Biometrics have existed since innovative crime stoppers in the 19th century figured out that fingerprints could be used to identify criminals, no matter what aliases they used or how many years had passed since they committed a crime.
Even as computers and other advanced technologies have created such biometric measures as retinal scans—and now, hand geometry—fingerprints remain the staple measure of biometric identity authentication for most financial institutions.
“Our applications, called FingerKey, HandKey, and HandPunch, address two concerns: access control and time and attendance,” says Vijay Kumar, senior portfolio marketing manager at Ingersoll Rand Security Technologies. “Credit unions often use HandKey and FingerKey to control member access to safe deposit boxes, rather than go to the time and expense of having an employee accompany a member. The credit union can supplement the hand image or fingerprint scan with a personal identification number request.”
For employees, HandPunch tracks actual time on the job. “In situations where state laws or labor contracts call for employees to take a break, HandPunch won’t allow employees back on the job until the stipulated break time is over. This helps both employees and the credit union avoid misunderstandings or mistaken claims.”
Kumar says error rates with fingerprints generally are higher than with hand geometry, which takes a three-dimensional measurement of the hand to create a complex algorithm that’s hard to duplicate.
He adds, “No, you can’t spoof a hand reader like they do in the movies by cutting off somebody’s hand to present to the reader. The loss of blood would change the shape and proportions of the hand so that the reader would not recognize it.”
Kumar says the system also is self-updating. “An example would be a pregnant woman whose hand shape changes over the course of her pregnancy. The system notes minor changes and updates the image of her hand as it goes along.”
Next: ROI benefits
For Cameron Meldrum, product manager at ProfitStars, fingerprint-based IDs not only can be tailored to give access across multiple applications, they also present an opportunity for return on investment (ROI).
The company’s Biodentify® brand offers two products for credit unions: Employee ID and Member ID. “Employee ID is an enterprise-level, single sign-on solution,” says Meldrum. “You take it off the shelf, install it, and it’s ready to go.”
The system can take an employee’s fingerprint, attach it to an existing password and user name to establish a basic credential, and then use it across the enterprise. “Basically, our credentialing technology can assign one set of credentials to a large number of applications,” Meldrum says.
That ability is where ROI comes in. “It reduces time and management costs to administer multiple passwords, such as when employees forget passwords or when new passwords need to be set up across the enterprise,” Meldrum says. “With one password, confirmed by a fingerprint ID, it’s much simpler. And because the solution works across the enterprise with third-party applications, it lowers the number of password lockouts.”
Member ID works with a separate module from the employee ID, referring to a separate database.
“Member fingerprints are registered and linked to the various accounts a member holds at the credit union,” says Meldrum. “Members subsequently only need to have their fingerprints scanned for all their accounts to become available. The system can scan 10,000 names in less than a second, so calling up information is virtually instantaneous.”
While people are sometimes apprehensive about having their fingerprints stored, fearing theft or duplication, he says it’s virtually impossible for that to happen. “We never store an actual fingerprint in a database. Instead, we use a proprietary algorithm to capture and analyze its patterns, focusing on ‘minutiae points.’ We then create an encrypted mathematical representation of that print called a template that can’t be reverse-engineered. The template can only be read by our proprietary software.
“Biometrics is so much easier than whipping out numerous forms of ID,” Meldrum continues. “Once members get used to it, it’s hard to go back to the old way.”
Next: The cocktail test
Fingerprints, handprints, or other direct biological markers aren't necessary for biometrics. For example, “keystroke dynamics” from AdmitOne Security is based on a simple premise that can be tested from a distance.
“When you type, there’s a pattern to how you do it—how long you hold down a key and the interval between pressing one key and going on to press the next,” says Matt Shanahan, the company’s senior vice president of strategy. “You can then create a statistical derivation that will predict how long a person holds down and then moves.”
Originally, AdmitOne Security Sentry, a risk-based authentication solution, was based on keystroke behavior by itself. “But then we realized, what about people with disabilities who may have unusual keystrokes or different people typing for them? What about people with broken hands or temporary employees at a workstation? What if somebody goes home, has several glasses of wine, and then attempts to log in to a secure system?”
That’s why the company added other security measures, such as sending a one-time password to a cell phone to gain access. (The odds of a fraudster having access to a person’s mobile device are slim.)
“Or, we might couple permission to our knowledge of when a person usually logs on and from what device,” Shanahan says. “If the time and source match what we know about that person’s behavior, we can take into account changes in keystrokes brought on by those after-work cocktails.”
Shanahan says the product is nonintrusive and difficult to thwart. “It’s not a silver bullet in terms of solving all access security problems, but it’s close. We’ve tested the system to see if somebody could game it by trying to match the keystroke of another person. We did an experiment where different people typed the same text to the beat of a song. Even then, with keystrokes landing at virtually the same time, there were perceptible differences."
Next: Pattern detection
Pattern detection is based on what people typically do—types of transactions, how they navigate a website, when they usually access the site, and how often, Shanahan explains.
“Once you know the pattern, it’s not only easier to detect fraud, it’s also easier to know when you don’t have to be suspicious,” he says. “For example, when a member who usually doesn’t do wire transfers suddenly does one, it creates grounds for suspicion. But if the transfer has been preceded by the member’s usual pattern of activity, that tells us it’s legitimate.”
Another company, VeriSign, also uses pattern detection to verify someone’s right to access a credit union account.
“We use a risk-based authentication engine that watches each user’s patterns and then builds a profile,” says Kerry Loftus, vice president of user authentication. “For example, Katie almost always logs into her account between 9 a.m. to 5 p.m., at work on a PC. Occasionally, she’ll access it from home on her Mac. If activity on her account departs from this routine, the credit union can notify her, send a password to her mobile phone, and ask her to enter it on the website to keep the account active. Or it can ask her to call customer support.”
The passwords, called “OTPs” for one-time passwords, are numerical sequences issued to one user only. “They’re viable only for the short time—usually 60 seconds—allotted to them,” says Loftus. “The assumption is that there must be something that you know, such as a name or a password, and something that you have, such as a cell phone. Say a stranger steals your mobile device. While he has physical possession of one part of your ID, he doesn’t know the other part—your name and password.”