Biometric authentication: the key to keeping businesses and users happy?

Fingerprint and barcode

Even when there isn't a scare about whether hardware tokens like RSA's SecureID might have been compromised, two -factor authentication still means a physical device your users can lose as well as a password they can forget. Biometric authentication is more convenient - it's hard to leave your finger or voice at home. It's also potentially more secure employees are less likely to log someone else in with their own biometrics unless there's a serious threat to their safety, which is a different problem entirely.

Fingerprint-based biometric solutions are the most common form. Many business laptops and keyboards have a fingerprint reader built in that you can use for federated single sign-on to enterprise apps as well as just logging into Windows and saving passwords for websites. Fingerprints can be used as an additional security measure that doesn't interrupt what the user is doing the way having to swipe a token or smartcard again does. If you want to make bankers re-authenticate to authorise a stock trade over a certain level, you need to do it quickly enough that the trading situation doesn't change.

Other systems scan vein patterns in the finger (Hitachi) or the palm of the hand (Fujitsu). They can still recognise a user if they have a cut on their finger - dirt and antibacterial hand gel also cause problems for fingerprint readers in industrial locations - but you'll need to buy, install and integrate them. Having users register a couple of fingers on each hand is usually enough to avoid the issue in a business environment.

Facial recognition and iris scans still tend to be either too unreliable or intrusive for general use and voice print recognition has some interesting applications, especially for customer-facing operations that have the scale to make the cost and complexity of implementation worthwhile. But the majority of biometrics in use today involves fingerprints for PCs and many other devices.

Every prescription written in the state of Ohio requires strong authentication and one of the popular methods is fingerprint recognition. That's carried out on the PC but adding fingerprint authentication to printers means confidential documents won't be sitting waiting on the printer for anyone to pick up as they walk past, and swiping a finger is less irritating for the kind of senior staff who need to print such documents rather than having to remember a PIN or token. You'll need to integrate this with a document security system. As an example, Ricoh recently added a fingerprint option (for both new and already installed printers) that works with Equitrac document protection software and BioStore's identity management system.

Biometrics aren't just useful for protecting confidential data. Construction firm Killby & Gayford is using custom fingerprint readers (built for personnel management software supplier Simeio by Psion) that also record a signature. That means the firm can accurately log hours worked by sub-contractors on building sites and automatically generate invoices, as well as proving that workers have read the safety rules for each site and simplify checking the roll call if there's an emergency. Using the information to generate accurate invoices has avoided concerns about spying on staff by showing the system is useful to everyone. But, equally, productivity has improved too.

Convenience is a big part of the attraction for healthcare, along with security and compliance. "A doctor logs on and off 20 or 30 times a day," points out David Ting, the chief technology officer (CTO) of Imprivata. "If I only need to log in occasionally, I'm prepared to put up with any login method. But if I have to do this repeatedly, give me something that is secure enough but at the same time make it easy for me."

Retailers and restaurants are increasingly deploying biometric point of sale (POS) terminals to improve productivity, especially in situations where there are a lot of cash sales and temporary staff the usual alternatives of video surveillance and analysing transactions tend to be expensive, time consuming and don't make employees feel personally accountable.

Tokens are easy to pass back and forth between staff (and expensive to replace if an employee takes one when they leave) and passwords need to be reset regularly because of staff turnover. In addition to recording hours worked more accurately, the accountability of biometrics discourages unauthorised transactions or outright fraud. Hospitality businesses often see a return on investment in as little as 30 days. It also helps the business comply with PCI regulations for handling credit cards, which include giving each employee a unique ID.

Many cash registers let you connect a fingerprint reader as an internal module or a peripheral. Hertfordshire pub chain Giant Macaskills recently installed Unipower's touchscreen Bar POS system in its bars and Unipower integrated Digtial Persona U.are.U fingerprint readers into the terminals. DigitalPersona has a OneTouchfor Windows SDK that simplifies adding biometrics to existing apps, and the DigitalPersona Pro server is available both as a workgroup system that supports authentication through a web service without Active Directory (AD) or requiring devices that are connected to a domain.

There's also an enterprise version that integrates with AD by extending the schema, which can be centrally managed through group policy along with the rest of your systems. That means businesses can set the same identity and authentication system in the retail environment and the back office for invoicing and accounting. German bank Sparkasse has recently used the DigitalPersona system to move all internal users to biometric authentication for Windows as well as hundreds of applications.

