Fingerprinting Puts a More Foolproof Touch on Prime Time 08/30/01 By Joab Jackson, Staff Writer When NASA needed a foolproof way of controlling who entered its new Triana Science and Operations Center at the University of California in San Diego, it went for fingerprint-based access. Security was crucial for the facility, which is part of the Scripps Institution of Oceanography, since it develops Earth-imaging tools for spacecraft and is tied closely to NASA networks. And even though the fingerprint system cost 50 percent more than the access-card approach, it was the most secure choice as far as operations manager R.B. Smith was concerned. “You can loan someone your card and personal identification number, but not your finger,” Smith said. So in January, the center installed eight fingerprint-reading units, one for each entrance and office, provided by BioScrypt Inc. of Toronto, an authentication solutions company. Without using personal identification numbers, keys or pass cards, employees now gain entry by merely placing their fingers on a reader. Access is granted or denied by a database of fingerprints from 200 authorized users. BioScrypt’s NASA work may be typical of the niche fingerprint authentication market these days, but fingerprint scanning is nearly ready for far wider deployment, experts said. Thanks to dropping hardware prices and new interoperability standards, fingerprint scanners may soon be standard gear in laptop and desktop computers, cell phones, handheld computers and even smart cards. Market research firm Frost & Sullivan Inc., San Antonio, estimates spending on fingerprint systems will grow from $25 million in 2000 to $290 million by 2006, not including sales of high resolution units used by law enforcement agencies to identify criminals. “It is a very dynamic market,” said Prianka Chopra, a Frost & Sullivan analyst. “There are a number of vendors, which makes it very competitive.” As a result, fingerprinting units that used to cost $500 each a few years ago are dropping to less than $100 now. The remaining challenge is for software developers and solution providers to integrate this technology into enterprisewide systems, industry experts said. “Fingerprinting is good because it is very simple,” Chopra said. A form of biometrics, fingerprinting identifies a person by his or her unique characteristics. When coupled with digital certificates and public key infrastructure tools, this authentication tool can guarantee the security needed for electronic exchanges, according to supporters. At the enterprise level, this convenience can actually save money. For an organization with 10,000 users, password management can run as high as $350 per person per year because of help-desk calls for forgotten passwords, said Damon Wait, director of investor relations at identification solution provider Identix of Sunnyvale, Calif., who quoted Barry Keyes a study from market research company Gartner Inc., Stamford, Conn. In contrast, an Identix-based fingerprint authentication solution that eliminates passwords can be installed for around $150 per seat plus a maintenance cost of about 15 percent, Wait said. Although fingerprinting scanners have long been used in specialty areas, the industry is being invigorated by recent price drops in silicon-based microchips. A design for chips costing $10 to $20 each, developed by now-defunct authentication technology developer Veridicom Inc., was sold in July to solutions provider Precise Biometrics AB, Sweden. The technology was also licensed to information technology manufacturer Fujitsu Ltd. Semiconductor company Authentec Inc., Melbourne, Fla., has stepped up with its own series of chips that cost $25 to $30 and are expected to drop below $10 each by year’s end, according to industry sources. Optical-based scanner producers such as Identix have responded to this competitive heat as well, Chopra said. For instance, Identix has recently released a scanner on a PCMCIA card. “Systems integrators have to stay on top of the biometrics field. Almost every company has a biometrics division,” said Michael Thieme, senior consultant at the International Biometric Group, a New York-based integration and consulting firm. For example, eTrue, Southborough, Mass., which signed a deal to provide NASA with Internet-based biometric authentication system for remote log-ons, has signed partnerships with SRA International Inc., PriceWaterhouseCoopers LLP and Sytex Inc. Spyrus Inc., San Jose, Calif., provides biometric solutions to three of the five prime contractors in the General Services Administration’s Smart Access Common ID Card contract, a $1.5 billion, 10-year contract awarded in May 2000. Spyrus is on teams led by Electronic Data Systems Corp., KPMG Consulting Inc. and Litton PRC Inc., now part of Northrop Grumman Corp.’s Logicon Inc. unit. Identix has also formed partnerships for this GSA contract with EDS, PRC, Maximus Inc. and Logicon. Logicon and PRC won their contracts before Northrop Grumman acquired Litton Industries Inc. earlier this year. The biometrics companies are also securing their own government contracts. Identix was selected by the Florida Supreme Court to secure its 650-seat, wide-area network enterprisewide, which encompasses five District Courts of Appeal and the State Supreme Court. And Aug. 7, an unnamed Arizona county contracted Identix’s solutions for a 1,000-seat network to ensure that only authorized attorneys are able to access sensitive court records. “You still see contracts coming in for several tens of thousands of desktop seats,” Thieme said. “The pace is quickening, but with 50 million seats out there, it still isn’t making a big dent.” According to Thieme, the barrier to mass acceptance resides in the work needed to be done to modify enterprise-level, back-end systems. “Companies have done a fine job at bringing hardware to acceptable levels. It’s the software that is the problem,” Thieme said. “If you have 15 or 20 applications that need biometric verification where a password used to be, that’s where the biggest obstacle is.” Single sign-on solutions can address this problem, but “when you have one sign-on for 20 applications, you better make sure that is the right person signing on,” said Henry Kunicki, vice president of sales for eTrue. Thus the need for more expensive multiple-form authentication, where fingerprinting is paired with PKI verification, he said. Bill Bialick, technical director at Spyrus, pointed to another problem: slutions vendors offering proprietary models. Because of this, agencies are reluctant to trust one vendor’s standard for an organizationwide authentication. Part of the solution here may come from the BioAPI Consortium, which announced the final release of the BioAPI specification last March. BioAPI defines an open system standard application program interface, or API, for applications to interface with a broad range of biometric technologies. “It would be nice if this standard gains acceptance, but it’s still young,” said Barry Keyes, vice president of eTrust Security Solutions at Computer Associates International Inc., Islandia, N.Y. At present, Computer Associates works with individual biometrics vendors to assure interoperability with its eTrust single sign-on and eTrust Web Access Control tool sets. “We have the back-end software that can provide multiple authentication across the enterprise with complete policy management,” Keyes said. However, the adoption rate would increase with a common standard, he said. Once standards are recognized industrywide, then fingerprinting technology is almost certain to gain mass adoption. “Everyone wants to get rid of PIN numbers,” Bialick said. © 2001 Post Newsweek Tech Media Group