Lending a Hand
Palm reading, one of the most accurate forms of biometric identification, isn't just for psychics
- By Joel Hagberg
- Aug 01, 2008
It’s been clear for a long time now that user names
and passwords are simply not enough to ensure
secure authentication in enterprise applications.
Three years ago, IT research firm Gartner predicted
that 80 percent of IT organizations would
reach a password breaking point and start using
stronger authentication technology by 2007. Yet, here we
are with 2007 in the rear-view mirror, and most organizations
still continue to depend on passwords to guard their
most valuable data.
The ramifications of this lingering dependence on
passwords are significant. Every day, password-related
data breaches put organizations in harm’s way. The latest
high-profile debacle came to light in April, when the
mortgage firm LendingTree announced that several former
employees gave company passwords to outside
lenders who then had free rein to view LendingTree’s
customer files. The event not only undermined
LendingTree’s good name, but it also opened the company
up to a class-action lawsuit.
The unfortunate truth about the LendingTree situation
and many others like it is that if the company had chosen
a second form of authentication, the breach could have
been avoided altogether. So why is it taking so long for
enterprises to move beyond their singular dependence on
It is not for a lack of available authentication alternatives.
These days, there are many options available, most
notable among them being secure biometric technology.
Universally regarded as the most secure authentication
method, biometrics is based on who the person is rather
than what they know (as is the case with passwords) or
what they have (as is the case with USB tokens).
The challenge is that until now, many of the long-running
biometric offerings have failed to give the IT security world
the value, ease of use and ease of deployment needed to
influence operational efficiency and, ultimately, the bottom
line. And those that do meet
cost and ease-of-use requirements often suffer from slight
accuracy deficiencies, a risk many IT security managers
refuse to accept. But a new technology that reads the vein
patterns in a user’s palm could be the game-changing biometric
technology that finally convinces enterprises to
step forward and update their authentication processes.
This exciting new biometric category is poised to become
a major player in enterprise authentication as it meets the
current challenges facing the biometrics market.
One of the fundamental challenges with biometrics is that
it deals with the human body. Because of this, biometric
technology tends to be intrusive. Some people are not comfortable
providing a fingerprint or standing in front of a
device exposing their eyes to an unknown technology.
Additionally, because the human body and the nature of
biometrics that deal with physiological factors are so
unique, some biometric technologies statistically cannot be
applied to certain users. In fact, it is said that 2 to 8 percent
of the U.S. population cannot successfully interface with
today’s fingerprint technology. Some users’ fingerprints are
too thin, and others have been exposed to harsher elements,
causing the skin to become too worn or dry to be read accurately.
Even when a user can successfully interface, his
body is always subject to changes that the technology cannot
analyze. For example, some factors as simple as paper
cuts can throw off certain fingerprint biometric systems.
Another important issue is accuracy. Although biometrics
is known to be a very accurate method of identifying
people, no single biometric technology can guarantee 100
percent accuracy. Vendors are competing with one another
by attempting to get close to a 0 percent error rate for falsely
accepting or rejecting a user. Though fingerprint biometrics
is widely deployed, most of these technologies present
some accuracy issues.
In many cases, they may be good enough for certain
applications limited to personal use—for example, laptops
and PDAs. But other more critical enterprise applications
require more consistently accurate technologies, compared
to conventional fingerprint recognition or other biometric
techniques such as hand geometry comparisons or facial
recognition. Iris scanning technology is one of the most
accurate biometric technologies today, but it is not easy to
deploy. It’s also an intrusive technology to many people and
is cost-prohibitive to the average organization.
The final major stumbling block is ease of deployment.
In the biometrics field, some vendors only provide
sensors, some provide just the middleware and others only
software. This leads to an integration-intensive security
project for most IT departments, which want a product
that will work right out of the box and easily interface
with existing IT systems.
In recent years, palm vein pattern recognition technology,
also referred to as vascular recognition, has been refined
to meet all of these concerns. The underlying technology
of palm vein biometrics works by extracting the characteristics
of veins in the form of an image. The image is captured
by a high-performance sensor that maps the deoxygenated
hemoglobin running through someone’s veins.
Deoxygenated hemoglobin absorbs near infrared rays,
so a sensor emits these rays and captures an image based on
the reflection that comes back from the palm. As the hemoglobin
absorbs the rays, it creates a distortion in the reflected
light so the sensor can capture an image that accurately
records the unique vein patterns in a person’s hand. The
recorded image is then converted to a biometric template—
a numeric representation of several characteristics measured
from the captured image, including the proximity
between veins. This template is then compared against a
user’s palm scan each time he authenticates.
This technology is non-intrusive. There is no need to physically touch the sensor. All the user
does is hold a hand above the sensor for
less than a second.
The method also is highly accurate.
The International Biometrics Group,
which evaluates all types of biometrics
products through comparative testing,
found that palm vein technology was on
par with iris scan biometrics in accuracy
ratings and has better usability ratings.
Palm vein recognition showed extremely
low occurrences of both false positives
and false negatives.
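How false accepts and false rejects trade off against each other can be shown with a short calculation. The sketch below is an added illustration, not code from the article or from any vendor; it assumes a matcher that returns a similarity score between the enrolled template and a fresh scan, and every score in it is constructed sample data.

```python
"""False accept / false reject rates for a threshold-based biometric matcher.

Assumption: the matcher yields a similarity score in [0, 1] and accepts the
user when the score is at or above a threshold. All scores are constructed.
"""

# Constructed: same-person comparisons (these should be accepted).
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.93, 0.86, 0.97, 0.74, 0.90, 0.89]
# Constructed: different-person comparisons (these should be rejected).
IMPOSTOR = [0.12, 0.30, 0.22, 0.41, 0.18, 0.76, 0.35, 0.27, 0.09, 0.52]
# Candidate thresholds 0.00, 0.05, ..., 1.00.
THRESHOLDS = [i / 100 for i in range(0, 101, 5)]


def far(threshold, impostor=IMPOSTOR):
    """False accept rate: share of impostor comparisons that are accepted."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False reject rate: share of genuine comparisons that are rejected."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(thresholds=THRESHOLDS):
    """(threshold, FAR, FRR) for every candidate threshold."""
    return [(t, far(t), frr(t)) for t in thresholds]


def equal_error_point(thresholds=THRESHOLDS):
    """Threshold at which FAR and FRR are closest (approximate equal error rate)."""
    return min(sweep(thresholds), key=lambda row: abs(row[1] - row[2]))


def operating_point(max_far, thresholds=THRESHOLDS):
    """Lowest-FRR threshold whose FAR stays within max_far, or None if none does."""
    allowed = [row for row in sweep(thresholds) if row[1] <= max_far]
    return min(allowed, key=lambda row: (row[2], row[0])) if allowed else None


if __name__ == "__main__":
    for t, fa, fr in sweep():
        print(f"threshold={t:.2f}  FAR={fa:.0%}  FRR={fr:.0%}")
    print("equal error point:", equal_error_point())
    print("zero-false-accept point:", operating_point(max_far=0.0))
```

On this sample, insisting on zero false accepts doubles the false reject rate compared with the equal error point, which is the tension behind the accuracy claims vendors compete on.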
Palm vein recognition technology is
significantly less expensive than iris scanning
technology. In fact, the only biometric
solution less expensive than palm vein
authentication is fingerprint recognition.
The edge in savings is coupled with distinct
deployment advantages, as the most
robust palm vein authentication solutions
provide a full complement of hardware and
software necessary to implement manageable
deployments for most organizations.
Successful Case Studies
While significant research and lab testing
has been done to advance vascular recognition
technologies, the most telling sign that
palm vein technology is a viable solution is
its successful deployment in the field.
For more than three years, Bank of
Tokyo-Mitsubishi UFJ, Japan’s largest
bank and one of the 10 largest banks in the
world, has been using palm vein authentication
biometrics. The technology is rolled
out in one of the most demanding customer-
facing solutions, the ATM. Account
holders register their palms and receive a
smart card containing their vascular information.
Each time they access accounts
through an ATM, they must insert the card,
type a PIN and then hold a palm over the
sensor. These devices are installed in each
of the 5,000 Bank of Tokyo-Mitsubishi
UFJ branches across Japan.
The deployment affects more than 1
million people and has worked without
incident. This real-world rollout is
stronger evidence than lab-based studies
and confirms that the technology works
and can be easily accepted by end users.
Hospitals and healthcare providers are
rapidly adopting this technology as well.
Medical identity theft is a rising concern,
and hospitals around the world want to
provide customers with assurance that
they are protecting their medical identity. Not only does this kind of identity theft
cause financial problems for the victim,
but it also can be highly dangerous.
For example, Annedorie Sachs became
a medical identification theft victim when
a woman stole her driver’s license, gave
birth using her name and left her with
$10,000 in hospital fees. To make matters
worse, the woman abandoned the newborn
in the hospital, and the baby later tested
positive for methamphetamine. Afterward,
an agent from the Utah Division of Child
and Family Services notified Sachs that
the agency was already putting paperwork
together to take custody of Sachs’ four
children, then ages 2 to 7. In the end, the
false accusations were dropped, but Sachs’
medical records had been altered to
include the blood type of a complete
stranger. This put her at risk in future treatments
since she has a blood-clotting disorder.
If she is administered the wrong type
of blood, it could be fatal to her.
Clearly, patient identification relates
directly to patient safety, which is a No. 1
priority for hospitals. Carolinas
HealthCare System in Charlotte, N.C.,
sought a secure method of authentication.
The solution was a healthcare-centric
version of a palm vein-based solution that
allows Carolinas HealthCare System to
accurately identify patients and retrieve
their electronic medical records when
they check in, thereby eliminating potential
human error of pulling the wrong
record, and protecting patients from identity
“There is great importance in properly
identifying the patient,” said Dr. Rober
Ray, Carolinas HealthCare System chief
medical officer. “If there is a main benefit
from the system, it will be in helping us
avoid patient errors.”
Palm vein technology has proved to
be the best choice for the organization
due to its accuracy and usability, as well
as the contactless sensor—a critical feature
for maintaining a sanitary hospital
environment. Through the use of its
palm vein authentication solution,
Carolinas HealthCare System has managed
to achieve operational benefits.
The burden on staff during the registration
process has decreased dramatically
due to the speed of patient registration
using an automated system. Patients also
are happier knowing their medical information
Many other vertical markets can
benefit from palm vein recognition’s
accuracy, cost-effectiveness and usability.
Gaming and hospitality companies,
government organizations and secondary
education institutions are showing
interest and starting to invest in this
technology as well.
Such a secure biometric offering is
especially attractive to enterprises moving
toward identity management plans
that include single sign-on initiatives.
Though SSO solutions provide a more
efficient and convenient way to manage
passwords, they can represent a single
point of failure if front-end authentication
is not robust enough. By placing
palm vein biometrics in front of an SSO
system, organizations will be able to
affordably ensure the system’s security.
Until now, there has been no biometric
technology that can achieve the highest
levels of security and usability at a reasonable
cost. Palm vein recognition hits
that sweet spot of biometrics between
security, cost, accuracy and ease of use
that makes it an optimal physical and IT
access control solution for healthcare
organizations, financial services firms,
government agencies and other businesses
across the globe.
This article originally appeared in the August 2008 issue of Security Today.