This paper summarizes the factors that need to be considered before
selecting a biometric product or system for installation into a working
environment. The advice should also be considered before making a
feasibility study, or pilot study, or even before deciding whether
a biometric method is appropriate.
There are several key areas that need to be considered before deciding
on the selection or installation of a system using biometric authentication
as described briefly in the following panels. These are a supplement
(not a replacement) to accepted project management practices and methods.
Security
The main reason (though not the only one) for considering a biometric
device may be its potential to improve security. You will need to
consider how effective the device is considered to be in distinguishing
between individuals. Although biometric features are considered to
be distinctive, they are not guaranteed to be unique. Complete and
accurate evidence on the distinctiveness of individual features is
not freely available.
Important to security are the likelihood of falsely accepting an imposter
as a valid user (the False Accept Rate or FAR), and the likelihood
of falsely rejecting a valid user (the False Reject Rate or FRR).
These rates differ between biometric modes, for example fingerprints,
hand shape, iris and facial recognition. For any particular
mode, rates will vary between different types of sensor and different
products, and will also depend on the user population. Rates quoted
by manufacturers may exaggerate accuracy and should be backed up by
the results of independent testing.
Other security considerations may be the safety of template storage
(which could be encrypted) and the existence of a reliable and accurate
audit logging process.
Environment
Biometric sensors are much more susceptible to environmental factors
than other IT systems. For example an iris recognition system will
need careful control of light levels, and a voice recognition system
may not work in areas of high ambient sound. All biometric sensors
may be influenced by less obvious factors such as temperature and
humidity.
The need to maintain environmental controls may introduce additional
costs into the installation of a system, particularly if the sensor
is to be used outdoors.
Procedures
A working biometric system will need established procedures to define
how it works and how it maintains security. For example, you should
consider:
- What procedures will be used for user enrolment? How will the
enrolment process check the identity of the enrolled person? How
is the quality of the enrolled template maintained?
- What happens if a user fails to enrol? (This can happen with
significant frequency)
- How is a user treated if the system (wrongly) rejects him or
her?
- Should the authentication process be supervised to reduce the
possibility of fraud?
- What procedures come into place if the equipment fails?
Privacy
Because the biometric information is usually considered to be private,
there are concerns as to who has access to this data and how it can
be used. In many countries the use of biometric data is controlled
by laws relating to Human Rights and Data Protection. [See
Management Summary Number 06]
User Acceptance
For many reasons, users may be reluctant to use biometric devices.
They have concerns about privacy, health and cleanliness, convenience
and legal issues. Some users also have moral and religious objections
to some biometric devices. You may need to assess user attitudes before
deciding on a biometric solution, and a process of user education
may be required when the system is adopted. [See Management Summaries
Numbers 5, 6 and 7]
Performance
You should note that security is not the only reason for considering
biometric systems. A new biometric system replacing an older technology
may not increase security but could give improvements in effectiveness,
efficiency, cost (or even user acceptance). For example, using a biometric
instead of a password or PIN may be easier for users and may reduce
considerably the costs of resetting forgotten passwords.
In addition to FAR and FRR described above, you will also need to
consider throughput times, both for user authentication and for the
initial enrolment process. Note that all performance measures will
depend both on the user population and on environmental factors. [See
Management Summary Number 11]
Other Factors
The following alternatives should be considered when evaluating any
biometric system and its performance statistics.
- Is it to be used for positive identification (making sure that
the potential user is the person claimed) or for negative identification
(preventing the enrolment of someone already known to the system)?
- Will it be used overtly (as for normal identification systems)
or covertly (e.g. for surveillance)?
- Are the users cooperative or not?
- Will use of the system be supervised?
- Will users be habituated to the system (i.e. familiar through
frequent use) or not?
Costs
As for any decision on project management, a justifiable business
case will be needed – in which the biometric system is compared
with a number of other options. All other things being equal, the
decision to adopt a biometric system may be made just on the basis
of costs. In addition to costs of purchase, installation, training,
maintenance etc. which are part of any IT system, the following need
to be considered for biometrics:
- Costs of enrolling users,
- Costs of alternative procedures (for failure to enrol, or failure
to accept),
- Costs for environmental controls.
Other IT Aspects
In considering a biometric system, all other aspects of IT systems
need to be considered. For example:
- What computer resources (CPU power, template storage space,
networks etc.) are required?
- Are there maintenance and backup costs?
- Will there be hardware and/or software upgrades later?
- Is the equipment reliable?
- Are spare parts cheap and readily available?
- Will power cuts cause failure in a secure mode?
Conclusions
Potential installers of biometric systems should carefully consider
a number of factors before deciding which system to choose, or even
whether to choose a biometric. These include security, health and
safety, user acceptance, privacy and legal issues, accuracy and efficiency
and the usual IT issues.
Managers are advised to approach professional IT consultants for help,
particularly those with experience as systems integrators for biometric
systems. They should clearly state the requirements of the system
first and should then select the system which best matches those requirements.
References
For further information see the document “Advice
on product Selection (pdf)” produced by the Biometric Working
Group on the BWG web pages. For related
information, see other Management Summaries, particularly as referenced
in the text above.
The UK Biometric Working Group, managed by CESG, supports the UK government
and provides advice and information about the implementation and use
of biometric authentication systems.
For further details telephone +44 (0) 1242 221491 extension 34124