The alternative is an appliance like Imprivata's OneSign which works with identities from AD and LDAP. You need to deploy agents to PCs and set up policies to enforce biometrics but you don't have to make any changes to the directory infrastructure or AD schema, which some companies find disruptive.

Fingerprint and hand biometrics have another advantage; you can use them for access to more than PCs and devices. A unified authentication and access control system lets you limit entry to specific areas, or if you want to use contextual security that stops a user logging into a PC if they haven't actually been registered as coming through the door into that area.

That's also handy if someone tries the common trick of setting off a fire alarm to empty the building so they can get access to corporate PCs - people don't always stop to log off when they think there's a fire. A system like Overtis that links your physical security system to biometric access controls on computers will automatically lock them down in the case of an alarm sounding.

Voice biometrics are useful for remote authentication, like adding a level of security to self-service password resets - and with the spread of smartphones you can do it without the cost of buying devices like fingerprint readers.

HTK's Horizon Password Reset service, for example, only accepts calls from approved numbers and uses voice verification with pre-enrolled pass phrases. There are also fall back options of PINs and text messages for approval. It's a hosted solution that HTK can customise to integrate with AD or LDAP and the company is working on out-of the box integration.

Estimates of the IT cost to manually reset a password range from 30 per password to 92 per user per year depending on your environment. If you use fingerprint biometrics, you can avoid having a password to reset altogether.

If you want to try something much more experimental that could become mainstream fairly quickly, the Mobio project at the University of Surrey has facial and speech recognition apps for the iPhone aimed at improving security for consumers. Some call centres are also looking at using voice recognition to avoid fraud. ValidSoft can confirm user identity from a voice print and also confirm their location from the mobile phone mast they're connected to.

Although it takes greater investment in the backend systems, one advantage of voice biometrics is your users almost certainly already have smartphones you can use instead of having to buy dedicated hardware. This makes it a more acceptable choice for services as well.

"As smartphone ownership becomes more commonplace we're likely to see biometrics being deployed through these devices," said Alex Bazin, head of biometrics at Fujitsu. "This will most likely be using voice biometrics to secure access to cloud-based services."

Historically, biometric progress has been hindered by integration complexity and cost. There's also a psychological issue around storing and tracking users with such personal information.

But systems don't need to store live biometric data that could be retrieved and misused. Instead they store a detection pattern that the fingerprint is compared against which can't be used to generate a copy of the fingerprint. The database of that information should be stored in a secure and encrypted manner.

The way that the fingerprint recognition is presented has a big impact on how users feel about it. "If you have a system that shows a live video of their fingerprint users tend to bristle because it draws attention to the privacy issue," added Ting. For many users, as long as your system is set up in a secure and privacy respecting way and the authentication doesn't feel intrusive, the convenience of biometrics will more than outweigh any concerns.

Biometrics isn't the solution to every problem though. Sometimes it's overkill and you'll want a system that allows a mix of authentication methods. And it's down to businesses to decide what they want to achieve, according to Ting.

"You need to decide if your goal is to be ultra secure or to get a combination of security and productivity or just to make it more convenient," he added. "You have to think through what you're trying to secure. What is the impact on my user, what is the impact on my IT department?"

With increasingly simple and inexpensive biometric solutions, even small businesses look set to benefit. Once set up, a biometric-based solution gives you secure authentication with little on-going management, according to Benjamin Boulnois of DigitalPersona.

"If you have a 200 person company the IT manager has to be a jack of all trades. The question they ask is How do I do data security easily?'" he said.

"The average IT manager has 11 minutes of spare time a day. These are people whose job is not to be in security."

Mary Branscombe

Mary is a freelance business technology journalist who has written for the likes of ITPro, CIO, ZDNet, TechRepublic, The New Stack, The Register, and many other online titles, as well as national publications like the Guardian and Financial Times. She has also held editor positions at AOL’s online technology channel, PC Plus, IT Expert, and Program Now. In her career spanning more than three decades, the Oxford University-educated journalist has seen and covered the development of the technology industry through many of its most significant stages.

Mary has experience in almost all areas of technology but specialises in all things Microsoft and has written two books on Windows 8. She also has extensive expertise in consumer hardware and cloud services - mobile phones to mainframes. Aside from reporting on the latest technology news and trends, and developing whitepapers for a range of industry clients, Mary also writes short technology mysteries and publishes them through Amazon.