Biometric devices, which use body measurements such as eye scans or fingerprints to determine or verify identity, are experiencing explosive growth.
And it’s no wonder.
By increasing security and convenience, biometrics offers a win-win proposition for businesses and customers. IT managers in Cayman who effectively use this technology can achieve significant business gains.
The world is starting to see a rapid growth in the use of biometrics as evidenced by a broad range of biometric products entering the market – for both businesses and consumers alike. For example, biometric front-door locks, garage doors and safes are now available to consumers, while business-focused products, such as telephone banking systems that verify identity with voice analysis and cash points with palm-scanners, are now used by over 2 million consumers in Japan.
But what exactly does biometrics offer the consumer?
The primary benefit is additional and effective identity protection. Customers are already familiar with many different methods of securing information: PINs, passwords, keys and signatures. Yet the human characteristics used by biometric devices offer a unique added layer of security. Unlike PINs, passwords, keys or signatures, biometric indicators are specific to each individual and cannot be imparted to others.
By adding an independent level of confirmation, biometrics offers an extra source of verification which improves security. Fingerprints, voice scanning and even keystroke-dynamics that are measured when typed by the user, can be used to identify and confirm that the user is who he or she claims to be.
In addition, blood vessels in the back of the human eye, used for retinal scans, are matchless.
Two-factor authentication is a method by which personal identity is established by combining two independent means of identification. It relies on two pieces of information: something that you know, for instance, your account number, PIN or driver’s license number, and something that you have, such as an electronic token, the pattern of your fingerprint or other biometric measure.
This authentication process is now recommended in the United States by the Federal Financial Institutions Examination Council
The use of biometrics can also serve to increase convenience. Consumers at certain American grocery store chains (Albertson’s and Cub Foods) have the option of employing fingerprint scanners, along with their phone number, to purchase products. The purchase price is deducted directly from the customer’s bank account or credit card and presents a much faster method of payment versus the use of a debit card or writing a cheque.
According to Parade magazine, over 3 million customers are purchasing goods using the biometric based payment option.
These customers do not even need to carry a wallet.
In addition, companies may also be able to increase revenues by moving customers through checkout more quickly.
Convergence between added security and added convenience is beginning to take shape. In some cases, such as the cash points used in Japan, biometrics is implemented only to increase security.
Customers still must carry ATM cards and remember their PIN, but, by adding a level of biometric security, a two-factor system is strengthened to a three-factor system. While this may be more cumbersome for consumers at first, they will soon come to appreciate the increased security and convenience of biometric devices.
Voice Vault, which asks the user for a pass phrase, is an interesting application of biometrics which relates to the telephone banking system. Because the user is able to set his or her own security question with Voice Vault, it is not necessary to type in or even remember a PIN. All that is required is for the user to simply and conveniently speak the pass phrase.
Attitudes regarding the use of biometrics are becoming increasingly favourable. In addition to what we know about its existing use, research commissioned by vendor EDS in 2004 along with research conducted in the United Kingdom reveals positive attitudes amongst consumers.
The EDS survey revealed that more than 69 per cent of respondents indicated that they are open to the idea of using biometrics for identity management. Only 12 per cent said no to biometrics, while 19 per cent were unsure.
Moreover, these figures concurred with data obtained in 2005 from a study conducted by an independent non-profit organization, TRUSTE, which focused on trust-based privacy for personal information.
The rise in use of biometrics can be further explained by falling prices for equipment and the rising performance of technologies underpinning it, such as processors and digital storage. Cayman companies, especially those in the financial services industry, could also realize cost savings by implementing biometric devices.
A study conducted by Gartner Inc. indicated that password issues can significantly impact companies with a large network and can impose additional costs of up to US$340 per employee, per year.
This figure includes help desk costs, downtime, and the cost of lost business. By implementing biometric software, companies can reduce this cost by more than half – a substantial return on investment.
While biometrics offers unique security credentials, there are still vulnerabilities that can be exploited with its use. Companies that plan to implement biometrics should understand potential attack schemes that could compromise the integrity of the authentication methods used. The SANS Institute, one of the world’s largest security and research organizations, noted in a report: ‘It is not enough to assume absolute verification with biometrics alone but rather as part of a well designed security implementation that considers strong two-factor authentication.’
Biometric devices are not a single security solution – rather, they should be regarded as one component of a larger protective strategy.
The biometrics trend will soon be with us in the Cayman Islands. When coupled with a well-designed, well-implemented security strategy, biometric devices will help local companies improve safeguards and expediency while lowering the cost of doing business.
Matt Miller is an assistant manager in both the Information Technology Assurance and Security and Privacy Services groups of Deloitte (Cayman) Enterprise Risk Services. Based in Cayman, he leads and participates in IT audit and security engagements across the Caribbean. Heis a certified information systems auditor with over four years experience with the Deloitte US firm. He has served some of the firm’s largest and most complex clients, providing his expertise on security implementation projects as well as Sarbanes Oxley attestation and internal controls consulting. Matt is a member of the Information Systems Audit and Control Association.