ID Cards Get a Touch-Up
Biometrics technology has its place in the identification world, though it does not spell the end of ID cards
- By John Ekers
- Aug 03, 2006
Ten years ago, the use of biometrics for identifying people was seen only in the movies -- too advanced for the real world. Today, TV shows and movies such as Las Vegas, The West Wing and X-Men show just how common the technology has become, employing some form of biometrics in their plots.
The International Biometric Group estimates that biometric revenues for 2006 will be $2.1 billion, with growth estimated to be as high as $5.7 billion in 2007. This growth is visible at the government, corporate and even consumer level. Last year, a Minnesota-based grocery chain, Cub Foods, launched a payment system that allows customers to pay for their groceries using a finger scan linked to their financial accounts.
It's clear that biometrics will continue to play a leading role in ongoing efforts to improve security credentials. But does the proliferation of biometric technology spell the end of ID cards? In other words, if you have 10 fingers, a hand or an iris to scan, do you still need to carry an ID card?
For privacy and security reasons, the answer is yes. Biometrics offer a way to enhance the security of a card-based security program, not replace it. They are an additional factor in authenticating a card holder.
Verifying a card holder's identity can be done using one, two or three independent criteria for authentication.
Authentication factors are generally recognized as:
1. Something you know, such as a password.
2. Something you have, such as an ID card.
3. Something you are, such as a fingerprint, handprint, iris scan, voice pattern or other biometric.
The more factors involved in the identification of a card holder, the more accurate the verification is. Anyone who has used an ATM understands this concept. You slide your card through (something you have), enter your PIN (something you know), and are authorized to complete your banking transactions. Adding a biometric factor to this kind of authentication adds another level of security. Biometrics can turn a weak authentication protocol into a strong one by adding a true personal identifier.
Match-On-Card Technology
So why not use a biometric with a PIN, without a card? The answer lies in Match on Card biometrics. A Match on Card authentication program holds the biometric template on a secure smart card, rather than on a server or computer. To enroll a card holder, a biometric, such as a fingerprint, is taken and stored on the smart chip. The template is then compared to a live biometric sample whenever the card holder requests access or privileges.
When a card holder needs to be verified, he presents his smart card to the access control device, then puts his fingerprint on the reader. The smart card's processor compares the two fingerprints to verify a match. Based on the match, the smart card makes the decision to deny or grant access.
Match on Card matches a live biometric sample to a biometric template on a smart card. The alternative, a one-to-many platform, means the biometric template is stored on a network, or in a database, rather than on a card. The FBI, for instance, has a one-to-many platform in its automatic fingerprint identification system. It contains 46 million computerized fingerprint records in its fast, highly secure system.
However, most civilian applications don't have the funds or expertise to set up a system on par with the FBI. When a biometric is stored on a network, it's out of the hands of the individual and is potentially available to anyone with access to the network. The recent loss of sensitive information on more than 26 million U.S. veterans and their families exposes how critical it is to retain individual control over personal data.
By matching the live biometric sample to the one stored on a smart card, additional benefits are gained:
Privacy. The biometric is locked on the card, not stored in a database or a network. Individual card holders control their biometric at all times. It is not released into a potentially non-secure environment such as a network or PC.
Security. The biometric data never leaves the card. At the point of access, the biometrics from both the card and the reader are read, but not stored. Plus, there is no identification of the card holder as the biometric comparison takes place. Access is granted by a match of two biometrics; the card holder's identity is not involved.
Speed. Generally, Match on Card is a faster alternative. When the fingerprint is stored on a central server instead of a card, the system has to look through all the different fingerprints on file to find a match. A one-to-one match saves time.
Integration. Since the match is done at the point of access, it's easier and less expensive to install a Match on Card system into an existing infrastructure. It also requires less memory usage.
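A toy model of the two designs compared above, added here as an illustration and not taken from the article or from any vendor's product. Templates are random 256-bit values compared by Hamming distance rather than a real fingerprint algorithm, and `SmartCard`, `CentralDatabase`, the threshold and all sample data are constructed assumptions.

```python
import random

TEMPLATE_BITS = 256    # assumed size of the toy template
MATCH_THRESHOLD = 40   # assumed: max differing bits still accepted as a match

def hamming(a, b):
    """Toy matcher: number of differing bits between two templates."""
    return bin(a ^ b).count("1")

class SmartCard:
    """Match on Card: template stays private; only accept/deny comes out."""
    def __init__(self, template):
        self.__template = template      # written once at enrollment
        self.comparisons = 0
    def verify(self, live_sample):
        self.comparisons += 1           # always exactly one 1:1 comparison
        return hamming(self.__template, live_sample) <= MATCH_THRESHOLD

class CentralDatabase:
    """One-to-many: every template sits on the server, keyed by identity."""
    def __init__(self):
        self.records = {}
    def enroll(self, person_id, template):
        self.records[person_id] = template
    def identify(self, live_sample):
        comparisons = 0
        for person_id, template in self.records.items():
            comparisons += 1
            if hamming(template, live_sample) <= MATCH_THRESHOLD:
                return person_id, comparisons
        return None, comparisons

def demo(population=1000):
    rng = random.Random(2006)           # fixed seed: constructed, repeatable data
    templates = [rng.getrandbits(TEMPLATE_BITS) for _ in range(population)]
    db = CentralDatabase()
    for i, t in enumerate(templates):
        db.enroll(f"holder-{i}", t)
    enrolled = templates[-1]            # last record: worst case for the scan
    card = SmartCard(enrolled)
    live = enrolled ^ 0b1111111111      # same finger, 10 bits of sensor noise
    impostor = rng.getrandbits(TEMPLATE_BITS)
    identity, db_comparisons = db.identify(live)
    return {
        "card_accepts_holder": card.verify(live),
        "card_accepts_impostor": card.verify(impostor),
        "card_comparisons_per_check": card.comparisons // 2,
        "db_identity_revealed": identity,
        "db_comparisons": db_comparisons,
        "templates_exposed_if_server_breached": len(db.records),
    }
```

The card answers with a bare accept or deny after one comparison, while the database lookup scans its records, returns an identity and keeps every enrolled template in one place.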
Card Security
Should card security be a concern? Some fear that walk-by hackers may be able to skim data off a card containing biometrics or other personal identifiers, but this is a misconception. Even so, new technologies are available that shunt or block RFID transmissions, rendering a card completely disabled.
Other Considerations
Despite the advantages of biometrics, there are other, more practical reasons why they won't replace ID cards in the near future. In the United States, magnetic stripe and proximity cards still dominate the identification market. Until the need for security, privacy or efficiency pushes the market to full adoption of smart cards, biometrics as a means of identification will advance slowly.
In addition, an ID card generally contains the card holder's photo. This simple visual identification is important when electronic systems fail or when disaster hits. At the scene of a fire, a chemical spill or a terrorist attack, there may not be time or technology available to support an electronic identification of response workers. Visual identification -- matching a card to a face -- may be the only way to monitor whether a utility worker, telecom worker or medical professional is authorized to enter the disaster area.
Biometrics provide a clear path to significantly improving the authenticity of identity credentials. At their best, they will enhance the existing authentication factors to keep sensitive personal data protected.