Will biometrics revolutionise information security and access control?

Wednesday October 2, 2013 at 10:00am
Biometrics and access control
For anyone responsible for information security within an organisation, access control is often the biggest headache. In formal, ISO standard terms, access control is the ability to permit or deny the use of an object (a passive entity, i.e. a system or file) by a subject (an active entity, i.e. a person or process). Traditionally, passwords and personal IDs or passes have been used as security measures to prevent access to, or use of, premises or data by unauthorised personnel. However, we’ve all seen the news items about how frequently these security measures are breached, which is perhaps where biometrics fit in.

Biometrics is based on the third factor of authentication, something you are, rather than the other two factors: something you know (your PIN) or something you have (a credit card).

Examples of biometric identification come in the form of fingerprints, voice recognition or iris patterns. Obviously Apple’s Touch ID is a form of fingerprint identification in the new iPhone 5S. Fingerprint biometric systems are the most common biometric systems in place today. It appears the system Apple are using is a fingerprint scan system, which only stores sample points of the user's fingerprint. This is the right move from a security perspective as no one can re-create the fingerprint in its entirety.

Accuracy is critical to any biometric system. Another important factor is the system’s ability to detect or reject forged or counterfeit input data. False Reject Rate (FRR), or Type 1 error, and False Acceptance Rate (FAR), or Type 2 error, are common terms when dealing with the accuracy of a system. FRR is the % of authorised users to whom the system incorrectly denies access, while FAR is the % of unauthorised users to whom the system incorrectly grants access. Crossover Error Rate (CER) is the point at which FRR is equal to FAR.
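To make these three terms concrete, here is an added worked example (not part of the original post) that computes FRR and FAR at a given match threshold and locates the CER. The score lists are constructed sample data, and the 0-100 score scale and "accept at or above threshold" rule are assumptions, not details of any real product.

```python
# Constructed sample match scores (0-100, higher = closer match to the
# enrolled template). Illustrative values only, not measurements.
GENUINE = [91, 88, 76, 95, 69, 83, 58, 90, 72, 87]    # authorised users
IMPOSTOR = [12, 35, 48, 22, 61, 40, 55, 30, 71, 18]   # unauthorised users


def frr(genuine, threshold):
    """False Reject Rate (Type 1): % of genuine attempts scoring below threshold."""
    return 100.0 * sum(s < threshold for s in genuine) / len(genuine)


def far(impostor, threshold):
    """False Acceptance Rate (Type 2): % of impostor attempts at or above threshold."""
    return 100.0 * sum(s >= threshold for s in impostor) / len(impostor)


def crossover(genuine, impostor, thresholds=range(0, 101)):
    """Return (threshold, FRR, FAR) where FRR and FAR are closest: the CER point.

    Ties are broken in favour of the lowest threshold.
    """
    rows = ((t, frr(genuine, t), far(impostor, t)) for t in thresholds)
    return min(rows, key=lambda r: (abs(r[1] - r[2]), r[0]))


def lowest_zero_far_threshold(impostor, thresholds=range(0, 101)):
    """Lowest threshold at which no impostor attempt in the sample is accepted."""
    return next(t for t in thresholds if far(impostor, t) == 0.0)


if __name__ == "__main__":
    print("threshold  FRR%   FAR%")
    for t in (40, 50, 60, 62, 70, 72, 80):
        print(f"{t:9d}  {frr(GENUINE, t):5.1f}  {far(IMPOSTOR, t):5.1f}")
    t, r, a = crossover(GENUINE, IMPOSTOR)
    print(f"CER is {r:.1f}% at threshold {t}")
    z = lowest_zero_far_threshold(IMPOSTOR)
    print(f"FAR reaches 0% at threshold {z}, where FRR is {frr(GENUINE, z):.1f}%")
```

Raising the threshold until FAR reaches zero on this sample pushes FRR above the CER, which is the trade-off every biometric system has to tune.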

We should not be seeing any Type 2 errors on the new iPhone, as this would make Touch ID flawed. I applaud Apple for giving users the option to do away with a basic PIN or password. The password alone is coming to the end of its natural useful lifecycle. Time will tell if fingerprint authentication in mobile devices becomes more commonplace, but with many people storing vast amounts of personal data on their mobile devices it would seem like a sensible information security move.

Marcus Allen
Parker Management Consultants
