An approach to using biometric technologies

Biometric technologies offer the future of security technology, but integrating cutting-edge technology alone may not automatically solve all your security problems. Here U.S. Government experts offer an approach that may help.

One of the primary functions of any security system is the control of people moving into or out of protected areas, such as airports, buildings, information systems, and nations. People are identified by three basic means: by something they know, something they have, or something they are. People and systems regularly use these means to identify people in everyday life. For example, members of a community routinely recognise one another by how they look or how their voices sound – by something they are. Automated teller machines (ATM) recognise customers from their presentation of a bank card – something they have – and their entering a personal identification number (PIN) – something they know. Using keys to enter a locked building is another example of using something you have. More secure systems may combine two or more of these approaches.

Technologies called biometrics can automate the identification of people by one or more of their distinct physical or behavioural characteristics – by something they are. The term biometrics covers a wide range of technologies that can be used to verify identity by measuring and analysing human characteristics. Biometrics theoretically represent a more effective approach to security because each person’s characteristics are thought to be distinct and, when compared with identification cards and passwords, are less easily lost, stolen, counterfeited, or otherwise compromised.

In the United States, biometrics are increasingly being used for aviation security. Since the 2001 terrorist attacks, the U.S. Congress has directed a greater use of biometrics. For example, the Aviation and Transportation Security Act of 2001 and the Intelligence Reform and Terrorism Prevention Act of 2004 include several provisions regarding the use of biometrics for applications such as perimeter security and access control. Current pilot biometric programs for aviation security in the US include the Transportation Worker Identification Credential (TWIC), the registered traveller program, and programs designed to control access to secure areas of airports. Further, ICAO has selected and endorsed the use of facial recognition, fingerprints, and iris biometrics for machine-readable travel documents such as passports and visas.

Using risk management as a security tool

While biometric technology is currently available and used in a variety of applications, questions remain regarding the technical and operational effectiveness of biometric technologies in large-scale applications. We have found that a risk management approach can help define the need and use for biometrics for security. The approach to good security is fundamentally similar regardless of the assets being protected. This approach can be reduced to five basic steps (see Five Steps to Effective Security).

Countermeasures identified through the risk management process support the three integral concepts of a holistic security program: protection, detection and reaction. Protection provides countermeasures such as policies, procedures and technical controls to defend against attacks on the assets being protected. Detection monitors for potential breakdowns in protective mechanisms that could result in security breaches. Reaction, which often requires human involvement, responds to detected breaches to thwart attacks before damage can be done. Because absolute protection is impossible to achieve, a security program that does not incorporate detection and reaction is incomplete.

Security is not just about technology

It is important to realise that deploying biometric technologies will not automatically eliminate all security risks. Technology is not a solution in isolation. Effective security also entails having a well-trained staff to follow and enforce policies and procedures. Weaknesses in the security process or failures by people to operate the technology or implement the security process can diminish the effectiveness of technology.

Accordingly, there is a need for the security process to account for limitations in technology. For example, procedures for exception processing would need to be carefully planned. Not all people can successfully enrol in a biometrics system. For example, the fingerprints of people who work extensively at manual labour are often too worn to be captured. People lacking fingers or hands from congenital disease, surgery, or injury cannot use fingerprint or hand geometry systems. Further, biometric technologies are not perfect. False matches and false non-matches will also sometimes occur. False match and false non-match rates are inversely related; they must, therefore, always be assessed in tandem, and acceptable risk levels must be balanced with the disadvantage of inconvenience. For example, for access control applications, perfect security would require denying access to everyone. Conversely, granting access to everyone would result in denying access to no one. Obviously, neither extreme is reasonable, and biometric systems must operate somewhere between the two.

Procedures need to be developed to handle these situations. Exception processing that is not as good as biometric-based primary processing could be exploited as a security hole. The effect on the process is directly related to the performance of the technology. In our study of biometrics for border security, we found that fingerprint recognition appears to be the most mature of the biometric technologies.1 Fingerprint recognition has been used the longest and has been used with databases containing over 40 million entries. Iris recognition is a young technology and has not been used with large populations. While facial recognition has also been used with large databases, its accuracy results in testing have lagged behind those of iris and fingerprint recognition.

As with any credentialing or identity management system, it is critical to consider the process used to issue the credential. Biometrics can help ensure that people can only enrol into a security system once and to ensure that a person presenting himself before the security system is the same person that enrolled into the system. However, biometrics cannot necessarily link a person to his or her true identity. While biometrics would make it more difficult for people to establish multiple identities, if the one identity a person claimed were not his or her true identity, then the person would be linked to the false identity in the biometric system. The use of biometrics does not relieve the credential-issuing authority of the responsibility of ensuring the identity of the person requesting the credential or of conducting a security check, commensurate with the level of access being granted, to assure itself that the person is entitled to receive the credential. The quality of the identifier presented during the enrolment process is key to the integrity of a biometrics system.

