The ramifications of this lingering dependence on passwords are significant. Every day, password-related data breaches put organizations in harm’s way. The latest high-profile debacle came to light in April, when the mortgage firm LendingTree announced that several former employees gave company passwords to outside lenders who then had free reign to view LendingTree’s customer files. The event not only undermined LendingTree’s good name, but it also opened the company up to a class-action lawsuit.
The unfortunate truth about the LendingTree situation and many others like it is that if the company had chosen a second form of authentication, the breach could have been avoided altogether. So why is it taking so long for enterprises to move beyond their singular dependence on passwords?
It is not for a lack of available authentication alternatives. These days, there are many options available, most notable among them being secure biometric technology. Universally regarded as the most secure authentication method, biometrics is based on who the person is rather than what they know—as is the case with passwords—or what they have—the identifier with USB tokens.
The challenge is that until now, many of the long-running biometric offerings have failed to successfully benefit the IT security world from their value, ease of use and ease of deployment to influence operational efficiency, and ultimately the bottom line. And those that do meet cost and ease-of-use requirements often suffer from slight accuracy deficiencies, a risk many IT security managers refuse to accept. But a new technology that reads the vein patterns in a user’s palm could be the game-changing biometric technology that finally convinces enterprises to step forward and update their authentication processes. This exciting new biometric category is poised to become a major player in enterprise authentication as it meets the current challenges facing the biometrics market.
One of the fundamental challenges with biometrics is that it deals with the human body. Because of this, biometric technology tends to be intrusive. Some people are not comfortable providing a fingerprint or standing in front of a device exposing their eyes to an unknown technology.
Additionally, because the human body and the nature of biometrics that deal with physiological factors are so unique, some biometric technologies statistically cannot be applied to certain users. In fact, it is said that 2 to 8 percent of the U.S. population cannot successfully interface with today’s fingerprint technology. Some users’ fingerprints are too thin, and others have been exposed to harsher elements, causing the skin to become too worn or dry to be read accurately. Even when a user can successfully interface, his body is always subject to changes that the technology cannot analyze. For example, some factors as simple as paper cuts can throw off certain fingerprint biometric systems.
Another important issue is accuracy. Although biometrics is known to be a very accurate method of identifying people, no single biometric technology can guarantee 100 percent accuracy. Vendors are competing with one another by attempting to get close to a 0 percent error rate for falsely accepting or rejecting a user. Though fingerprint biometrics is widely deployed, most of these technologies present some accuracy issues.
In many cases, they may be good enough for certain applications limited to personal use—for example, laptops and PDAs. But other more critical enterprise applications require more consistently accurate technologies, compared to conventional fingerprint recognition or other biometric techniques such as hand geometry comparisons or facial recognition. Iris scanning technology is one of the most accurate biometric technologies today, but it is not easy to deploy. It’s also an intrusive technology to many people and is cost-prohibitive to the average organization.
The final major stumbling block is ease of deployment. In the biometrics field, some vendors only provide sensors, some provide just the middleware and others only software. This leads to an integration-intensive security project for most IT departments, which want a product that will work right out of the box and easily interface with existing IT systems.
In recent years, palm vein pattern recognition technology, also referred to as vascular recognition, has been refined to meet all of these concerns. The underlying technology of palm vein biometrics works by extracting the characteristics of veins in the form of an image. The image is captured by a high-performance sensor that maps the deoxygenated hemoglobin running through someone’s veins.
Deoxygenated hemoglobin absorbs near infrared rays, so a sensor emits these rays and captures an image based on the reflection that comes back from the palm. As the hemoglobin absorbs the rays, it creates a distortion in the reflection light so the sensor can capture an image that accurately records the unique vein patterns in a person’s hand. The recorded image is then converted to a biometric template— a numeric representation of several characteristics measured from the captured image, including the proximity between veins. This template is then compared against a user’s palm scan each time he authenticates.
This technology is non-intrusive. There is no need to physically touch the sensor. All the user does is hold a hand above the sensor for less than a second.
