Relying on human anatomy to authenticate the identity of a company’s employees or customers has still not caught on. The standard corporate password is accepted by most. Canadian uncertainty about biometrics contributes to a slower-than-expected adoption rate, says Michelle Warren, an IT analyst at Evans Research Corp. in Toronto.
“We aren’t, overall, very comfortable with the idea of Big Brother knowing our every move,” Warren says, adding the industry lacks hard numbers on biometrics usage. “We have a connection with the word ‘bio’ and we still, as individuals, shy away from associating our bodies with technology.”
84 per cent rely on passwords
Although it may be argued Canadians are somewhat skeptical of other forms of authentication, these are still more readily adopted, Warren says.
In its IT security surveys this year of 200 technology decision-makers, Forrester Research Inc. found the vast majority (84 per cent) of the 147 who responded said their organization is “most likely to use” strong password policies to allow their employees to log on.
Only 13 per cent of respondents predicted they would use biometrics by the end of 2005.
Warren says traditional work environments, such as small businesses, accounting firms or university Web portals, tend to rely on passwords for network security, though they are cumbersome.
But one-time password tokens with a digital number that changes every minute and digital certificates are also popular among respondents to Forrester’s survey. About one in three respondents predicted they are likely to require their employees to use one-time tokens to access their networks while 25 per cent anticipated they would rely on digital certificates by the end of 2005.
“In some environments — science and technology, for example — heightened security is expected and embraced,” says Warren.
Smart cards are another way to confirm someone’s identity. Some may argue these cards can be passed from one person to another, Warren says built-in features like photos may make transfer difficult.
The real growth, however, is projected to be in strong authentication — the use of several of these credentials to verify workforce identity.
Wally Kowal, marketing vice-president of Diversinet Corp. in Toronto, says four factors or credentials may be used collectively to identify someone: user name or account number; a password associated with this; a one-time password; and services pinpointing location.
Diversinet focuses on one-time passwords — which Kowal says is the focus of the authentication industry — but also works with companies supplying biometrics.
“Our technology is proven and available and primed for mass consumer deployment,” Kowal says, adding the specialized field of biometrics, in comparison, has “teething problems.”
He says installing a palm-print or fingerprint scanner on every computer in the workplace may be expensive.
Chris Voice, Ottawa-based vice-president of technology for Entrust Inc. of Addison, Tex., estimates biometric readers range from $50 to several hundred dollars, with the more complicated infrastructure requirements of iris scanners making these more costly.
cumbersome registration process
Some PCs include biometric readers, but others involve a separate purchase that contributes to a higher cost, Warren says. Interoperability, then, becomes a huge issue, she says, because biometric devices must work with hardware, software and, in some situations involving multiple security features, the security information and data pockets must be compatible with each other. As a result, she says, companies tend not to adopt biometrics unless management of these enhanced security features can be combined with the overall IT budget.
Reliability is another concern. Kowal argues false-positive readings arise when a biometrics reader verifies the wrong employee’s identity. In some cases, a person who is supposed to have access is locked out — for example, if a bandage is removed from the fingertip but a scar across the fingerprint causes confusion.
With biometrics, moreover, an enterprise must acquire each employee’s fingerprint or iris scan from the reader in a time-consuming registration process.
Voice says biometrics will become more popular as IT security budgets increase and prices drop, but it will not necessarily be the leading way organizations choose to authenticate users.