Even if the biometric is checked against a biometrics-based watch list, the effectiveness of such a list is also dependent on non-technological processes. The policies and procedures governing the population of the watch list as well as the effectiveness of the law enforcement and intelligence communities to identify individuals to place on the watch list are critical to the success of the program. People who are not on the watch list cannot be flagged as someone who is not eligible to receive a credential.

Considering effectiveness and tradeoffs

A decision to use biometrics in a security solution should also consider the benefits and costs of the system and the potential effects on convenience and privacy. A business case should be developed that identifies the organisational needs for the project and a clear statement of high-level system goals should be developed. The high-level goals should address the system’s expected outcomes such as ensuring that only credentialed persons are permitted access to secure areas or the identification of undesirable individuals on a watch list. Certain performance parameters should also be specified such as the time required to verify a person’s identity or the maximum population that the system must handle.

Once the system parameters are developed, a cost estimate can be developed. Not only must the costs of the technology be considered, but also the costs of the effects on people and processes. Both initial costs and recurring costs need to be estimated. Initial costs need to account for the engineering efforts to design, develop, test, and implement the system; training of personnel; hardware and software costs; network infrastructure improvements; and additional facilities required to enrol people into the biometric system. Recurring cost elements include: program management costs, hardware and software maintenance, hardware replacement costs, training of personnel, additional personnel to enrol or verify the identities of people in the biometric system, and possibly the issuing of token cards for the storage of biometric information.

Weighed against these costs are the security benefits that accrue from the system. Analysing this cost-benefit balance is crucial when choosing specific biometrics-based solutions. The consequences of performance issues – for example, accuracy problems, and their effect on processes and people – are also important in selecting a biometrics solution.

Consideration must be given to the convenience and ease of using biometrics and their effect on the ability of the agency to complete its mission. For example, some people find biometric technologies difficult, if not impossible, to use. Still others resist biometrics because they believe them to be intrusive, inherently offensive, or just uncomfortable to use. Lack of cooperation or even resistance to using biometrics can affect a system’s performance and widespread adoption. Further, privacy concerns have been expressed about the collection of biometric data including the adequacy of protections for security, data sharing, identity theft, and other identified uses of biometric data.

Furthermore, if the processes to use biometrics are lengthy or erroneous, they could negatively affect the ability of the assets being protected to operate and fulfil its mission. For example, in 2002, we found that there are significant challenges in using biometrics for border security. The use of biometric technologies could potentially affect the length of the inspection process. Any lengthening in the process of obtaining travel documents or entering the United States could affect travellers significantly. Delays inconvenience travellers and could result in fewer visits to the United States or lost business to the nation. For the aviation industry, further studies could help determine whether the increased security from biometrics could result in fewer air travellers and consequently, lost business.

Summary

In conclusion, although biometric technologies exist for airport security, it is important to bear in mind that effective security cannot be achieved by relying on technology alone. Technology and people must work together as part of an overall security process. Weaknesses in any of these areas will diminish the effectiveness of the security process. We have found that three key considerations need to be addressed before a decision is made to design, develop, and implement biometrics into a security system:

1. Decisions must be made on how the technology will be used.
2. A detailed cost-benefit analysis must be conducted to determine that the benefits gained from a system outweigh the costs.
3. A trade-off analysis must be conducted between the increased security, which the use of biometrics would provide, and the effect on areas such as privacy and convenience.

Aviation security concerns need to be balanced with practical cost and operational considerations, as well as political and economic interests. A risk management approach can help identify and address security concerns. To develop aviation security systems with biometrics, the high-level goals of these systems need to be defined and the concept of operations that will embody the people, process, and technologies required to achieve these goals needs to be developed. With these answers, the proper role of biometric technologies in aviation security can be determined.

References

1. U.S. GAO, Technology Assessment: Using Biometrics for Border Security, GAO-03-174 (Washington, D.C.: Nov. 15, 2002).

Keith Rhodes

Keith Rhodes is the Chief Technologist of the U. S. Government Accountability Office and Director of the Centre for Technology and Engineering. Throughout the legislative branch, Mr. Rhodes provides assistance on computer and telecommunications issues and leads reviews requiring significant technical expertise.

Richard Hung

Richard Hung is an Assistant Director in the Centre for Technology and Engineering. He provides technical planning and assistance on GAO evaluations of government and industry computer systems. He has been an advisor on several GAO engagements, including those examining border control systems, voting systems, Census data collection systems, and weather satellite systems.