The method also is highly accurate. The International Biometrics Group, which evaluates all types of biometrics products through comparative testing, found that palm vein technology was on par with iris scan biometrics in accuracy ratings and has better usability ratings. Palm vein recognition showed extremely low occurrences of both false positives and false negatives.
Palm vein recognition technology is significantly less expensive than iris scanning technology. In fact, the only biometric solution less expensive than palm vein authentication is fingerprint recognition. The edge in savings is coupled with distinct deployment advantages, as the most robust palm vein authentication solutions provide a full complement of hardware and software necessary to implement manageable deployments for most organizations.
Successful Case Studies
While significant research and lab testing has been done to advance vascular recognition technologies, the most telling sign that palm vein technology is a viable solution is its successful deployment in the field.
For more than three years, Bank of Tokyo-Mitsubishi UFJ, Japan’s largest bank and one of the 10 largest banks in the world, has been using palm vein authentication biometrics. The technology is rolled out in one of the most demanding customer- facing solutions, the ATM. Account holders register their palms and receive a smart card containing their vascular information. Each time they access accounts through an ATM, they must insert the card, type a PIN and then hold a palm over the sensor. These devices are installed in each of the 5,000 Bank of Tokyo-Mitsubishi UFJ branches across Japan.
The deployment affects more than 1 million people and has worked without incident. This real-world rollout is stronger evidence than lab-based studies and confirms that the technology works and can be easily accepted by end users.
Hospitals and healthcare providers are rapidly adopting this technology as well. Medical identity theft is a rising concern, and hospitals around the world want to provide customers with assurance that they are protecting their medical identity.Not only does this kind of identity theft cause financial problems for the victim, but it also can be highly dangerous.
For example, Annedorie Sachs became a medical identification theft victim when a woman stole her driver’s license, gave birth using her name and left her with $10,000 in hospital fees. To make matters worse, the woman abandoned the newborn in the hospital, and the baby later tested positive for methamphetamine. Afterward, an agent from the Utah Division of Child and Family Services notified Sachs that the agency was already putting paperwork together to take custody of Sachs’ four children, then ages 2 to 7. In the end, the false accusations were dropped, but Sachs’ medical records had been altered to include the blood type of a complete stranger. This put her at risk in future treatments since she has a blood-clotting disorder. If she is administered the wrong type of blood, it could be fatal to her.
Clearly, patient identification relates directly to patient safety, which is a No. 1 priority for hospitals. Carolinas HealthCare System in Charlotte, N.C., sought a secure method of authentication. The solution was a healthcare-centric version of a palm vein-based solution that allows Carolinas HealthCare System to accurately identify patients and retrieve their electronic medical records when they check in, thereby eliminating potential human error of pulling the wrong record, and protecting patients from identity theft attempts.
“There is great importance in properly identifying the patient,” said Dr. Rober Ray, Carolinas HealthCare System chief medical officer. “If there is a main benefit from the system, it will be in helping us avoid patient errors.”
Palm vein technology has proved to be the best choice for the organization due to its accuracy and usability, as well as the contactless sensor—a critical feature for maintaining a sanitary hospital environment. Through the use of its palm vein authentication solution, Carolinas HealthCare System has managed to achieve operational benefits. The burden on staff during the registration process has decreased dramatically due to the speed of patient registration using an automated system. Patients also are happier knowing their medical information is secure.
Many other vertical markets can benefit from palm vein recognition’s accuracy, cost-effectiveness and usability. Gaming and hospitality companies, government organizations and secondary education institutions are showing interest and starting to invest in this technology as well.
Such a secure biometric offering is especially attractive to enterprises moving toward identity management plans that include single sign-on initiatives. Though SSO solutions provide a more efficient and convenient way to manage passwords, they can represent a single point of failure if front-end authentication is not robust enough. By placing palm vein biometrics in front of an SSO system, organizations will be able to affordably ensure the system’s security.
Until now, there has been no biometric technology that can achieve the highest levels of security and usability at a reasonable cost. Palm vein recognition hits that sweet spot of biometrics between security, cost, accuracy and ease of use that makes it an optimal physical and IT access control solution for healthcare organizations, financial services firms, government agencies and other businesses across the globe.
Sources: Lending a hand