So who are you? Really?

Ensuring that the people that access facilities, secure rooms and even servers, are, in fact, who they claim to be can be tricky. To help with this, security administrators often turn to biometric authentication as a method of determining if the person requesting access is indeed who they claim to be. We generally have three (or four depending on whom you ask) methods of authenticating a person entering a facility or accessing a sensitive system:

  1. What you know: Basically something that the individual remembers that will identify them as who they are. Common examples are username and password.

  2. What you have: Usually this comes in the form of a smart card, a physical token or some other physical item. Our society is quite used to a combination of "what you know" and "what you have" with the use of bank/ATM cards and PIN numbers.

  3. What you are: Biometrics is usually associated with this. Authenicators ranging from fingerprints to signatures are placed in this category. Sometimes "dynamic biometrics" (things that change over time) are also catagorized as "what you do". Our common static biometrics are found with fingerprints, hand geometry, facial recognition, iris scan, etc. Voice recognition, typing style, signature analysis and the like are usually called dynamic biometrics.
While the first two methods of authentication are common, they can be easily circumvented. Passwords are forgotten and thus we see the cultivation of "sticky note gardens" around users' desks. Cards and tokens are sometimes lost. The combination of two or more authentication methods does provide for better security and better identification. Or does it?

When we consider the first two options, all we really know is that someone has the username/password and/or someone has the smart card. That doesn't mean it is, in fact, the person we expect it to be. So what if we threw biometrics into the mix?

Biometrics certainly offer a far easier method of identification, are "truer" at identifying the specific individual, don't require taxing your memory (watch those sticky gardens vanish!) and are easier to carry (you're less likely to forget your fingers than the smart card you need). But like everything, there is a downside.

We often associate some of those "downsides" to what Hollywood presents to us. Visions of James Bond, Tom Cruise in "Minority Report" or the ominous "Gatica" give us nightmares about the invasions of privacy (will the company find out about what "diseases" I might have?), "Big Brother" watching us, the ability to "cutoff" some body part to gain access or catching some transmitted disease through contact with a biometric device.

We can also add the hypothetical situation of persons getting injured (in some way altering one's physical characteristics) and being misidentified. Imagine that the gash you suffered earlier in the day resulted in getting you locked out of your house, car, office or computer. Talk about adding insult to injury.

Certainly these are concerns and some are valid, but they aren't true of all biometrics.

I recently got to see one specific biometric security device that bypasses most of these concerns and yet, can truly provide proof of being a secure method of authentication.

Eye scans, retina specifically, are usually considered an intrusive form of biometric authentication. We see the "vacuum" cup go around the eye and scan the retina for specific patterns that match to an individual. This cup is often what turns off most employees and the general public. Iris scans, however, allow for eyes to be scanned without ever touching the eye.

Iridian Technologies, out of New Jersey, holds many of the core patents to iris scanning biometrics. And the technology is indeed impressive.

Page 2: The Tech Behind an Iris Scan and Its Applications