By Andy McCue, 16 February 2006 16:00
Iris and fingerprint-scanning technology will replace passwords and PIN numbers as the long-term answer to identity management problems, according to UK IT chiefs.
An overwhelming majority of IT bosses - 11 out of the 12-man silicon.com CIO Jury IT user panel - predicted biometrics will overcome the current technical and standards issues to be a more user-friendly and secure alternative to passwords.
Kevin Fitzpatrick, CTO at Manpower, said: "As a user of an IBM fingerprint protected laptop, I am a convert. It provides quick and secure access. The advantages of biometrics are for truly mission critical security and/or ease of access. When these apply we will see growth."
Biometrics will replace passwords in many institutions in the next 18 months via fingerprint recognition for authenticated sign-on and via iris and facial recognition for physical building access, according to Graham Yellowley, director of technology at Mitsubishi UFJ Securities International.
He said: "Bloomberg have already deployed a biometric keyboard to authenticate users and many institutions are looking at implementing fingerprint recognition to provide a fully authenticated sign-on, though this will not be the single sign-on that most firms are aspiring to."
Mark Devine, IT director at ACCA, said: "It is generally accepted that technology will deliver a useable quad-band/G3/PDA/television/MP3 that works in the jungle or the desert and is also waterproof to 200m. Given this level of micro-electronics and processing ability is there any doubt that current issues with biometrics will be overcome? Thereafter, like most pervasive technology, it's a matter of cultural resistance."
Paul Broome, IT director at 192.com, said biometrics are preferable to Bill Gates' vision that Microsoft will aggregate a user's passwords and account information with a new product called InfoCard.
Broome said: "Yet more mirth from Microsoft regarding security - we will trust them to roll up and hold all our passwords? It's more secure writing them on your shirt cuffs."
A slightly more sci-fi vision of a biometrics future was painted by Nick Clark, director of IT services at Tower Hamlets College.
He said: "In the longer term I expect identity will be via an implant, and we will be connected permanently to the net. I don't mean a Borg collective consciousness as we will all be individuals. It's going to be just like the mobile phone, creeping into our lives until we think we can't do without it and so won't even think of disconnecting."
But Neil Hammond, IT director at British Sugar, said he favours existing identity management technology over the "Hollywood glamour factor" of biometrics.
Hammond said: "I can't see biometrics replacing user ID and password as the basic mechanism for routine security because that is easy to set up and administer. For more secure identification I still see the tried and trusted Secure ID token as the preferred mechanism for a while yet."
Today's CIO Jury was...
Paul Broome, IT director, 192.com
Nick Clark, director of IT services, Tower Hamlets College
Colin Cobain, IT director, Tesco
Mark Devine, IT director, ACCA
Michael Elliot, IT director, Hasbro
Kevin Fitzpatrick, CTO, Manpower
Mark Foulsham, CIO, eSure
Neil Hammond, IT director, British Sugar
Rory O'Boyle, head of IT, The Football Association
Jacques Rene, director of IT and projects, Airclaims
Davesh Shukla, head of IT, London City Airport
Graham Yellowley, director of technology, Mitsubishi UFJ Securities International
If you are a CIO, IT director or equivalent at a large or small company in the private or public sector and you want to be part of silicon.com's CIO Jury pool, or you know an IT chief who should be, then drop us a line at editorial@silicon.com



Comments
There are 9 comments.
1. Jeremy Wickins MA LLB
This is very worrying. CIOs are supposed to be reasonably tech-savvy, but so many of them trust the cheap fingerprint scanners on a computer. Even relatively expensive ones are set by default to give as few false negatives as possible - there are plenty of stories out there about how easy it is for these things to be defeated, either by the correct user using a different finger, or the wrong user using the right fingerprint (they are not difficult to get hold of - we leave them all over the place!), or, in some cases, the user with the wrong fingerprint.
