Biometrics and Identity Management
Your fingerprints, your iris, even the shape of your ear are distinctive enough to identify you. But beyond that distinctiveness they carry no information about you: who you are, which groups you belong to, what you have been given access to. Biometrics are therefore best used to strengthen existing methods of identity management, not to replace them.
What exactly is identity?
Identity is not a quality that an individual possesses in isolation. If you are alone on a desert island, no one is there to identify you. Identity exists between two or more people. It gives a group a way of recognizing an individual as a member and of authorizing the privileges that membership in that group offers. For example, a bank card gives you the privilege of accessing your bank account. A passport identifies you as a citizen of a specific country and gives you the privilege of crossing certain borders when you travel.
There are three primary ways that people identify themselves: with credentials such as passports, badges or ID cards (something you have); with a shared secret such as a password or PIN (something you know); and with biometrics, which identify a person by sensing a distinctive physical property such as a face, a voice, hand geometry, retinal or iris patterns, or fingerprints (something you are).
Each method has its drawbacks. For biometrics to work, a person must first be enrolled: a fingerprint is useless unless it has been associated in advance with a group. On the other hand, a fingerprint cannot be lost or forgotten, although if it is ever compromised it cannot be changed the way a password can. A shared secret can be learned by a third party without either the user or the issuer becoming aware of it. If a credential is lost, the owner is usually aware of the fact, but is then unable to prove identity.
Identification and verification
There are two main approaches to biometric security: identification and verification. In identification there is typically no credential involved; the system delegates to a machine, such as a fingerprint reader, the job of working out who an individual is. Each enrolled person's biometric template is stored in a central database. To identify a person, a scan is taken and compared against every template in the database (a one-to-many, or 1:N, search). A match not only confirms membership but also says which member the person is.
Verification, by contrast, is done in tandem with a credential. Possession of the appropriate credential marks an individual as a group member; the biometric is used only to confirm that this individual is the rightful holder of that credential. The biometric template is stored on the credential itself, such as a passport or company badge. To verify an identity, a scan is taken and compared with that one stored template (a one-to-one, or 1:1, comparison). This method is considered more accurate and faster than identification, and it carries a higher level of security. The biometric information is stored on the credential, not in a central database, so there is no central store of templates to protect or breach. The biometric identifier is not used as a key; it reinforces the credential, which is the actual key, so an attacker needs both. Because the live scan is compared against the single template on the credential rather than against a whole database, the check is also much quicker. One caveat: the template must be bound to the credential (for instance signed by the issuer), otherwise a credential rewritten to carry an impostor's template reduces the check to simple possession.
Convenience and security
There is a trade-off between convenience and security. Biometrics are very convenient, but on their own less secure. Fingerprint recognition is well suited to locks, but with an error rate of around 3% (the figure does not distinguish false accepts from false rejects, and it is the false-accept side that matters for a guard) it is too weak to be used as the sole guard. Fingerprint recognition in tandem with a card reader has proven successful: the biometric adds a second factor to the card, and the card confines each comparison to a single template rather than a whole database.
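As an added example, not code from the original article, covering both the identification/verification section above and the error-rate trade-off here: a small Python model with a constructed toy matcher (templates are feature vectors, a live scan is the template plus sensor noise; DIM, THRESHOLD, ISSUER_KEY, the subject names and the 3% per-comparison rate are assumptions for illustration). It runs a 1:N identification search against a database, a 1:1 verification against a template carried on a credential and bound to that credential with an HMAC under an issuer key, and computes how a fixed per-comparison false-accept rate compounds across a database.

```python
import hashlib
import hmac
import random

# Constructed toy matcher: a template is a DIM-dimensional feature vector in
# [0, 1]; a live scan is the template plus sensor noise. Real fingerprint or
# iris templates are far richer, but the two flows below have the same shape.
DIM = 32
THRESHOLD = 0.90          # accept a comparison when the score is at least this
ISSUER_KEY = b"constructed-issuer-key-for-this-example"  # assumed issuer secret


def enroll(rng):
    """Return a fresh random template (stands in for a clean enrolment scan)."""
    return [rng.random() for _ in range(DIM)]


def scan(template, rng, noise=0.02):
    """Simulate a live capture of the enrolled subject with Gaussian sensor noise."""
    return [min(1.0, max(0.0, x + rng.gauss(0.0, noise))) for x in template]


def score(a, b):
    """Similarity in [0, 1]: 1.0 for identical vectors, about 0.67 for two random ones."""
    return 1.0 - sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def identify(live, database):
    """1:N identification: search every enrolled template and return the best
    subject id if its score clears THRESHOLD, else None."""
    best_id, best = None, 0.0
    for subject_id, template in database.items():
        s = score(live, template)
        if s > best:
            best_id, best = subject_id, s
    return best_id if best >= THRESHOLD else None


def _binding(cred_id, template):
    # Bytes covered by the MAC: credential id and template together.
    return cred_id.encode() + b"|" + repr(template).encode()


def issue_credential(cred_id, template):
    """Put the template on the credential and bind both to the issuer with a MAC,
    so a card rewritten with someone else's template is rejected."""
    tag = hmac.new(ISSUER_KEY, _binding(cred_id, template), hashlib.sha256).hexdigest()
    return {"id": cred_id, "template": template, "tag": tag}


def verify(live, credential):
    """1:1 verification: the credential must be authentic and the live scan
    must match the single template it carries. No database lookup."""
    expected = hmac.new(ISSUER_KEY, _binding(credential["id"], credential["template"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["tag"]):
        return False
    return score(live, credential["template"]) >= THRESHOLD


def false_accept_probability(per_comparison_far, n_templates):
    """Probability that an impostor matches at least one of n templates when each
    comparison independently false-accepts with probability per_comparison_far."""
    return 1.0 - (1.0 - per_comparison_far) ** n_templates


def run_demo(seed=1, population=50):
    """Constructed scenario: 50 enrolled subjects, one genuine user, one impostor."""
    rng = random.Random(seed)
    database = {f"subject-{i}": enroll(rng) for i in range(population)}
    alice_template = database["subject-7"]
    alice_card = issue_credential("subject-7", alice_template)

    live_alice = scan(alice_template, rng)
    live_impostor = enroll(rng)                     # a finger that was never enrolled

    # Card rewritten by an attacker to carry their own template: the MAC no longer binds.
    forged_card = dict(alice_card, template=live_impostor)

    return {
        "identify_alice": identify(live_alice, database),
        "identify_impostor": identify(live_impostor, database),
        "verify_alice": verify(live_alice, alice_card),
        "verify_impostor_with_alice_card": verify(live_impostor, alice_card),
        "verify_impostor_with_forged_card": verify(live_impostor, forged_card),
        "far_1_to_1": false_accept_probability(0.03, 1),
        "far_1_to_50": false_accept_probability(0.03, population),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the block shows the genuine user identified and verified, the impostor rejected on both paths, and the forged card rejected by the MAC check before any matching happens. The last two numbers carry the trade-off argument: at a 3% per-comparison false-accept rate, a 1:1 verification gives an impostor a 3% chance, while a 1:N search over 50 templates gives them roughly 78%, which is why the credential is kept as the actual key and the biometric only reinforces it.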