Future Security Approaches and Biometrics

Communications of the Association for Information Systems Volume 16 Article 48 December 2005 Future Security Approaches and Biometrics Serguei Boukhonine University of Houston, Vlad Krotov University of Houston, Barry Rupert University of Houston, Follow this and additional works at: https://aisel.aisnet.org/cais Recommended Citation Boukhonine, Serguei; Krotov, Vlad; and Rupert, Barry (2005) "Future Security Approaches and Biometrics," Communications of the Association for Information Systems: Vol. 16 , Article 48. DOI: 10.17705/1CAIS.01648 Available at: https://aisel.aisnet.org/cais/vol16/iss1/48 This material is brought to you by the AIS Journals at AIS Electronic Library (AISeL). It has been accepted for inclusion in Communications of the Association for Information Systems by an authorized administrator of AIS Electronic Library (AISeL). For more information, please contact . Communications of the Association for Information Systems (Volume 16, 2005) 937- 966 937 FUTURE SECURITY APPROACHES AND BIOMETRICS Serguei Boukhonine Vlad Krotov Barry Rupert University of Houston ABSTRACT Threats to information security are proliferating rapidly, placing demanding requirements on protecting tangible and intangible business and individual assets. Biometrics can improve security by replacing or complementing traditional security technologies. This tutorial discusses the strengths and weaknesses of biometrics and traditional security approaches, current and future applications of biometrics, performance evaluation measures of biometric systems, and privacy issues surrounding the new technology. Keywords: biometrics, computer security, information security, privacy I. INTRODUCTION The idea behind biometrics is not new. Even in ancient Egypt administrative workers used unique body characteristics to identify construction workers and ensure a fair distribution of food. Ashbourn [2000] relates a story about Khasekem, an administrator under the Pharaoh Khaefre, who was responsible for distributing food among construction workers. When giving out food allowances to the craftsmen, he discovered that some of them would attempt to receive their food allowance twice. To prevent future cases of fraud, Khasekem decided to create a profile for each of the construction workers. Besides such basic information as name, age, place of origin, and occupation, each profile included some of the unique physical and behavioral characteristics of the worker. Without the benefit of today’s computing power, Khasekem managed to employ biometrics to eliminate what we now call double dipping. Closer to modern times, Frenchman Alphonse Bertillon proposed a methodology for identifying criminals by anatomical measurements. This methodology, called judicial anthropometry, became popular in Europe and the U.S. In 1823, the research of the Czech Jan Evangelista Purkinje forced the scientific community to accept the idea that fingerprints are unique for each individual. The scientific thinking which emerged during the nineteenth century allowed for the development of real-world applications of fingerprint technology in the beginning of the twentieth century. In 1901 Scotland Yard became the first police force to adopt a fingerprinting system. Fingerprinting technology, now used throughout the world, is the best known example of biometrics. Other types of biometrics were not widely used until the end of the twentieth century when computers and other technologies made new approaches possible. Future Security Approaches and Biometrics by S. Bourkhonine, V. Krotov, and B. Rupert 938 Communications of the Association for Information Systems (Volume 16, 2005) 937- 966 The tragic events of 9/11 created a new wave of interest in biometrics in the United States and other countries. This revived interest can be attributed to the potential for computer-powered biometric technologies to bring national security to a higher level of effectiveness. In June 2004, The Department of Homeland Security awarded a multi-billion dollar contract for the US-VISIT project to Accenture [eWeek, 2004]. The US-VISIT project involves developing a computer system that uses fingerprints and face recognition to track millions of visitors to the United States. Michael Chertoff, the Secretary of Homeland Security, says that the primary reason behind using biometrics for tighter boarder control is that traditional security approaches do not provide an adequate level of security [Long, 2005]. For Chertoff, “in the area of international travel, biometrics is the way forward in virtually every respect” [Long, 2005]. The UK Passport Service (UKPS) in partnership with several governmental bodies and Atos Origin, a consulting firm, is working on introducing national identity cards (passports) with biometrics features [UKPS, 2005]. A number of other countries are either piloting or planning to introduce National ID cards with biometric security features [Nanavati et al., 2002]. Endorsements of biometric technology by influential organizations, as well as extensive coverage of the technology by the mass-media, may create an impression that biometrics is totally replacing old approaches to security. This is not true, at least at this stage of development of the technology. For biometrics to become commonplace, the technology must be reliable, inexpensive, easy to use, deployable in a variety of environments, and non-invasive. Moreover, the end users of biometric solutions must be educated about the technology and comfortable with the privacy implications of the technology. A decision to implement biometric security systems must be based on thorough comparative evaluation of biometrics in relation to traditional security approaches. To perform an evaluation, both the basic operating principles of the various biometric solutions and their strengths and weaknesses must be understood. Privacy implications of biometrics are also important when deploying biometric solutions. The purpose of this tutorial is to educate the reader on these (and many other) dimensions. This tutorial begins with the discussion of numerous security threats faced today by a typical organization. Then we discuss strengths and weaknesses of traditional security approaches in addressing these threats (Section II). Section III begins with an elaborate definition of the term “biometrics” followed by a discussion of some of the fundamental operating principles behind biometric systems. After that we discuss, in detail, each of the main types of biometrics technologies (Section IV). For each of these types of biometrics, we discuss operating principles, advantages and disadvantages, and vulnerabilities to spoofing. The section also looks at some of the less common and emerging types of biometric technologies. In Section V we provide examples of current and future applications of biometric technologies. We look at biometric system performance from both technical and social (...truncated)