Biometrics: primed for business use


Introduction

For the regular traveller, identity and security checks are becoming ever more intrusive. Walk through an airport today, and you are likely to be tracked by CCTV. That CCTV will be monitored by security officers, and may well use automated facial recognition to scan for terrorist suspects or smugglers. Hand your passport to the immigration officer, and he or she will check it and, quite possibly, the biometric details contained in a tiny microchip concealed in the cover. Alternatively, depending on the airport, you might walk through a gate controlled by iris scanners, or by facial recognition. At others, your photograph is taken before you head to security. Before stepping on the aircraft, the traveller might be subject to a full body scan, using millimeter wave technology, which delivers images leaving little to the imagination. And, at the end of the journey, the traveller might have their fingerprints scanned; this is already standard practice for visitors to the United States.

These measures have generated controversy, not least among privacy campaigners. But they are also changing the way many members of the public view biometric security.

As security measures generally become more stringent and more intrusive, biometrics can offer greater levels of assurance, as well as convenience. Irrefutable, or at least stronger, proofs of identity can reduce the need for the background checks and questioning that go hand in hand with biographical identification. It is increasingly common for organizations to position biometrics as a convenience, allowing for automated identity or credential checking which would simply not be secure enough with other forms of identification.

Stronger identity checks and the increased use of biometrics might be at their most visible in areas such as public transport and the criminal justice system, or for controlling access to critical infrastructure.
But the support for stronger identification is gaining ground in fields such as health care provision and financial services. Concerns about identity theft and related financial fraud remain high on the public agenda. Countering such threats means improving identity verification, or relying on less robust and possibly more inconvenient or intrusive antifraud measures. These measures include transaction pattern analysis or the need to attend a branch or medical facility in person, in order to prove identity or entitlement. Where an organization needs to prove someone's identity beyond reasonable doubt and at a manageable cost to itself and minimal inconvenience to the consumer, then biometrics provide an increasingly practical option.

Security and government drive biometric acceptance

The widespread use of biometrics for identity verification means overcoming a number of technical and practical hurdles; this applies equally to government-backed schemes and to the use of biometrics by business. However, partly as a result of heightened concerns about security, partly because of more effective and efficient biometric identification technologies, and partly because of the advent of national, biometric-backed identification and travel document schemes, the public is now more willing than ever to accept biometric IDs.

In the UK, for example, 56% of consumers are willing to provide biometric data for identity verification for retail or financial transactions. As many as 95% of Britons are prepared to use biometric identity information and are willing to use fingerprints when dealing with banks and government agencies, according to Unisys, the technology vendor. International data, also from Unisys, showed that acceptance of biometrics ranged from 50% in Germany to 66% in Australia. Again, fingerprints appear to be the most readily accepted biometric ID, proving more popular than facial scans or voice recordings but also more acceptable than PINs.
Passports and national ID cards that incorporate biometrics are bringing the technology to the attention of a much wider group. Government initiatives to persuade the public about the security benefits of biometrics, together with efforts to minimize the inconvenience of enrollment, have had an impact. Similarly, heightened public concerns over information theft and fraud have increased public awareness of, and the appetite for, stronger forms of authentication.

Biometric technologies have also improved rapidly as a result of investment made by public safety and security agencies. Read rates, false rejects and false acceptances have reduced significantly during the last five years, and biometrics seem largely to have shaken off their association with criminal justice.

Authors

Stephen Davies is a senior manager in the Advisory Practice, Ernst & Young, London, United Kingdom.

Seamus Reilly is a director in the IT Risk and Assurance Practice, Ernst & Young, London, United Kingdom.

Importantly for business users, the economies of scale of biometric technologies have changed for the better. The large orders placed by governments for national ID and travel document schemes have driven down costs and brought technology that was once limited to niche applications into the mainstream. One example is the move by agencies such as the US Department of Homeland Security to scan multiple fingers of arriving visitors. This improves both accuracy and speed of entry, compared with the previous single-finger scans. Such technologies were initially too expensive for large-scale deployment.

Organizations that have implemented biometric security measures have also learned from their experience. Not only are biometric sensors more accurate, but experience from the early projects and trials has shown the importance of robust and reliable procedures for handling citizens or customers who fail the biometric tests. Concerns, expressed by some privacy groups, that biometric controls would unfairly lock out genuine service users or customers have not so far proved to be a major stumbling block, although it is essential that any organization has adequate fall-back systems, both for verifying the identity of those whose biometrics are not recognized or cannot be recorded, and for allowing identity verification in the event of a systems failure.

These developments present an opportunity to businesses: to make use of biometric identity technologies to improve the accuracy of customer identification, to reduce the inconvenience of the checks and verification processes associated with accessing services, and to strengthen the security of critical processes and business systems.

The business case for biometrics

Building a business case for a biometric identity system is necessarily industry specific. In government and national ID card deployments, improved security is often the primary driver.
In other areas such as proving entitlement to health or social services, or benefits, fraud reductions can provide a financial payback. In Australia, the business case underpinning the Department of Human Services Access Card initiative estimates that fraud savings could range from AU$1.6 billion to AU$3 billion over a 10-year period.

In the private sector, the largest potential application for biometric identification is in financial services. Financial services firms need to deter and reduce fraud, and biometrics offer a practical way to do this. Financial services organizations are governed by increasingly strict rules on money laundering. This requires the industry to ensure robust identity verification of customers. Biometrics could well have a role to play, especially if banks and other financial services firms could access national biometric identification documents, perhaps as part of a federated model of biometric identification.

Identity fraud prevention could prove to be a strong driver for biometrics, as it impacts the bottom line of consumer-facing companies, not just in finance, but also in retail. Estimates of the cost of identity fraud in the US range from US$5 billion to over US$50 billion a year. In the UK, the Government has estimated the total cost to be over £1.7 billion a year.

Finance companies are already looking at the feasibility of replacing or supplementing biographical identity documents such as passports or birth certificates with biometrics for identity checks. The measures would largely improve security for existing processes, rather than require the creation of an entirely new identification infrastructure. For example, a customer with a validated biometric identity might need to present fewer documents in order to open an account, or open an account more quickly as the bank will need to carry out fewer checks. Banks and financial services firms could roll out biometric authentication for higher-risk transactions at first.
They might also offer the technology as an additional assurance measure for high net worth account holders, as some banks have already done with CAP (Chip Authentication Program) verification for account access. The use of biometrics as an additional method of authentication, for example, for high-value transactions, could also help to reduce transaction losses, if some of the practical hurdles can be overcome. Public concerns about identity theft, as well as the indirect costs of online fraud to the consumer, are making biometric verification more acceptable.

Businesses are also examining some of the ways in which biometric authentication can be used to secure access to confidential data or sensitive systems. Biometrics can be used to replace passwords or tokens for users who need to log in to software applications, or access secure areas such as data centers or trading rooms. The owners of sites that represent critical national infrastructure such as power stations, chemical plants, oil rigs and airports are already using biometric authentication, as are some medical facilities and prisons. Safety-critical industries, in particular, are early adopters of biometrics.

The travel and transportation industries have also had early success with voluntary biometric systems, such as Privium in the Netherlands and IRIS in the UK. These systems allow enrolled members of the public to use automated, fast-track lines avoiding queues. The technology appeals to frequent travellers, who value the convenience.

For more general use of biometrics for day-to-day transaction authentication and identity management, public acceptance levels may still be too low to support widespread deployments. However, such acceptance might be as little as three to five years away. For businesses to be positioned to exploit the technology, they need to establish their approach to biometric authentication now.

Deploying biometrics in practice

Although public acceptance of biometrics is growing, deploying biometric identification and authentication in the private sector poses a number of challenges. These can range from the issues affecting government deployment to those related to travel documentation and security.
A number of early biometric authentication trials in banking, retail and travel have failed to meet expectations, typically because too many genuine users were rejected, because the cost of enrolling customers and deploying the systems was higher than expected, because of reliability issues, or because consumer take-up and acceptance was low.

Concerns about privacy have led to campaigns against biometrics by both consumer and privacy groups. There has also been negative press coverage. Suggestions that biometric identity data could be hacked, cloned or intercepted have also raised questions about the appropriateness of the technology.

Technology has overcome some of the early problems that were experienced. In the case of travel documents, such as biometric passports, facial recognition is based on the holder's photograph. This removes the need for the individual to attend an enrollment session in person, as is the case with systems such as IRIS. Better and more accurate scanners are improving pass rates. The introduction of stronger encryption, as well as an understanding that full biometric data does not need to be held on systems or transmitted if the technology is implemented correctly, have addressed some of the main fraud and security concerns.

However, it is essential for any organization planning to use biometric technology to select the correct biometric identifier for each situation. Face recognition can be unobtrusive and carried out through CCTV, but the false reject rate can be as high as 15% to 20%. Fingerprint recognition, which requires the individual to stop and be scanned, can have false reject rates (where a genuine identity holder is barred) which are as low as 0.01%. A fingerprint test might be appropriate for opening a bank account or authenticating a transaction, whereas CCTV-based facial recognition has tended to be used so far to identify suspects, rather than to allow entry to a facility.

Businesses looking to implement biometrics need to appreciate that a biometric authentication is a probability-based solution, not a binary pass or fail. No biometric system can be right every time. Organizations need to find their own balance for rates of acceptance and rejection: increasing acceptance rates may well increase the likelihood of a false result. What will drive finding this balance will be the organization's own score rates for acceptance and rejection, based on the technology they are using, the level of importance of the transaction or business process, and the other authentication options available. Biometric identification must be managed appropriately with respect to the business process.

The security of biometric information is also critical. In all biometrics, an identity consists of a template or information, the key, which is compared with a database.
Any biometric information is likely to be addressed by privacy regulations and should be treated as personal information, with agreed usage, collection and retention processes in place. Businesses must implement safeguards to ensure that the data is kept private and protected as far as possible from interception or tampering. If biometric identity information is not needed once authentication has taken place, it must be discarded.

An organization that is planning to implement a biometric system should also pay close attention to enrollment. The biometric authentication chain is only as strong as the enrollment process: if identity thieves or other criminals can use false documents to create a false biometric ID, it can be very hard to repudiate that identity later. In closed environments where individuals are known and trusted, such as for access to part of a site or to an IT system, enrollment might be possible based on existing HR and management records. For public systems, so-called footprint checks need to be done with care to ensure the person enrolling is who they say they are and can provide appropriate evidence. The thinking around how such checks might be applied to commercial biometric systems is still developing.

Hand in hand with enrollment is the issue of federation. Other two-factor authentication systems, such as tokens and CAP in banking, have been hampered by the inconvenience for customers of having to hold multiple identity devices. If consumers are required to enroll in multiple biometric identity schemes run by differing service providers, take-up will remain low and businesses will not see the security benefits or scale economies. Therefore, the federation of biometric identity between service providers in a sector, or between the private sector and government, is essential for large-scale adoption.
At the same time, individuals should only be asked to supply the minimum amount of information necessary, and identity information should be held in as few places as possible. Businesses also need to ensure that any biometrics they use fit in with the relevant national legislative framework, as well as taking into account any local cultural issues; in some countries, for example, separate scanning lanes might be needed for male and female customers. Above all, organizations need to understand that biometrics, although attractive, are not an end in themselves. The technology needs to be part of an overall response to risk management.
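The balance between acceptance and rejection rates discussed in this section, as an added example that is not part of the original article: the script computes false reject and false accept rates from match scores and, for each risk tier, picks the lowest threshold that keeps false accepts within the tier's cap. The scores, tier names and caps are constructed assumptions, not measurements from any real system.

```python
"""Threshold selection for a biometric matcher from constructed score samples."""

# Constructed similarity scores in [0, 1]; higher means a closer match.
# GENUINE: the enrolled person presenting. IMPOSTOR: someone else presenting.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.97, 0.73, 0.90, 0.86, 0.93,
           0.68, 0.89, 0.92, 0.81, 0.96, 0.87, 0.77, 0.94, 0.85, 0.62]
IMPOSTOR = [0.12, 0.35, 0.22, 0.41, 0.18, 0.55, 0.30, 0.66, 0.27, 0.48,
            0.09, 0.38, 0.71, 0.25, 0.44, 0.15, 0.52, 0.33, 0.60, 0.80]

# Hypothetical risk tiers: the highest false accept rate each process tolerates.
RISK_TIERS = {"site_entry": 0.10, "account_login": 0.05, "high_value_payment": 0.0}


def rates(threshold, genuine, impostor):
    """Return (false_reject_rate, false_accept_rate) when score >= threshold passes."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def pick_threshold(max_far, genuine, impostor):
    """Return (threshold, frr, far) for the lowest threshold with far <= max_far.

    FAR only falls and FRR only rises as the threshold goes up, so the first
    candidate that meets the cap is also the one with the fewest false rejects.
    """
    if max_far < 0:
        raise ValueError("max_far must be >= 0")
    # Only observed scores can change the counts; 1.01 rejects every sample,
    # which guarantees a result even when the cap is zero.
    for t in sorted(set(genuine) | set(impostor) | {1.01}):
        frr, far = rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr, far


def build_policy(genuine, impostor, tiers=RISK_TIERS):
    """Map each risk tier to its (threshold, frr, far) operating point."""
    return {name: pick_threshold(cap, genuine, impostor) for name, cap in tiers.items()}


def decide(score, tier, policy):
    """Accept the match, or route the user to a fall-back identity check."""
    threshold = policy[tier][0]
    return "accept" if score >= threshold else "fallback"


if __name__ == "__main__":
    policy = build_policy(GENUINE, IMPOSTOR)
    for tier, (t, frr, far) in policy.items():
        print(f"{tier:20s} threshold={t:.2f}  FRR={frr:.0%}  FAR={far:.0%}")
    # The same score passes a low-risk check but needs fall-back at high risk.
    for tier in policy:
        print(f"score 0.79 at {tier}: {decide(0.79, tier, policy)}")
```

On this sample, tightening the false accept cap from 10% to 0% raises the false reject rate from 5% to 25%, which is why the rejected-user fall-back path has to be sized together with the threshold.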

Conclusions

Biometrics are already being used successfully across a number of sectors, including national identities, travel documentation, transport and safety-critical industries. Business should be actively exploring this technology now and looking for ways to utilize it to reduce risk, but at the same time, to bring process efficiencies and benefits to customers in terms of better security and reduced inconvenience. Financial services organizations, in particular, should be looking at the opportunity to use biometric technology in the short to medium term as a way to reduce losses due to identity theft in high-value transactions.

In the longer term, as consumer confidence in biometrics increases, more opportunities are likely to emerge for industry-centric or government-enabled biometric schemes. Most of all, businesses need to monitor the technology actively and consider not only how it can be used to improve security today, but also how it can bring competitive advantage in the near future (see Figure 1).

In each case, whether the biometric identification is interoperable or federated, the consumer should not have to give their biometric details to multiple providers. Doing so drives up costs, and causes increased privacy and security risks. Instead, businesses should be working with the vendors, industry regulators and governments to build a federated interoperability model for biometric identification.

Figure 1. The three models of biometrics

The majority of large-scale biometric deployments fall under one of three categories, depending on their scale and scope.

Industry-centric programs: The large-scale adoption of biometrics in the private sector is likely to involve industry cooperation. For example, deploying biometrics instead of, or as well as, a PIN when presenting a credit card would require collaboration from retailers, card manufacturers and financial service providers.

Government-enabled programs: The widespread rollout of national biometric schemes, for example, for national identity cards, offers an opportunity for cooperation between industries and governments on the delivery of biometric services. Governments would provide the frameworks for the schemes, as has happened in the UK with the Automated Clearance System developed jointly with BAA.

Organization-specific programs: Some organizations will develop their own solutions, particularly for providing access control for employees to critical or secure areas of premises. But organization-specific programs can also be used to verify potential high-value (or high-risk) transactions within a defined customer base, or to meet particular national or international legislative requirements.

Source: Ernst & Young analysis