There’s been a lot of discussion about biometrics.
A lot. We've discussed precise definitions, we've discussed health and safety issues, potential human rights violations, data protection requirements and, of course, how to make the technology work. Eyeball scanning and fingerprint recognition are just some of the elements of a technology which has genuinely captured the public imagination, helped in no small way by movies like Mission Impossible and any James Bond outing you care to mention. However, biometric security has yet to enter the day-to-day lives of the majority of the population, and few would question that there is still significant work to be done to reach that stage, if, indeed, we ultimately decide that this is the right path for security to take.
So, while we're trying to reach agreement, let's throw another perspective on biometrics into the arena for discussion - that of the customer experience. It is something that has been worryingly overlooked to date, and I was reminded of this yet again last week when I came across the definition of biometrics by the U.K. government's Biometrics Working Group in its paper, Biometrics for Identification and Authentication - Advice on Product Selection. It reads: "...the automated means of recognizing a living person through the measurement of distinguishing physiological or behavioral traits." Accurate - yes. Thorough - yes. Reflecting individual experience or response - no. For any company planning to use this technology with its customers, and indeed its employees, a positive experience of using biometric security technology must be a primary objective. Otherwise, you could be left with some very expensive state-of-the-art equipment and no one willing to use it.
The bottom line is that the security of a system, and its usability, are not always in harmony with each other. Quite the opposite - security systems are usually specifically designed to frustrate (unwanted) users. Extrapolate that and you realize that there is a fine line to tread between establishing trust with your customers through provision of secure systems, and frustrating them through complex processes and false rejects. Particularly problematic areas here are those of authentication and access control into systems.
Picture this. Saturday night on a holiday weekend. A man strolls up to his local bank's cash dispenser. Instead of a PIN, the man simply puts his finger against the screen to be scanned. He waits for verification of identity and access to his account. He waits. He waits. He is informed by the machine that he is not recognized as the account holder. Man asks for fingerprint to be rescanned. Machine reasserts that the man is not the account holder. Man informs the machine loudly that he is the &*^$&^* account holder. Machine has no further comment to make. Man bangs on screen while shouting further expletives. Police arrive. Man is taken away, gesticulating wildly. Man terminates his account with the bank and tells anyone and everyone he knows about how bad the bank's service is. Okay, maybe a little exaggerated but I think we all recognize the picture.
At Detica, we recently carried out some research where we asked consumers, rather than companies, about their experience of electronic CRM to date. Worryingly, almost three quarters (73 per cent) felt that, when companies introduced new e-services, it was often done to benefit the company alone. The lesson which we can learn here and apply to biometrics is that in order to reap the value of more secure systems, we also have to ensure that customers feel they're not being inconvenienced, or that companies are taking advantage of them.
Because, let's face it, there are tremendous potential advantages that biometrics can give us in terms of security. Take banks as an example. Their call centers may require customers to give them part of a password, plus their date of birth, plus their postcode in order to confirm their identity. The banks may then also issue different user names and completely different passwords to the same users, for when they choose to bank online. Each time you give a user a different method of authentication for a different channel, you ask him or her to commit more and more information to memory. We all know that the majority will simply write down the data and keep it somewhere handy, which immediately renders the entire process insecure and self-defeating. Biometrics is often seen as the silver bullet solution to this growing problem. You don't need to remember your own voice pattern because it's instinctive and (hopefully) pretty tough to lose.
If companies do decide to go down the biometrics route, then they will ultimately have to confront the issue of balancing a hassle-free customer experience with provision of robust security that will satisfy customer concerns. There are questions that still need to be answered. For example, take a fingerprint scan that is compared against an original 'template' scan for authentication. Two samples, although from the same person, will never, never be identical. So how similar do they need to be before they are accepted as the same? However this measure of acceptance is set, there will always be some false accepts (i.e. people being identified as someone they are not, which weakens security) and some false rejects (i.e. genuine customers being told they are not who they think they are - which will obviously upset them).
It seems certain that, in the short term, using biometrics alone for customer authentication is fraught with difficulties. Combining biometrics with other means of identification, say a PIN, is one way out. So-called multi-factor authentication means you can be less reliant on the biometric, but still improve security over a single authentication technique. The issue is the impact on customer experience. If the industry will now consider security and customer experience together, then at least we're moving in a direction that will eventually enable us, whatever the outcome, to use biometrics technology in harmony with our businesses, rather than against them.
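The trade-off between false accepts and false rejects, and the way a second factor relaxes it, can be made concrete with a short calculation. The following is an added example, not part of the original article: the similarity scores are constructed, and the two PIN probabilities (and their independence from the scan result) are assumptions chosen for illustration.

```python
# Constructed similarity scores (0..1) between a fresh scan and the enrolled
# template. Illustrative values only, not measurements from any real product.
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.76, 0.72, 0.69, 0.63, 0.58, 0.47]
IMPOSTOR = [0.12, 0.18, 0.22, 0.27, 0.31, 0.36, 0.41, 0.49, 0.56, 0.73]

# Assumed PIN behaviour (hypothetical figures, independent of the scan result).
P_IMPOSTOR_HAS_PIN = 0.001  # impostor enters the right PIN within the retry limit
P_GENUINE_PIN_FAIL = 0.02   # genuine customer forgets or mistypes the PIN

THRESHOLDS = [i / 100 for i in range(30, 100, 5)]  # candidate settings 0.30 .. 0.95


def biometric_only(threshold):
    """(false accept rate, false reject rate) for 'accept if score >= threshold'."""
    far = sum(s >= threshold for s in IMPOSTOR) / len(IMPOSTOR)
    frr = sum(s < threshold for s in GENUINE) / len(GENUINE)
    return far, frr


def biometric_plus_pin(threshold):
    """Rates when the scan AND the PIN must both pass."""
    far, frr = biometric_only(threshold)
    return far * P_IMPOSTOR_HAS_PIN, 1 - (1 - frr) * (1 - P_GENUINE_PIN_FAIL)


def best_threshold(rates, max_far):
    """Threshold with the fewest false rejects whose false accept rate stays
    within max_far. Returns (threshold, far, frr), or None if none qualifies."""
    options = []
    for t in THRESHOLDS:
        far, frr = rates(t)
        if far <= max_far:
            options.append((frr, far, t))
    if not options:
        return None
    frr, far, t = min(options)  # lowest FRR first, then lowest FAR
    return t, far, frr


if __name__ == "__main__":
    for name, rates in (("biometric only", biometric_only),
                        ("biometric + PIN", biometric_plus_pin)):
        print(name, best_threshold(rates, max_far=0.0005))
```

On this sample, holding false accepts to the same budget forces the biometric-only system to turn away half of its genuine customers, while the combined check can run a much more forgiving threshold and turn away about 2 per cent.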
Martin Sutherland is head of security practice, Detica (www.detica.com).
Detica are exhibiting at Infosecurity Europe, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education program, and over 200 exhibitors at the Grand Hall at Olympia from April 29 - May 1, 2003. www.infosec.co.uk