As Indian organisations search for more secure authentication methods, biometrics is slowly being perceived as a frontier technology. And though the industry is still evolving and emerging, the use of biometrics can greatly enhance security measures.
Hollywood action thrillers like Mission Impossible, Minority Report, and the James Bond flicks portray savvy men who constantly seem to easily break into the best security systems in the world, sometimes discouraging even the most ardent technologists in their endless quest for the perfect security device. In real life it’s not so easy a task. Especially with the rapid advances taking place in the biometric security space.
According to an International Biometric Group market report, biometric revenues grew from $399.4 million in 2000 to $523.9 million in 2001 and are expected to touch $1.9 billion in 2005. Till now, fingerprint and face recognition have been the high-growth areas, thanks to the rapid adoption of e-commerce and the increasing usage of security-enabled applications worldwide. The events of 9/11 in the US have also served to wake the world out of a lackadaisical attitude towards security. The perception is that as technology matures and prices of devices come down, more and more security applications will become biometric-based.
However, biometrics vendors still do not have a clear picture of the market and differ in their views regarding growth rate in this market. Pradeep Bhatia, managing director, BioEnable Technologies, feels that the nascent market today is worth only around Rs 100 crore with a growth rate close to 70 percent. But Girish Podar of Jaypeetex Engineering differs. “Though no independent market analysis has been done so far, based on the growth rate of individual players one can say that we are witnessing a growth rate of more than 250-300 percent,” he says.
Podar’s assumption would make the Indian biometrics market worth close to Rs 500 crore by 2005.
There are two kinds of biometric technologies globally available today, namely physiological and behavioural. The commonly used physiological biometrics include fingerprint, face, iris, retina, palmprint and hand geometry recognition. Traits like signature, voice, keystroke pattern and gait recognition, which are more to do with recognising the unique behavioural characteristics of an individual, constitute behavioural biometrics. Abhay Khinvasara, CEO and president, Axis Software, explains that behavioural biometrics, involving the incorporation of time as a metric, is commonly used for physical access, virtual access, time attendance, criminal and civil identification and e-commerce transactions. Many of these technologies including fingerprint, iris, face, voice, hand geometry and keystroke pattern recognition are currently available in the Indian market.
Still infant in India
Even India, with its fatalistic attitude and reluctance to adopt new technology, is slowly realising the power of biometrics in providing security. Both the private sector and the government are on a fast-acceptance mode, and it might not be long before all password and card-based systems currently in vogue get replaced with biometric devices. The otherwise reticent government sector has been enticed by the convenience and near fool-proof security biometrics can provide in mass applications like passports, voter ID cards, public distribution system and law enforcement, and is therefore already conducting a host of pilot projects in these areas.
Though fingerprint recognition devices are the current hot favourites in the market, Podar feels that iris scan will soon emerge as the market leader. According to him, iris scan has not caught on as expected because of the high costs involved. The technology is also not perfected as yet. But it offers greater accuracy and is far harder to replicate than any other technology available in the market at this point of time.
Fortunately for India, the front-end applications are now becoming more user-friendly than the earlier systems. The supporting hardware too is maturing. The space requirement for fingerprint and palm scanners has also come down significantly. Even back-end integration with existing Public Key Infrastructure (PKI) and other encryption systems has seen dramatic improvements.
Lack of infrastructure
The basic problem faced by most organisations in implementing a robust biometric security system in India has been that of infrastructure. An enrolment template—a highly distinctive file created from the features of a user’s biometric samples—is created when a user initially interacts with the system. This template is stored for usage in future biometric comparisons. But during subsequent verification attempts more templates are created. The infrastructure problem creeps in when one needs to store all these templates in the system. In the case of access control to sensitive areas it becomes important to store all these templates in a database. Since these files are huge, storage becomes an expensive proposition, especially for smaller organisations.
Privacy conundrum
As the template represents the user’s personal characteristics, its storage raises privacy issues. Many people contend that facial recognition presents an invasion of personal privacy. But biometric authentication technologies actually increase personal privacy by allowing users to maintain their identities across disparate locations. While it is true that the system allows an administrator to keep a tab on the activities of individual users, the technology also allows bonafide users to efficiently assert their identities and obtain immediate access to resources without compromising personal privacy.
The actual threat to privacy arises from the likelihood of an unauthorised user gaining access to the template database. This person can then use information so gained, and link it with other data to obtain a profile of the individual and use it for purposes other than that for which it was actually meant.
However, privacy is still not a contentious issue in India. Says Podar, “One reason for this is that Indians are still not very aware of these issues. Privacy should be respected but it should not be carried too far.” Adds Parikh, “To some extent the industry has to be blamed for positioning biometrics as a surveillance application. We need to change this image and make people aware of the positive aspects of the technology. In certain areas the use of biometric technologies can invade privacy and this cannot be avoided. But we have put safeguards in place, which reduce this likelihood to a large extent. The understanding about the product is very low. Most people still think that fingerprints are only used for forensic purposes and that once your fingerprints are scanned you can get into trouble later on.”
Furthermore, storing the template in a centralised database makes it subject to attacks and possible compromise. The solution to this, Parikh believes, lies in creating a biometric trust infrastructure, a sort of central database which ideally is maintained by the government. This would allow users to move across disparate locations and also maintain their security clearance. However, prohibitive costs and logistics issues make this a pipe dream in India for now. The first step, though, seems to have been taken, with the government having mooted a plan to devise a card for each and every citizen carrying all their individual data. Not only will this card have information on PAN, ration card number, etc., it will also have facial features and fingerprint scan of every individual. TCS has already been entrusted with developing a prototype for this project.
Also, compared to other security devices like smart cards, biometric devices are highly expensive, mainly because of high import duties. Says Nilesh Parikh, managing director, Print Electronics Equipments, “Though import duties have come down from 250 percent in 1999-00 to almost 40 percent, at times we still end up paying more than 70 percent.” Though fingerprint recognition currently enjoys almost 90 percent of market share, even these devices cost up to Rs 2 lakh depending on the features included. To overcome this problem Axis is designing its own fingerprint scanner, which will be out in the market shortly. Even Jaypeetex has developed its own fingerprint scanner, which is expected to hit the market in the next two months. Christened Scan 4000, the device is expected to reduce prices significantly.
Exorbitant price tag
So far no biometric hardware is being manufactured in India. Most of it is imported from the US, Germany, Israel or China. Some of the smaller players prefer to import it from China, as the equipment cost is one-third of that imported from the other countries. But Parikh feels that the equipment imported from China is of inferior quality and more often than not these systems fail. Because of such incidents people who are interested often lose their faith in the technology.
According to Parikh, even CTOs and CIOs of large corporates are not exactly sure of the technology. People often confuse biometrics as being part of the pharmaceutical and life sciences industry. Moreover, to optimise potential, biometrics has to be coupled with certain allied technologies like encryption and smart cards among others. The absence of a secured framework restricts usage of biometrics to certain segments only. Presence of proper infrastructure will also help in giving a legal face to biometrics systems.
Absence of standards is another bottleneck for the Indian biometrics industry. If an organisation buys a scanner from one vendor it is practically impossible to migrate to another software application system without going in for a new device. This is not very cost efficient even if the new device provides better facilities. Axis is currently developing a standard device interface, which is independent of the hardware being used. This is expected to ease the migration from one system to another, and also save on the costs of installing a new system. Raghu Raman, practice head with the special services group of Mahindra Consulting, feels that standardisation is required at the level of communication between the outer unit, the scanner and the core unit, the database. “In future most biometric products are going to depend on wireless technology for communication between the access device and the database where the verification takes place. This is going to be a weak link. Technologists should focus on fool-proofing or encrypting communication between the two areas.”
However, Podar believes that the lack of a single standard is actually beneficial. “Standardisation would entail putting up the nitty gritty of the technology for public consumption. Even criminal elements can get hold of the technology, identify the flaws and devise ways and means to break into systems,” he feels. But the industry is still far from reaching a consensus on the standardisation issue. Most vendors expect to see a standard emerging in the next 2-3 years.
Absence of standards for storage of biometric templates, transport of the templates, usage of encryption technologies, and industry-wide standards for usage of biometric authentication are some of the other factors slowing down the adoption process. The unanimous concern of the vendors is that neither the public sector nor the private sector is taking any proactive initiatives in the promotion of R&D of biometrics in institutes.
Can the system be defeated?
Though most biometric vendors claim otherwise, the fact remains that every biometric system developed can be circumvented. Biometric accuracy rates are measured either through false-acceptance rate or through false-rejection rate. Both these methods depend on the system’s ability to allow limited entry to authorised users. Some systems reject a modest percentage of users as a by-product of extremely high security requirements. Khinvasara of Axis Software lists some types of attacks that can take place. These include:
Man in the middle attack: Here the template is stolen while it is on the network being used for registration or authentication, and the attacker then tries to reuse it to authenticate falsely.
Playback attack: A biometric template that has been used for some transaction is obtained and the attacker tries to reuse it to gain access.
It cannot be stated with absolute certainty that images cannot be rebuilt in some fashion. The rebuilt images may be a poor likeness, but it is possible that some features can be reverse-engineered with access to vendor source code.
Despite its faults, most players agree that compared to other existing security systems, biometrics offers maximum protection. Says Podar, “It is true that the system is not completely foolproof. But other than physically disabling the system it is practically impossible to get around it.” Adds Parikh, “Every biometric can be defeated if one allows sufficient amount of time, money and attempts. Employing biometrics increases the security levels to such an extent that more often than not the cost of penetrating the system does not justify the rewards.”
It is possible to vary the security levels depending on person to person, and from transaction to transaction, through a process called “dynamic thresholding”. Based on the security clearance of the person depending on his/her personal and professional profile, this automated process adjusts the levels of security for each user.
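The trade-off between false acceptance and false rejection, and a threshold that moves with the sensitivity of the transaction, can be shown in a few lines. This is an added illustration, not code from any vendor quoted here; the match scores, tier names and target rates are constructed, and picking the threshold from a per-tier false-acceptance target is an assumption about how "dynamic thresholding" could be implemented.

```python
# Added illustration: FAR/FRR and a per-transaction ("dynamic") threshold.
# Every score, tier name and target below is constructed for this example.

# Matcher similarity scores in [0, 1]; higher means a closer match.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.93, 0.70, 0.89, 0.97, 0.82]
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.66, 0.19, 0.52, 0.80, 0.30, 0.45]

# Hypothetical policy: highest false-acceptance rate tolerated per tier.
MAX_FAR = {"canteen_door": 0.20, "server_room": 0.10, "funds_transfer": 0.0}


def far(threshold, impostor=IMPOSTOR):
    """False-acceptance rate: share of impostor attempts that would pass."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False-rejection rate: share of genuine attempts that would fail."""
    return sum(s < threshold for s in genuine) / len(genuine)


def dynamic_threshold(tier):
    """Lowest threshold (0.01 steps) whose FAR meets the tier's target.

    Taking the lowest qualifying threshold keeps FRR as low as the
    security target permits.
    """
    target = MAX_FAR[tier]
    for step in range(0, 101):
        t = step / 100
        if far(t) <= target:
            return t
    raise ValueError("no threshold meets the target for tier %r" % tier)


def decide(score, tier):
    """Accept or reject one match score under the tier's threshold."""
    return score >= dynamic_threshold(tier)


if __name__ == "__main__":
    for tier in MAX_FAR:
        t = dynamic_threshold(tier)
        print(tier, "threshold", t, "FAR", far(t), "FRR", frr(t))
```

On this constructed data the strictest tier admits no impostor but turns away two of ten genuine attempts, which is the by-product of high security requirements described above.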
But Raman opines that when people think of biometric security, it is limited only to cracking the system by replicating a fingerprint or the biometrics of an authentic user. “Experienced attackers would not focus on trying to replicate a fingerprint or an iris or a retina. The weak link is not the scanner or the outward unit. All an attacker has to do is change the programming at the core unit and he will have easy access to the system,” he feels. The only way to avoid this is by increasing the level of security at this level, as according to him it is practically impossible to replicate the fingerprint or iris of an individual.
But many systems offer fallback authentication, either through a live operator, a password, or another biometric method. Many players are going in for a combination of two or more technologies such as smart cards and encryption to handle the man in the middle attack and the playback attack. While biometrics is concerned with user authentication, smart cards deal with storage and portability of data, and encryption with data security and privacy. Usage of biometrics in smart cards also solves the problem of storing templates. The user’s fingerprints and details are encrypted on the card. Authentication is done after matching the template on the card with the user’s biometrics. Security is higher as individual users control their own template.
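One way the link between scanner and core unit can be protected against the playback and man in the middle attacks listed earlier is a one-time challenge bound to each submission. The sketch below is an added example, not any vendor's protocol; the shared device key, class and function names and the template bytes are assumptions. It covers freshness and integrity only, so the link would still need encryption for confidentiality.

```python
import hashlib
import hmac
import secrets


class CoreUnit:
    """Verifier side: issues one-time challenges and checks responses."""

    def __init__(self, key):
        self._key = key
        self._pending = set()  # challenges issued and not yet used

    def challenge(self):
        nonce = secrets.token_bytes(16)  # fixed length keeps nonce+template unambiguous
        self._pending.add(nonce)
        return nonce

    def accept(self, nonce, template, tag):
        # Each challenge is good for one attempt: consume it before checking.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        expected = hmac.new(self._key, nonce + template, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def scanner_response(key, nonce, template):
    """Scanner side: bind the fresh sample to the core unit's challenge."""
    tag = hmac.new(key, nonce + template, hashlib.sha256).digest()
    return nonce, template, tag


def demo():
    key = secrets.token_bytes(32)             # constructed shared device key
    template = b"constructed-template-bytes"  # stands in for a real template
    core = CoreUnit(key)

    msg = scanner_response(key, core.challenge(), template)
    first = core.accept(*msg)    # fresh, untampered submission
    replay = core.accept(*msg)   # identical bytes sent a second time

    nonce2 = core.challenge()
    _, _, tag2 = scanner_response(key, nonce2, template)
    altered = core.accept(nonce2, b"substituted-template", tag2)  # changed in transit
    return first, replay, altered


if __name__ == "__main__":
    print(demo())
```

A message that passes this check would then go on to template matching as usual; the check only establishes that the sample came from the enrolled scanner for this specific request.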
The adoption of biometrics is still dismal in India, mainly restricted to defence establishments and a handful of IDCs. Most vendors were relying on the banking sector to be big clients, but the market has not seen much growth from that area. The general lethargy amongst banks towards adoption of new technology seems to be the prime reason for this. However, increasingly visible security breaches will prompt Indian organisations to incorporate biometrics to reassure customers. For internal IT security, similarly, an increased emphasis on best security practices will lead to a revision of authentication processes, currently one of the areas more susceptible to intrusion. It’s quite likely that all kinds of cards, PINs and other security systems will gradually be upgraded to biometrics. And the day may not be far off when biometrics will become the most preferred mode of security measure for India Inc.
This article first appeared in Express Computer.