Keeping your password at your fingertips

As anyone who has sat in front of a computer scratching their head trying to remember a password can attest to, entering the correct password can be a frustrating experience, especially if you know you only have one more chance before you are locked out and need to call the Help Desk - yet again. As the number of systems and online sites that users have access to - all with their own unique IDs and passwords - has mushroomed, so too has the problem of forgotten passwords.

Last year was the year for biometrics - technology that uses bodily measurements to verify a person's identity - according to Mr Samir Nanavati, a partner at the International Biometric Group in New York. Biometrics proved more popular with consumers in one recent test than traditional passwords, and fingerprint scans won out overall as the preferred way of making secure online purchases.

Fingerprint scans beat voice, facial and signature scans in tests done with 240 people by the International Biometric Group. Least popular were keystroke scans, which measure the ways users press keys on a keyboard, and traditional passwords. The New York firm released the full results of the tests on January 3rd.

The International Biometric Group carried out its most recent tests in September and October on behalf of 25 sponsors, including Visa International and the Financial Services Technology Consortium.

Ten biometric systems - six fingerprint scanners and one system each for signature, voice, face and keystroke technologies - were tested. The group has invited the sponsors to buy the results for $36,000 (€38,000).

One reason fingerprint scans proved popular was that "they're quick and easy to use to verify someone", said Mr Nanavati. He said the testing did not take place in an ideal laboratory environment, but "we like to use people off the street so we tend to get the worst case scenario".

Walking around the International Biometric Group's new showroom at 1 Battery Park Plaza in downtown Manhattan, which officially opens this month, Mr Nanavati pointed out the different devices on display. "We have every commercially available system," he said. In all, there are about 180 biometric vendors worldwide: 12 in voice scanners, 150 finger-scanners, 12 face-scanners, one iris-scan, one retina-scan, one keystroke-scan and three for scanning signatures.

Of 150 fingerprint devices, two have smart cards and the recent tests included these smart card devices. The retina-scan, he said, "has limited possibilities because it is perceived to be more intrusive and difficult to use". He pointed out one new technology, which has yet to be deployed, that looks at the veins on the back of a person's hand.

Overall, the tests showed that physiological biometrics, such as finger, facial, iris or hand scans, are more popular than behavioural biometrics such as voice, signature or keystroke scans. The physiological methods were also shown to be less accurate in some cases. "Behavioural biometrics used to be less popular than physiological biometrics, but they have made dramatic strides, and they have improved in accuracy," Mr Nanavati said.

The tests indicated that some fingerprint systems lose the ability to verify users reliably in as little as six weeks because fingers can be affected by abrasions, weather, humidity, and temperature.

Six weeks after the fingerprint systems were installed, their false rejection rates rose by as much as 400 per cent. Only one system was totally unaffected. The upshot, Mr Nanavati said, is that systems must be designed to accommodate the effects of the seasons and changes in the skin's surface.

Generally, the biometric systems were found to be more accurate in this year's test than in a similar one done in 1998. The systems showed significant improvement in three categories: verifying authorised users, rejecting unauthorised users, and ensuring that a very high percentage of users can use them.

In previous tests, some technologies had high double-digit false rejection rates. The new round of testing had several systems, using various biometric technologies, with false rejection rates of less than 1 per cent.

For some applications, the false acceptance rate, or unauthorised users who could break into a biometric system, was close to zero. If biometrics are to gain widespread credence, Mr Nanavati said, they must demonstrate this degree of accuracy over a long term.

Even if a biometric system is highly resistant to break-ins, large-scale deployment may not be possible if the system cannot enroll a significant number of users, he said. The "ability to verify" measurement reflects a system's ability to enroll and identify legitimate users, which is crucial in network environments, Mr Nanavati said. If a large percentage of users still require password authentication, then the system's security protections may not be strong enough.

But, compared with two years ago, the systems have improved considerably, Mr Nanavati said, and as their accuracy has gone up, the size and cost of the units have come down.

In addition, "the interest from clients has skyrocketed". Microsoft endorsed biometrics last May, when it said it would incorporate biometrics into future versions of its Windows operating system. Some computer hardware makers are now shipping laptops or computer mice with fingerprint scanners included.

Sales of biometric hardware devices last year were $110 million, up from $58 million in 1999, according to the International Biometric Group. In 2003, $594 million will be spent on biometric hardware, the group estimates.