Iris scanning seems to be more secure at the moment (though far from undefeatable), but that is possibly because there are not as many scanners in the wild yet, and there have been fewer opportunities to find out how to defeat them.
Okay, nothing is totally secure - any sensible person has to agree with that - but biometrics do seem to be the fool's gold of the security world: very pretty, but essentially worthless.
2. John Stewart
The fundamental problem with biometrics is that you need a compatible reader at every point that a user wants to log in. We all want to use many different access devices during a day - laptop, PDA, Home PC, Internet cafe - and there is no practical way that there will be the same biometric reader installed on every device.
So tho' biometrics will probably happen in applications where access is tied down to specific access - in the world where users demand "Anywhere Access" to their data from any device - biometrics just won't happen. It's the same reason that smartcards are just not happening.
The only authentication credentials that we will be able to use are those that can be used at ANY access device - namely a password, a One-Time passcode (eg as generated on a SecurID token) - or, possibly, a generic USB device that the user carries.
3. Simon
Hmm, same old stuff - the technology will allow it, therefore we should !
What I've still to hear an answer to is the simple question of : "WHEN the biometric data is compromised, how do you revoke and change it ?"
I can change a password, I could carry a new token, but I'm sure as hell not going to change my fingerprints or iris !
4. Richard Sarson
"smartcards are just not happening", says John Stewart. Isn't an Oyster card a smart card? Or a chipnpin card?
OK, in the UK and USA, they have hardly taken off, because they were not invented here, but cross the channel and they have been pervasive for 20 years or more, in banking, transport, health care, insurance, and, dare I say it, ID cards.
Or is my definition of smart card different from John's?
5. Mark SPLINTER
all the people you asked will make more money and get bigger budgets if biometrics are adopted.
to suggest a secure identity system is as technologically easy as a wireless mp3 player shows how little these people really know about the world beyond their bubble.
6. Mike
Locksmiths know that there is no such thing as a totally secure lock! Similarly, there is no such thing as a totally secure system.
The trick is to stay one step ahead of the crooks and to slow them down enough that they get caught. But it is never 100%.
The weak link is always the human factor. Either, they get lazy and don't follow the procedures or they get corrupted - There is always someone, who is susceptible to bribery or threats (as any good spy knows)!
7. Ingo Schubert, RSA Security
Biometric as a second factor e.g. replacing the PIN for a smart card. That sounds ok - but as the main part for strong authentication? No way...
First of all it has been proven again and again that especially finger print scanners can be fooled with ease. Even facial recognition or iris scans have been fooled by simply holding pictures of a person or iris into the camera.
"Something you are" is *not* "Something you have"!
Your fingerprint belongs to you but you leave it everywhere and the same is true for a lot of biometric characteristics a person has.
Deploying biometric scanners is another challenge. If anybody would know how to ship new hardware, attach it to a PC and configure the software correctly we would have smart cards all over the place.
Why should biometric scanners be any different?
The hardware costs are always only a fraction of the real costs of a rollout. It does not help the scanner is built into a keyboard.
Biometric helps in one place only: authentication. Neil Hammond mentioned already that there is a solution that does this already without the trouble that comes with biometric devices: SecurID (if you wonder why I like his statement so much have a look at the company I work for...).
If a company likes to invest money into security they rather should spend it on OTP tokens or smart cards - the first one is cheaper and works everywhere (not only where a scanner is installed) and the latter can also provide encryption and digital signatures.
Acceptance of biometric scanners by users is a big obstacle. Yes, the engineers (and apparently some CIOs) love cool things like biometric but they are not the general public which has a different view.
8. Phil Young
I am astounded that people think CIOs and IT Directors of 'non supplier' companies will make more money from this! We just get the 'bad heads' and no more pay I am afraid.
9. Alan
The single most worrying aspect about biometrics as ID is what will happen when the code is 'cracked'.
I mean it's one thing to change a password etc. - but what do you do *when* some personal biological imprint is copied?