David R. Lease, the operations director for the newly formed Government Health Services division of CSC’s North American Public Sector, prepared this paper for CSC’s Leading Edge Forum, which awarded it the grand prize in its 2007 paper competition.

The Findings article in this issue, “Biometric Authentication in the Private Sector,” is a much abbreviated version of this paper.

Biometrics is attracting attention largely because of the shortcomings of traditional security measures. The problem with “what you have” methods — ID badges, keys, etc. — is that badges and keys can be lost, stolen, or duplicated. “What you know” methods — passwords, PINs, etc. — are stronger, but only if users create different hard-to-remember passwords or other kinds of codes for each point of access.

Biometrics can be called a “who you are” method that directly authenticates users based on physiological or behavioral characteristics. Lease focuses on the five most widely deployed biometrics — fingerprint verification, facial recognition, hand geometry verification, iris recognition, and voice verification. The first four types of biometrics are based on recognition/verification of a physiological characteristic of a person, while the last one involves verification of a behavioral characteristic, in this case voice.

Lease describes these five biometric technologies, then evaluates their relative advantages and disadvantages in comparison to other commonly used authentication methods. He also discusses the common objections and barriers to biometric implementation
and why organizations are reluctant to embrace the new technologies. In the conclusion, Lease offers recommendations designed to assist companies in making decisions about biometrics adoption and implementing biometric authentication and identification controls.