CIOs in the Biometric Age

By Kim Boatman

Too often, says Forrester analyst Geoffrey Turner, security rides on mundane tidbits of everyday information and vulnerable passwords.

“Right now, one of the biggest drags on the economy and the ability to use information systems and networks to advance commercial activity is because we have very weak abilities to establish and verify the identities of individuals,” says Turner. “It’s all based on non-secret information. It comes down to your mother’s maiden name.”

The maturation of biometrics offers a viable alternative, says Turner, author of a recent Forrester report, Biometrics: State of the Art and Future Implications. 

Biometrics -- the distinct, measurable characteristics of an individual -- was once thought to be a technology likely to gain widespread use in a distant future. But several factors have contributed to biometrics’ arrival as a reliable process of verifying identity, says Turner, including the following:

• Technological developments Iris scanning, through a high-definition image of an individual’s eyes, uses software to generate a unique mathematical description. Fingerprint recognition is perhaps the most familiar technology, using software that maps the unique patterns of a person’s fingerprint. Facial recognition and hand geometry are also employed. Uses of vein geometry in the hand or finger are less mainstream forms of biometric identification, although they are already in practice at some Japanese ATMs. Other biometric technologies under development include skin biometrics and gait and voice recognition.

• Formal standards Standards provide a framework that defines how biometric technologies are implemented. They allow for interoperability, predictability and reliability. Organizations such as the American National Standards Institute/International Committee for Information Technology Standards set the parameters for biometric technology. Organizations work together to “harmonize” the standards, says the Forrester report. “The result is very coherent and common biometric technology architecture with high degrees of inherent interoperability. This bodes well for the rapid economical adoption of the technology across most vertical applications in both the public and private sectors.”  

• The successful implementation of biometrics Public familiarity with biometrics has increased with the arrival of programs such as the U.S. government’s e-passport, which incorporates biometrics. Biometric ID programs are being used to make business travel more convenient, easing the way for frequent travelers between the United States and England, for example.

“Anything where the presence of the individual is in question, biometrics can be an improvement over the current level of assurance,” says Turner.

However, there are considerations CIOs should make before implementing biometric technologies, says Cheryl Waldrup, director of global marketing at Daon, a biometrics software company. Key areas to cover:

• Consider applications, present and future CIOs making a business case for biometrics should think about current and future applications and choose wisely. “Be careful to choose hardware and software that allows for expansion or updates as the technology advances,” Waldrup says. Biometric security can encompass a wide range of applications, from accessing a physical facility to retrieving sensitive data to managing customer accounts. A centralized biometric platform can integrate with human resources, says Waldrup, tracking employee work hours and even allowing employees to use biometrics or a smartcard containing biometric data to pay for lunch in the company cafeteria.

• Get buy-in  Biometrics brings with it a wariness about privacy issues, acknowledges Turner. Employees or clients might not be educated about how a technology works. “Most people don’t distinguish between systems that store biometric data in a centralized database versus those that only store them on a user-owned credential,” says a Forrester report Turner co-authored earlier this year. Implementing biometrics becomes “almost a bureaucratic, political task” for CIOs, says Turner.
  
  Everyone from management to employees to clients may have questions that must be answered. Waldrup suggests surveying employees before launching a biometrics program, or using focus groups to determine issues or special needs. An internal biometrics fair is a creative way to achieve buy-in, says Waldrup. Allowing employees to view the technology, experiment with devices and learn about tech advances can smooth the way. Inviting vendors of consumer-use biometrics can also be helpful. “By allowing employees to see how finger or palm readers can be used for home access control and how voice biometrics can be used to access bank account information, you may succeed in creating an environment of acceptance and adoption,” Waldrup says.
  
  It’s important to establish biometrics as a convenient, streamlined way to control identity rather than as a technology that requires surrendering privacy, says Turner. “It’s a means to have better control of their identity,” he says. “Include a message to the people who are going to be participating as to why it’s an improvement.”

• Understand biases Certain technologies may be met with particular resistance. For instance, using fingerprints can carry a stigma, since fingerprinting has long been used as a form of identification by law enforcement agencies. Some people might also have hygiene concerns about fingerprint readers or other contact devices.

• Offer reassurance Understand that ongoing support is a necessity as employees and/or clients adjust. Waldrup recommends offering online help, FAQs and in-person assistance.

• Evaluate the technology Understand the pros and cons of various biometric technologies. For example, it’s sometimes difficult for people with dry skin or worn hands to give a clear fingerprint. Sensors may react differently when placed outdoors.

• Plan implementation CIOs will need to look for ways to streamline enrollment in a biometrics program, particularly if many employees and multiple locations are involved. If biometric data is captured and stored on a smartcard, management of the smartcard system is also a consideration, says Waldrup. Enrollment kiosks may need to be established in several locations. Programs such as the Registered Traveler program -- in place at some U.S. airports -- can serve as a model, allowing the private sector to capitalize on systems developed by government agencies.

In an age when organizations, both public and private, are confronted with the possibility of costly, embarrassing data breaches, the potential payoff of incorporating biometrics is huge, says Turner. 

“Having biometrics in place is a firm gold standard as to how you establish your identity,” he says.

Kim Boatman is a freelance business journalist in Silicon Valley, Calif. She spent more than 15 years reporting for the San Jose Mercury News.