Lending a Hand

Palm reading, one of the most accurate forms of biometric identification, isn't just for psychics

It’s been clear for a long time now that user names and passwords are simply not enough to ensure secure authentication in enterprise applications. Three years ago, IT research firm Gartner predicted that 80 percent of IT organizations would reach a password breaking point and start using stronger authentication technology by 2007. Yet, here we are with 2007 in the rear-view mirror, and most organizations still continue to depend on passwords to guard their most valuable data.

The ramifications of this lingering dependence on passwords are significant. Every day, password-related data breaches put organizations in harm’s way. The latest high-profile debacle came to light in April, when the mortgage firm LendingTree announced that several former employees gave company passwords to outside lenders who then had free reign to view LendingTree’s customer files. The event not only undermined LendingTree’s good name, but it also opened the company up to a class-action lawsuit.

The unfortunate truth about the LendingTree situation and many others like it is that if the company had chosen a second form of authentication, the breach could have been avoided altogether. So why is it taking so long for enterprises to move beyond their singular dependence on passwords?

It is not for a lack of available authentication alternatives. These days, there are many options available, most notable among them being secure biometric technology. Universally regarded as the most secure authentication method, biometrics is based on who the person is rather than what they know—as is the case with passwords—or what they have—the identifier with USB tokens.

The challenge is that until now, many of the long-running biometric offerings have failed to successfully benefit the IT security world from their value, ease of use and ease of deployment to influence operational efficiency, and ultimately the bottom line. And those that do meet cost and ease-of-use requirements often suffer from slight accuracy deficiencies, a risk many IT security managers refuse to accept. But a new technology that reads the vein patterns in a user’s palm could be the game-changing biometric technology that finally convinces enterprises to step forward and update their authentication processes. This exciting new biometric category is poised to become a major player in enterprise authentication as it meets the current challenges facing the biometrics market.

Biometrics Challenges
One of the fundamental challenges with biometrics is that it deals with the human body. Because of this, biometric technology tends to be intrusive. Some people are not comfortable providing a fingerprint or standing in front of a device exposing their eyes to an unknown technology.

Additionally, because the human body and the nature of biometrics that deal with physiological factors are so unique, some biometric technologies statistically cannot be applied to certain users. In fact, it is said that 2 to 8 percent of the U.S. population cannot successfully interface with today’s fingerprint technology. Some users’ fingerprints are too thin, and others have been exposed to harsher elements, causing the skin to become too worn or dry to be read accurately. Even when a user can successfully interface, his body is always subject to changes that the technology cannot analyze. For example, some factors as simple as paper cuts can throw off certain fingerprint biometric systems.

Another important issue is accuracy. Although biometrics is known to be a very accurate method of identifying people, no single biometric technology can guarantee 100 percent accuracy. Vendors are competing with one another by attempting to get close to a 0 percent error rate for falsely accepting or rejecting a user. Though fingerprint biometrics is widely deployed, most of these technologies present some accuracy issues.

In many cases, they may be good enough for certain applications limited to personal use—for example, laptops and PDAs. But other more critical enterprise applications require more consistently accurate technologies, compared to conventional fingerprint recognition or other biometric techniques such as hand geometry comparisons or facial recognition. Iris scanning technology is one of the most accurate biometric technologies today, but it is not easy to deploy. It’s also an intrusive technology to many people and is cost-prohibitive to the average organization.

The final major stumbling block is ease of deployment. In the biometrics field, some vendors only provide sensors, some provide just the middleware and others only software. This leads to an integration-intensive security project for most IT departments, which want a product that will work right out of the box and easily interface with existing IT systems.

Vascular Recognition
In recent years, palm vein pattern recognition technology, also referred to as vascular recognition, has been refined to meet all of these concerns. The underlying technology of palm vein biometrics works by extracting the characteristics of veins in the form of an image. The image is captured by a high-performance sensor that maps the deoxygenated hemoglobin running through someone’s veins.

Deoxygenated hemoglobin absorbs near infrared rays, so a sensor emits these rays and captures an image based on the reflection that comes back from the palm. As the hemoglobin absorbs the rays, it creates a distortion in the reflection light so the sensor can capture an image that accurately records the unique vein patterns in a person’s hand. The recorded image is then converted to a biometric template— a numeric representation of several characteristics measured from the captured image, including the proximity between veins. This template is then compared against a user’s palm scan each time he authenticates.

