We all know that one day mobile phone theft will be a thing of the past because they will be programmed to only operate for their rightful owner. How will this work? Using the same technology we have all seen in Star Trek for securely controlling access through doorways. You know the one: you place your palm flat on a scanner and the door magically recognises you and opens with a satisfying swish without your having to stop to find the right key, or type in a code.

So how does it work? The answer is a technology called ‘biometrics’: using machines to recognise people by their physical or behavioural features. In the light of recent border security breaches there is intense interest in methods of spotting particular people. Imagine if you could point a CCTV camera at the queues crossing your borders and, using face recognition technology, spot those on your ‘wanted’ list.

Does this spell the end for smart card technology before it even caught on? The short answer is ‘no’. Let’s look at the reasons why.

Firstly, biometric technologies are relatively immature. The classic problems are known as false acceptance and false rejection, or to put it another way, letting the bad guy in and keeping the good guy out in the cold. Face recognition seems to be the worst performing technology at present being tried at airports. However, some biometric technologies are rapidly improving and hand geometry has been used in Israel for several years.

There are standards emerging such as BioAPI which allows different biometrics to be easily integrated. Already governments such as Hong Kong have committed to their smart ID card (being issued soon to all 7 million residents) providing the capability of identifying the cardholder by thumbprint recognition. Trials with frequent flyers aimed at speeding passage while improving security are already being conducted at Schiphol and Heathrow airports using iris scans held on smart cards. Secondly, biometrics are best implemented using smart cards. Remarkably small amounts of memory are needed to store biometric templates, ranging from a few bytes for hand geometry up to a few hundred bytes for face or signature recognition. Smart cards can store the biometric template inside the tamper-resistant chip. Either they perform the comparison locally or for more difficult matches such as voiceprint, they can encrypt for sending data across a network for comparison with a central database server with greater computing clout. Without encryption, your template might be captured in transit and used to impersonate you at a later date. Imagine trying to convince a jury that someone else used your biometric while you were at home watching TV.

Even if biometrics work acceptably well, we still need smart cards in order to communicate securely across networks. As mentioned, encryption is the best technology for this and smart cards are the best way to securely store our cryptographic keys.

We have seen biometrics are useful for linking things with their rightful user (phone, passport, bank card, etc). So does this mean that they will replace the ubiquitous personal Identity number (PIN) or password used as cardholder verification? Well, probably not.

PIN pads are usually cheaper than biometrics readers. The downside of passwords compared to biometrics is that they are easily forgotten (or worse written on the back of the card!). However, if your password is compromised, you can easily change it to something else; reconfiguring your hand geometry is less appealing and modifying your voiceprint might turn out to be just plain embarrassing. Very soon the teething issues will be resolved, and biometrics will be good news for smart card schemes.

Most likely, smart card, password and biometric will co-exist. They will be used in various combinations depending upon the degree of security required and the budget available for implementing the cards and terminals.

Reprinted with permission form John Elliott e-mail john.elliott@consult.hyperion.co.uk
Principal Consultant
Consult Hyperion
www.consult.hyperion.co.uk