alsop
4

Fingerprint scanners have become more common since they became so cheap. Several years ago they were included in nearly every laptop on the market. They're not so common anymore, though, presumably because people never used them.

Most of the top-tier datacenters I've visited have had some sort of biometric scanner at the door -- usually hand geometry -- though I rarely see biometrics entering any other type of building. As a rule, facilities built or upgraded from around 2000 to about 2007 will often implement biometric security. Some new places still do, but it's not as in vogue as it used to be.

There's an important point about biometric authentication that many of the commercial installations respect, but which is not immediately obvious: you should never rely on biometrics to supply both authentication and identification. Biometric measurements are useful, but they're in no wise unique. Two people may not have the exact same fingerprint, hand geometry, or iris patterns, but the measurements are often lossy enough to allow for collisions. Biometrics need to be just one part in a multi-factor authentication system.

tylerl
  • 1
    Very good point. Alternatively, it is possible to use it as identification (it's used by police departments all the time), but then it is *only* id, and not authentication. – AviD May 03 '11 at 21:27
3

Over the years I've seen commercial organisations evaluating biometrics (e.g. voice) and limited deployments (e.g. fingerprint readers on PCs), but it's very rare in my experience (which is mainly with financial and large asset management organisations).

I think the main reasons biometrics have not got very far are:

  1. Flaky implementations (e.g. simply don't work very well, and often prevent the real users from getting in!)
  2. The actual security achievable in practice is far less than the initial impression given by the James Bond style tech. Because of this biometrics are generally preferred in organisations which either have very special environments (e.g. data centres) and/or organisations that are given to security theatre.

The reason for (2) is that any biometric system digitises some human characteristics, and the resulting bunch of bits is by definition not secret and eminently replayable. Thus one must trust the sensor and all the communications with it. This is almost impossible to achieve outside of a physically secure environment, and actually impossible to achieve without physically secure sensors.

Furthermore even given a physically secure sensor one has to be sure that the sensor is reliable against errors and impersonation attacks. For example a fingerprint sensor must be able to tell that the fingerprint it is reading is actually alive and attached to the person, and also not a fabricated replica :-)

frankodwyer
3

I work in the biometrics security field for a government contractor. I can't get into specifics of who uses our products and services for security and non-disclosure reasons; but it's used by a wide variety of government, military, law enforcement and private organizations.

We can provide SDKs so people can develop their own applications which interface via drivers to the hardware; or they can use our solutions for software along with the hardware.

There are many different forms of biometrics in both portable and stationary forms, all of which range from iris/retina scanning and fingerprinting to much more. (Again, sorry I can't go into details.)

PS - Ubuntu has biometric support built into it, but none of our customers use that, to my knowledge.

Ron
1

I'm not sure that any single person could answer this one - I get the sense that we all work in different industries, so there's probably no one right answer. I'd bet that if you hit the right niche, the answer is "of course, we use it everywhere" but many other industries would say "it's an interesting idea, but we don't use it."

I'm certainly in the "it's an interesting idea, but we don't use it" camp. I do a lot with PKI, but then that's my career. I've been in several cases where I've heard of biometric access controls in some other system that someone I knew used, but it always seems rare and far away.

bethlakshmi
  • I was expecting to hear from you "we use it everywhere"... defense/military is actually one area I *do* see it more. – AviD Apr 27 '11 at 23:28
  • 1
    @AviD - maybe I'm just not telling you! O_o Could easily be a case of personal bias. – bethlakshmi Apr 28 '11 at 13:45
1

If you are asking about "how many different techniques, such as fingerprint scanning, retina scanning, hand scanning, ear scanning etc.", then I think I named them all.

If you are asking how widespread the use of biometrics is, then I'd say "not much", mainly due to lack of uniform APIs that would work as a bridge between user applications and hardware. Each hardware vendor has its own set of APIs. There exists BioAPI, but it lacks some important (for programming) things such as lack of encryption mechanisms (simply answering "this person is 99,99% the one he claimed to be" is not enough in many scenarios).

However, with growth in demand for two-factor authentication, biometric solutions should gain a more important role, maybe via some scanners built into smart devices. But that's, I'd say, 2-3 years away from now (at least).

  • Well, you could also add typing cadence, voice etc. – Rory Alsop Apr 30 '11 at 19:44
  • @Rory Voice is far from working at the moment, and so is typing speed pattern. Those technologies are highly experimental and too unreliable for real-world use. – Eugene Mayevski 'Callback Apr 30 '11 at 20:00
  • @Rory, I think he covers those with "etc."... ;) – AviD May 01 '11 at 06:15
  • @Eugene, that is no longer the case - I've seen very good implementation of voice, and I'm working with a startup on typing patterns, which already works superbly. – AviD May 01 '11 at 06:17
  • @AviD are you talking about voice recognition or voice authentication? We are talking about security here, so the voice-based solution must distinguish the owners of the voice with high reliability. – Eugene Mayevski 'Callback May 01 '11 at 08:04
  • 1
    Voice authentication, of course. "High reliability" is relative, and while I don't think it hits 99%, it can give better results (depending on tuning, crossover, etc) than other common mechanisms. That said, I do agree that it's not quite "there" yet. – AviD May 01 '11 at 09:55
  • @AviD thank you for the number. For fingerprint authentication the numbers are 99,99% and higher (i.e. one failure in 10000 attempts or so). So voice is a bit behind in this aspect. That is why I called it "far from working" and didn't count it. – Eugene Mayevski 'Callback May 01 '11 at 16:06
  • @Eugene - that is why you can't use biometrics at all in many instances where you would want to use them: 99.999% accuracy is next to useless for identifying terrorists in airports for example, as the sample set is so huge. – Rory Alsop May 03 '11 at 19:08
  • @Rory, actually the problem there is that you can't "identify" terrorists. It's not like you have a specific list of names of the terrorists.... well, except for the TSA's No-Fly list... – AviD May 03 '11 at 19:19
  • @Rory biometrics indeed was not designed for such tasks, but works pretty well to protect access to mobile devices (and it's used this way eg. in HP EliteBook notebooks) or as a part of multi-factor authentication in many scenarios. – Eugene Mayevski 'Callback May 03 '11 at 19:22
  • @AviD - but you can't use biometrics to accurately identify *anyone* in a large enough group of people. – Rory Alsop May 03 '11 at 20:49
  • @Eugene - I agree it wasn't intended for most uses it is put to, but I have to say the HP notebook implementation is not good for protecting access. Very few fingerprint implementations are unless you can securely control the physical environment - which you can't with a laptop. As an addition to the usual username, password it helps, but typically people use it to replace the password. Not good. – Rory Alsop May 03 '11 at 20:52
  • @Rory, there are plenty of airports that *allow* passengers based on biometrics. Finding terrorists is a different story altogether... Though I agree it's flawed, I think it is actually a good idea there, even if accidentally - you shouldn't be *trying* to identify the passengers, you should be preventing guns/bombs/etc. Identifying the passengers is strictly in the interests of the airlines, to prevent ticket fraud, not terror attacks. – AviD May 03 '11 at 20:58
  • @AviD - nail on the head there. Fraud prevention :-) But it's sold as..... THE WAR ON TERROR (can you tell how cynical I am about airport security :-) – Rory Alsop May 03 '11 at 21:02
  • @Rory aah yeaah... join the club. Anytime I travel my wife is worried I'm gonna get myself locked up... But really, we should get some airport-related questions here.... cuz this comment thread has long gone off-topic :D – AviD May 03 '11 at 21:25
  • @AviD - good point. And as the 'security' proposal on Area51 looks to be failing I guess here is the only place where things will be discussed on that topic. Will try and think of some good questions. – Rory Alsop May 03 '11 at 21:32
  • @Rory as I often say, this site does not need to be purely technical - there is a lot of room for "risk analysis / management" type questions. As such, it makes a lot of sense to look at airports as a large system, that needs to be risk-managed. There is a lot in common - just ask @Schneier... ;) – AviD May 03 '11 at 21:36
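
The identification-versus-authentication point in tylerl's answer and the sample-size objection raised in the comments above, worked through as an added example (not part of any post on this page). It assumes independent comparisons and reads the "99,99%" and "99.999%" figures quoted in the comments as false match rates; the function names, the one-in-a-million prevalence and the 4-digit PIN are constructed for illustration.

```python
import math

def p_any_false_match(fmr, gallery_size):
    """1:N identification: chance that at least one of N enrolled templates
    falsely matches the probe, assuming independent comparisons."""
    # 1 - (1 - fmr)**N, written with log1p/expm1 to stay accurate for tiny fmr
    return -math.expm1(gallery_size * math.log1p(-fmr))

def gallery_for_probability(fmr, target):
    """Smallest gallery size at which a false match is at least `target` likely."""
    return math.ceil(math.log1p(-target) / math.log1p(-fmr))

def posterior_true_hit(fmr, fnmr, prevalence):
    """Screening: P(subject really is a listed person | system reports a match)."""
    true_hits = (1.0 - fnmr) * prevalence
    false_hits = fmr * (1.0 - prevalence)
    return true_hits / (true_hits + false_hits)

def p_impostor_accepted(fmr, p_second_factor_guess):
    """1:1 verification against a claimed identity plus an independent
    second factor: both must be passed, so the probabilities multiply."""
    return fmr * p_second_factor_guess

if __name__ == "__main__":
    FMR = 1e-4  # assumption: "99,99%" from the comments read as a false match rate
    for n in (1, 1_000, 10_000, 1_000_000):
        print(f"gallery {n:>9,}: P(false match) = {p_any_false_match(FMR, n):.4f}")
    print("50% false-match gallery size:", gallery_for_probability(FMR, 0.5))
    # Constructed screening case: 1 listed person per million, 99.999% accuracy
    print("P(real hit | alarm):", round(posterior_true_hit(1e-5, 0.0, 1e-6), 4))
    # Constructed second factor: a 4-digit PIN guessed at random
    print("impostor passes both factors:", p_impostor_accepted(FMR, 1e-4))
```

The same matcher that rarely errs when checking one claimed identity produces a false match more often than not once it searches a gallery of a few thousand templates, which is why the deployments described here pair the biometric with another factor instead of using it to pick the user out of the whole population.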
1

The most consistent biometrics implementation that I see is for datacenters. Aside from a smaller lab, all the datacenters that I have dealt with require some level of biometrics, mostly hand scanners.

Again, this is purely my experience. Other than that, biometrics seem to be underutilized in the corporate environment. I think it would be amusing to see how many people jump on the biometric bandwagon if there was some integration into LDAP or AD (wait... is there?).

Ormis
1

One thing I didn't see mentioned is using fingerprint scanners to prevent time-clock fraud. This has significant takeup with some of the largest players in retail and timekeeping adopting it. I'm not sure of the actual percentage but I've seen them all over the States. The vendors' argument is that they prevent thousands to tens of thousands in time-clock fraud a year vs what they cost. They work reliably enough in practice, so I'd say it's one of few success stories for biometrics.

Nick P