By Heather Clancy, Contributor
I can't count the number of times I've forgotten one of the dozens of passwords I've created to sign onto all my virtual private networks, social networking sites and other cyber-accounts -- and I'm willing to bet most readers of this article can say the same.
Therein lies just one major motivation for burgeoning interest in better biometric devices: the need for a simpler, more user-friendly authentication method for companies to control IT infrastructure and client access. According to Acuity Market Intelligence, the broad biometrics market generated about $1.2 billion in 2007. The firm's 2010 forecast calls for that number to more than triple to $4.37 billion. The larger identity management segment, which is closely related, will grow from roughly $2.6 billion in 2006 to more than $12.3 billion in 2014, according to a separate prediction and report by Forrester Research.
Despite many commonly cited trials at airports and with ATMs, biometric devices have yet to grab hold in the IT world. There are a variety of gating factors at play, including accuracy glitches (false positives or negatives) as well as cultural, cost and convenience concerns. But security VARs and systems integrators believe new biometric devices that go behind relatively well-established fingerprint readers will help spark conversations about identity management and single-sign-on solutions in key vertical segments such as government agencies, financial services companies and healthcare operations.
"We certainly haven't reached the tipping point, but we are getting close," said Paul Kolebuck, global director for Chicago-based Accenture's Smart Identity Solutions group, citing deployments in government agencies and retail accounts. Disney's use of biometric devices to control theme park access has seriously aided the cause, he added.
The most commonly accepted biometrics methods today are fingerprint readers, like the sort we're starting to find on laptops, iris scanners and facial recognition systems, but interest is growing in methods that rely on authenticating vein and vascular patterns, Kolebuck said.
One example is PalmSecure, a product shipped several months ago by Fujitsu Computer Products of America, which uses palm vein patterns to authenticate preregistered users. A mouse version of the reader retails for $427 and includes application integration hooks into single-sign-on software as well as Active Directory, according to Dan Miller, global account manager for business development with Fujitsu.
One big play for PalmSecure is in healthcare, where it is difficult to use fingerprint readers reliably for various hygienic reasons, Miller said -- PalmSecure can be used even by individuals wearing surgical gloves.
Most biometric devices aren't very compelling as standalone products, according to Grady Johnston, CEO of Tiburon Enterprises in Atlanta, one of the first VARs for PalmSecure. That's why his company has equipped all engineers and sales executives with a demo version of the product that is integrated into a complete single-sign-on application. "As long as you show it to the customer prospect and go through all the steps, it's a short sales cycle," Johnston said. "We wouldn't do it unless there is a total solution behind it."
Hitachi touts its own product based on vein authentication technology, as does start-up Identica, which sells a two-factor authentication product called the VP II Vascular Pattern Scanner for reading patterns on the back of a hand. (Both Hitachi and Fujitsu use a scan from the palm side.)
Identica's product is priced comparably with fingerprint readers, at one-third the cost of an iris-scanning system, said Ayal Vogel, vice president of sales for the Tampa, Fla., company. A vascular pattern scanner doesn't carry the same cultural baggage as fingerprint readers, because the person being authenticated doesn't actually have to touch anything, Vogel said. "It is reliable, secure and fast. This is what you care about," he said.
Like Fujitsu, Identica is recruiting VARs that can integrate its biometric devices into broader identity management solutions.
The market certainly appears ready. A survey conducted in 2007 on behalf of Unisys by market research firm International Communications Research found that approximately 40% of Americans supported the use of biometrics technology, at least in a public setting that required some sort of physical security. Support for biometrics was strongest in the western states, the research firm reported.
Mark Cohn, vice president of integrated security programs for Unisys in Reston, Va., said two keys to broader acceptance of biometrics within the IT world will be improved accuracy and the continued introduction of systems that are less invasive, which is one reason why vascular recognition is so compelling. In all cases, Cohn said, VARs should concentrate on recommending multi-factor authentication such as a biometric scan in conjunction with a PIN or password for even tighter security.
VARs and businesses should approach biometrics with caution and to require at least two authentication factors, according to Steve Lord, technical director with Mandalorian Security Services, a security services company in Hampshire, U.K. These systems aren't infallible, Lord said, pointing to stories of hackers lifting fingerprints with ballistics putty or gummy candy and forging entry. Biometric devices also won't work in environments where there is extreme heat or cold, where sanitary conditions might be an issue or where there may be other limiting factors. "We generally advise people to really consider the experience from the end user's point of view," Lord said.
Consumers, especially in retail environments such as a grocery store, will have very little patience for an access system that slows things down, said Ted Claypoole, security law expert and principal with law firm Womble Carlyle Sandridge & Rice in Charlotte, N.C. "We're a long way from building a regime that people will be comfortable with," he said.
Ed Payne, chief technology officer with Fredericksburg, Va.-based systems integrator Acolyst, which handles a large number of government accounts, is even more skeptical. For Payne, the main gating factor is the lack of clear standards on what's appropriate and where. "Most agencies use as many as three or four different badges/card keys, as the security infrastructure will not support a single key implementation," Payne said "VARs and systems integrators are going to have to invest a lot of training time into a variety of technologies to avoid being left behind in case their primary technology is obviated by a newer solution."
About the author
Heather Clancy is an award-winning business journalist and consultant on high-tech channel communications with SWOT Management Group. She can be reached at firstname.lastname@example.org.
This was first published in October 2008