This technology is non-intrusive. There is no need to physically touch the sensor. All the user does is hold a hand above the sensor for less than a second.

The method also is highly accurate. The International Biometrics Group, which evaluates all types of biometrics products through comparative testing, found that palm vein technology was on par with iris scan biometrics in accuracy ratings and has better usability ratings. Palm vein recognition showed extremely low occurrences of both false positives and false negatives.

Palm vein recognition technology is significantly less expensive than iris scanning technology. In fact, the only biometric solution less expensive than palm vein authentication is fingerprint recognition. The edge in savings is coupled with distinct deployment advantages, as the most robust palm vein authentication solutions provide a full complement of hardware and software necessary to implement manageable deployments for most organizations.

Successful Case Studies
While significant research and lab testing has been done to advance vascular recognition technologies, the most telling sign that palm vein technology is a viable solution is its successful deployment in the field.

For more than three years, Bank of Tokyo-Mitsubishi UFJ, Japan’s largest bank and one of the 10 largest banks in the world, has been using palm vein authentication biometrics. The technology is rolled out in one of the most demanding customer- facing solutions, the ATM. Account holders register their palms and receive a smart card containing their vascular information. Each time they access accounts through an ATM, they must insert the card, type a PIN and then hold a palm over the sensor. These devices are installed in each of the 5,000 Bank of Tokyo-Mitsubishi UFJ branches across Japan.

The deployment affects more than 1 million people and has worked without incident. This real-world rollout is stronger evidence than lab-based studies and confirms that the technology works and can be easily accepted by end users.

Hospitals and healthcare providers are rapidly adopting this technology as well. Medical identity theft is a rising concern, and hospitals around the world want to provide customers with assurance that they are protecting their medical identity.Not only does this kind of identity theft cause financial problems for the victim, but it also can be highly dangerous.

For example, Annedorie Sachs became a medical identification theft victim when a woman stole her driver’s license, gave birth using her name and left her with $10,000 in hospital fees. To make matters worse, the woman abandoned the newborn in the hospital, and the baby later tested positive for methamphetamine. Afterward, an agent from the Utah Division of Child and Family Services notified Sachs that the agency was already putting paperwork together to take custody of Sachs’ four children, then ages 2 to 7. In the end, the false accusations were dropped, but Sachs’ medical records had been altered to include the blood type of a complete stranger. This put her at risk in future treatments since she has a blood-clotting disorder. If she is administered the wrong type of blood, it could be fatal to her.

Clearly, patient identification relates directly to patient safety, which is a No. 1 priority for hospitals. Carolinas HealthCare System in Charlotte, N.C., sought a secure method of authentication. The solution was a healthcare-centric version of a palm vein-based solution that allows Carolinas HealthCare System to accurately identify patients and retrieve their electronic medical records when they check in, thereby eliminating potential human error of pulling the wrong record, and protecting patients from identity theft attempts.

“There is great importance in properly identifying the patient,” said Dr. Rober Ray, Carolinas HealthCare System chief medical officer. “If there is a main benefit from the system, it will be in helping us avoid patient errors.”

Palm vein technology has proved to be the best choice for the organization due to its accuracy and usability, as well as the contactless sensor—a critical feature for maintaining a sanitary hospital environment. Through the use of its palm vein authentication solution, Carolinas HealthCare System has managed to achieve operational benefits. The burden on staff during the registration process has decreased dramatically due to the speed of patient registration using an automated system. Patients also are happier knowing their medical information is secure.

Many other vertical markets can benefit from palm vein recognition’s accuracy, cost-effectiveness and usability. Gaming and hospitality companies, government organizations and secondary education institutions are showing interest and starting to invest in this technology as well.

Such a secure biometric offering is especially attractive to enterprises moving toward identity management plans that include single sign-on initiatives. Though SSO solutions provide a more efficient and convenient way to manage passwords, they can represent a single point of failure if front-end authentication is not robust enough. By placing palm vein biometrics in front of an SSO system, organizations will be able to affordably ensure the system’s security.

Until now, there has been no biometric technology that can achieve the highest levels of security and usability at a reasonable cost. Palm vein recognition hits that sweet spot of biometrics between security, cost, accuracy and ease of use that makes it an optimal physical and IT access control solution for healthcare organizations, financial services firms, government agencies and other businesses across the globe.

This article originally appeared in the issue of .

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3