Advances in biometric technology and usability have given embedded systems designers a wide range of choices for adding biometrics to their products says Jim Meador, Senior Manager, Product Management, UPEK, Inc..
He is teaching a class in Secure Biometrics for Embedded Systems (ESC-544) at the upcoming Spring 2009 Embedded Systems Conference in San Jose, Ca.
Examples of biometric technology, he said, include fingerprints, iris scan, face recognition, voice recognition, hand shape analysis, palm vein analysis, among others. The benefits to end users of the embedded systems in which biometrics is incorporated, said Meador, is that they are more convenient and user friendly.
“Biometric technology enables users to verify their identity more quickly and conveniently than other methods, and this in turn can help to foster better security practices,” he said. “Furthermore there are new standards being adopted by the US government and others that are opening up huge new markets for access control and other identity verification applications using biometrics. “
In a world where people are being required to remember more and more PINs and passwords and ID numbers, and carry more keys, cards, and other tokens, he said, end users today are looking for ways to simplify their lives. Products that are simpler and more convenient to use are more valuable and more useful to the users.
“In the case of access controllers or other security-related products,” said Meador, “very often good security practices are not actually followed because it creates too much hassle. Making it convenient to follow good security practices increases the adoption of good security practices. So there are a lot of good reasons to add biometrics to products.”
On the other side of the coin, however, warns Meader, biometrics can open up new avenues for hackers to bypass security and gain unauthorized access to data, systems, facilities, etc. “And this is something that is explored quite often by movies,” he said.
“Fortunately or not, biometrics has a 'Gee Whiz' association which is attractive to screenplay writers for spy thrillers and science fiction films,” he said. “It also attracts the people from the'”MythBusters' television show, and there is also a lot of interesting YouTube material that involves biometrics. ” To address these scenarios, in his class Meador goes into detail on some of these issues, and separate the arcane scenarios from real-world issues.
Aside from the convenience, he said, most applications for biometrics have a security element, so it is important not to undercut the security aspects of your product when you add biometrics, which will require a careful analysis of the tradeoffs that are required.
“One of the key points that you have to take into consideration when you perform a security analysis is to set your baseline: how secure is the system to begin with, before you add in biometrics?” he said. But it is important to separate the real and probable scenarios you will have to face, not the off-the-wall glitches which are a faint possibility in any design, but not very probable..
“In my experience, once you start to think about adding biometrics to a system, ” said Meador, “you get some people who lose their perspective and start to invent all kinds of arcane scenarios, often inspired by the movies, in which the security could be compromised through the biometrics.
“Well sure. A lot of these things are possible. The question you have to ask your self is if they are really probable and if that represents a lowering of the bar compared to the alternative without biometrics. “
To help developers sort through the range of possible security scenarios and separate the more probable from the less probable, Meador, in his class will take attendees through a list of questions that need to be answered including:
1. What kinds of vulnerabilities already exist?
2. How valuable is the target?
3. How difficult/expensive is the attack?
4. How likely is the attack to succeed?
Aside from the security aspects that must be considered in any design, he said, the developer needs to keep in mind also that the processing requirements for embedding biometrics is somewhat high.
“But there are off-the shelf solutions that can encapsulate all the functionality in a easily embeddable modular subsystem, which simplifies the requirements and speeds up the implementation,” said Meador. “Although biometrics is often the subject of cinematic hijinks, practical systems can be deployed for many applications which enhance security, bringing real value and convenience to end users.”