biometrics

Biometrics uses personal characteristics to identify users. When it comes to
security, mapping unique patterns and traits in fingerprints, irises or voices
is considered light years ahead of forcing employees to memorize combinations of
letters and numbers -- which are easily compromised and easily forgotten.

The technology works by taking measurements -- whether it is the weight and
length of bones in the hand or the pattern of blood vessels inside the eye or
the pattern of fingerprints -- and then storing the specifics, often called
minutiae, in a database. When a user scans a hand or retina, the new mapping is
compared with the stored data. Access is either granted or denied based on
matching patterns that are unique to each individual. It's that ability to
identify someone based on unique physical traits that is driving biometrics into
the corporate enterprise. As more high-priced transactions are conducted over
the Internet, businesses increasingly need ironclad authentication of someone's
identity. Add to that the increasing number of in-house security breaches and
corporate espionage, and you'll find network and security administrators
grappling for a better way to secure information from unauthorized eyes.
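
An added example, not part of the original article: a simplified sketch of the store-then-compare step described above, showing that a match is a tolerance-and-threshold decision rather than an exact comparison, which is why a scan that misses some minutiae can be denied. The tolerances, threshold, user name and sample minutiae are constructed assumptions, and scans are assumed to be already aligned.

```python
import math

DIST_TOL = 6.0      # max position difference in pixels (assumed value)
ANGLE_TOL = 15.0    # max ridge-direction difference in degrees (assumed value)
THRESHOLD = 0.75    # fraction of minutiae that must pair up (assumed value)

def angle_diff(a, b):
    """Smallest absolute difference between two angles in degrees."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)

def match_score(template, probe):
    """Greedy one-to-one pairing of probe minutiae with stored minutiae."""
    unused = list(template)
    paired = 0
    for (px, py, pa) in probe:
        best = None
        for m in unused:
            dist = math.hypot(px - m[0], py - m[1])
            if dist <= DIST_TOL and angle_diff(pa, m[2]) <= ANGLE_TOL:
                if best is None or dist < best[0]:
                    best = (dist, m)
        if best is not None:
            unused.remove(best[1])
            paired += 1
    return paired / max(len(template), len(probe), 1)

def verify(database, user, probe):
    """Return (granted, score); unknown users are always denied."""
    template = database.get(user)
    if template is None:
        return False, 0.0
    score = match_score(template, probe)
    return score >= THRESHOLD, score

# Constructed sample data: (x, y, ridge angle in degrees)
ENROLLED = [(30, 40, 10), (55, 82, 95), (70, 25, 180), (90, 60, 270),
            (110, 95, 45), (125, 30, 330), (140, 75, 135), (160, 50, 220)]
DATABASE = {"alice": ENROLLED}

# Same finger, rescanned: every point shifted slightly by sensor noise
RESCAN = [(x + 2, y - 1, (a + 5) % 360) for (x, y, a) in ENROLLED]
# Same finger with an abrasion: three minutiae not detected
ABRADED = RESCAN[:5]
# A different finger
OTHER = [(20, 90, 200), (48, 15, 60), (77, 70, 300), (98, 20, 120),
         (115, 55, 250), (133, 88, 15), (150, 35, 80), (170, 90, 160)]

if __name__ == "__main__":
    for name, probe in [("rescan", RESCAN), ("abraded", ABRADED), ("other", OTHER)]:
        print(name, verify(DATABASE, "alice", probe))
```

Lowering the threshold would admit the abraded scan but also makes it easier for a different finger to pass, so the setting trades false rejections against false acceptances.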

Until recently, the problem with biometrics has been its staggering cost. But
prices have dropped by 80% to 90% in the past two to three years. A boom in
research and development has produced quality improvements and price reductions.
A stand-alone fingerprint reader might have cost anywhere from $2,000 to $3,000
two years ago, but now it can sell for less than $100.

Analysts say fingerprint scanning is the top biometric in terms of mind and
market share, with hand geometry coming in second, followed by face and iris
scanning.

There's a growing crop of biometrics vendors expanding the market and pushing
what was once technology solely aimed at forensics and government security into
the enterprise market. Companies such as Identix of Sunnyvale, Calif., Veridicom
of Santa Clara and Key Tronic in Spokane, Wash., are taking biometrics
corporate.

And they're catching the eye of industry giants like Compaq, which is
embedding fingerprint scanners into keyboards and laptops.

The city of Oceanside, Calif., is well beyond the initial testing phase when
it comes to using fingerprinting to authenticate users. With 90% deployment,
Michael Sherwood, director of the city's IT department, says the city is already
saving $30,000 to $40,000 per year, and the IT department has been unshackled
from password torments.

"Password-related calls made up about 25% of the calls coming into our
help desk," says Sherwood, who started using fingerprinting technologies
from Identix about a year and a half ago. "And we figure each one of those
calls cost us $20 to $50, factoring in that a field technician has to be
dispatched to make sure the password is delivered to the right person, not
someone posing as that person."

Then there's the call to check back with the user to make sure everything is
OK, plus the user's downtime while he is waiting for help.

"We have so many different systems, and each system has its own
security," Sherwood says. "You need a password to log on in the
morning and another password to get to certain files and then another password
for financial applications, for example. And then you figure that people have to
remember their ATM PIN number, their home security PIN, the security code for
their cars and their cell phones. It's just all too much. We had to simplify
that."

And looking at Oceanside's help desk statistics, it seems they've succeeded.
Sherwood says the IS department has only received 10 calls for assistance with
the fingerprint scanners since Oceanside started using them in 1998, and most of
the problems can be traced to dry skin or small abrasions that inhibit the
scanner's reading.

"Our security administrator isn't spending his whole day patrolling
passwords now. He's looking at bigger security issues," Sherwood says.
"We spent about $170,000 on the system, and we figure we'll recoup all of
our investment in two years."

Analysts support Sherwood's numbers, citing that calls about forgotten and
changing passwords are a major drain on most help desks. They say it shouldn't
come as a surprise, because the average user has to remember four to eight
different strings of characters, and is supposed to change them every 30 to 60
days. Just getting employees not to use their own names, nicknames or birthdays
as their passwords is a major IS headache.

An issue of privacy

While biometrics offers tighter security than passwords, industry watchers
warn that the technology poses its own set of threats (see Face-off on the issue
of biometrics and privacy).

"The ugly truth is if you're storing people's fingerprints in a
database,