Biometrics systems are acknowledged as having the potential to be a more secure form of authentication than typing passwords or using smart cards, which can be stolen, but, some forms still have relatively high failure rates. The sophisticated retina-scanning, voice recognition and thumbprint acknowledgment systems, popularised in many Hollywood movies, are generally yet to be embraced by big business.
Biometrics is variously defined as 'The automated identification, or verification of human identity through repeatable measurements of physiological and behavioural characteristics', or 'the biological identification of a person, including iris and retinal patterns, hand geometry, fingerprints, voice responses to challenges, and the dynamics of hand-written signatures'.
Globally, biometric authentication systems and solutions are now being used in aviation security, border control, financial services, the healthcare industry, government, identity theft prevention, passport control and smart cards.
Asia's broad adoption
Research firm Hydrasight's analyst John Brand said that Asia's adoption of biometrics solutions was at both the high and low end-but not much in between.
"Biometric solutions are typically used in high security applications such as government, defence, intelligence and heavily regulated, high risk industries," says Brand, "But they're also now being used quite heavily in the consumer market, especially on some laptops that now come with inbuilt fingerprint readers. We even see that children's toys include biometric solutions such as diaries that they can only unlock with their own voiceprint."
He said that on the enterprise level, however, most organisations too often fail to perceive any benefits from biometric-based authentication and this market remains perpetually nascent.
"Overall, biometric solutions have been slow in adoption though, probably for good reason," Brand says. "For example, there are many issues tied up in the concept of identity and particularly around "chains of trust" with identity. We expect that biometrics generally will continue to have a slow deployment, even in Asia, due to the philosophical issues and technical challenges in managing biometric based solutions."
Indeed, current Asian adoption of biometrics appears to be focused on just two areas-government control of borders and the financial services industry.
Controlling borders and crime
Two regional examples are the Malaysian and Singaporean governments' increasing use of biometrics to manage population, immigration and visa processes.
Singapore's government has announced it will be introducing a new Long Term Pass (LTP) card to all foreigners residing in Singapore on a Student's Pass (STP), long term visit pass, Employment Pass (EP) and Dependant's Pass, as part of the government's initiative to enhance the national security of the lion city. The card is now being introduced in phases.
The LTP card will replace the current process, which is a stamp endorsement on travel documents and a paper-laminated Disembarkation/Embarkation (or D/E) card issued to long term pass holders.
The Malaysian government recently renewed its contract-for the ninth year-with US-based security firm Unisys Malaysia to continue work on the national ID card (MyKad), issued to Malaysian citizens. MyKad is a multi-application smart card, which uses advanced technology, including biometrics, to provide a single authentication credential for Malaysia citizens.
Unisys's Asia South general manager, Scott Wyman says: "The ability to access bank accounts, health services, public transport and other functionalities makes the MyKad the largest deployment today of a government identity smartcard worldwide, and to date, Unisys and a consortium of companies, under the MyKad project, have deployed more than 22 million national ID smartcards nationwide."
In Hong Kong, the immigration department had started accepting applications for new HKSAR electronic passport (HKSAR e-Passport) and electronic document of identity (e-D/I) introduced in February 2007. As at the end of August 2008, more than 825,000 e-passports were issued, representing about 20 per cent of the total HKSAR passports issued that are still valid.
The HKSAR e-Passports and e-D/Is contain enhanced security features including the holder's personal data and facial image which are stored in the contactless chip embedded in the back cover of the travel documents. The holder's personal particulars and photograph are inscribed onto the polycarbonate bio-data page of an e-Passport or e-D/I by laser engraving technology, according to the immigration department Hong Kong.
A global phenomenon
Wyman explained that Unisys has implemented similar biometric and identity management solutions for government agencies around the world. Examples include the U.S. registered traveller pilot programme, the HANIS (Home Affairs National Identification System) project for the department of homeland affairs in South Africa, the Australian department of immigration and citizenship, and the a six-month biometrics field trial for citizen and immigration Canada (CIC).
Brand said governments have a role to play in understanding the potential impact of biometrics and ensuring compliance of use throughout the world.
"However, it is not for one government to be working alone with biometrics," he says. "In fact, it is important that we as a global populous don't allow a single government to go off on its own and develop its own strategy alone. The risk in some parts of the world (including some parts of Asia) is that some governments (and indeed some enterprises) will adopt biometric solutions naively or, even worse, maliciously."
FSI Security and customer service
IDC's Financial Insights senior research analyst, Abhishek Kumar, says that in Asia's financial services industry, biometrics has two purposes-increased security and improved customer service.
"Examples include enhancing security through the implementation of biometrics at channels such as ATMs-common in Korea and Japan-and improved service by implementing biometrics at branches to introduce paperless environments," says Kumar. "The latter is also seeing growing usage in the microfinance sectors in Indonesia and India."
Not expensive nor difficult
Asian banks, such as Bank Danamon, have been successful in dispelling the myth of biometric authentication systems being an expensive and difficult technology to use in consumer and mass financial services.
However, Kumar explains that current challenges centre around biometric templates. "The differences in enrolment templates, matching algorithms, and biometric systems make it very difficult for banks to implement biometrics on their wider, shared networks."
Enrolment templates may not necessarily be compatible with other biometric authentication devices, though common templates are available in the market, he says.
However, he says, "Standardisation methods for these templates are already being introduced through groups such as the International Committee for IT Standards (INCITS), with its finger template standards. Whether these standards are widely accepted or not is another issue."
Kumar suggests that this problem could be overcome if banks use common enrolment templates. "Common templates mean that they will be interchangeable among the banks' biometric systems, but before this can happen, banks and customers must be willing to share their templates."
In addition, the biometric devices all must be of only one type, for example, fingerprints. "Banks can then use the templates and enter them into their own systems and have their algorithms match the templates," he says. "This solution is not simple to implement and does result in security issues."
Kumar says that the lack of standardisation hinders the growth of biometric authentication and is an issue that will face some form of regulation along with authentication rates.
As an example from the financial services sector, Kumar says: "Vendors use their own proprietary algorithms to perform biometric authentication. This may cause problems for banking customers as biometric authentication grows more commonplace. With shared ATM networks, one bank would find it very difficult to roll out BTMs because access by other bank network customers would automatically be limited. All the banks on the network would need to agree to a common biometric vendor/standard to implement BTMs efficiently and effectively."
Hydrasight's Brand says: "Often the challenges associated with biometrics are not with the technology itself but with the process of managing the biometric data and with issues of trust. Biometrics only provides one source of data about identity. It of course brings up the more philosophical questions about what identity is at all."
Brand believes that in most cases, biometric based authentication should be treated as just a more efficient means of assessing a 'good enough' match for someone's identity, but that it should not necessarily be taken as a stronger or more valid match. "Please let's try not to legitimise 'authentification' as a word. It doesn't exist and it doesn't need to exist. It doesn't describe anything different than the correct word-which is 'authentication'," says Brand.
Moving ahead, Brand says that other applications include voice authentication that streamline the process of routing voice calls through a organisation. "Although these have proved to be fairly unreliable and inefficient and we don't see a large take up of this type of technology at any level."
In addition, Brand believes that widespread trust in biometrics is actually a backward step. "We should never completely trust biometrics as a more reliable source of truth for identity. There are applications that can benefit from biometric based authentication but most are poor attempts at trying to legitimise an unneeded technology solution."
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.