24 Oct 2001 10:38
The old saying "the eyes never lie" took on new currency yesterday as Siemens Business Services launched Australia's first iris-recognition authentication system. However, is this case of using expensive Hollywood-style hardware to sell less-than-sexy security software solutions? And could your eyes reveal more to your employer than you ever wanted it to know?
Siemens and a consortium of network solution providers presented the iris authentication system to government Information Technology managers in Canberra, offering it as a more cost effective and secure solution than those that rely on PINs, passwords or 'tokens', such as smart cards.
The iris-recognition technology is already used in organisations that need to control access to their sensitive documents at a single point, but now Siemens says that the technology is ready to replace online data security systems that depend on older forms of identity verification.
Aaron Parker, spokesperson for Biodata Information Tehcnology AP, a company that produces its own biometric solution based on multiple low-cost inputs, is highly optimistic about biometrics and certain that the technology will be used broadly in the future. However he says that iris authentication technology is still too expensive for wide-scale deployment, estimating that scanners can cost up to $500.
"The equipment is very specialised, it's not just a normal digital camera...you can have it at the entrance of a laboratory door but you could never have it on every PC in your office unless you're very rich."
Greg McAweeny, a business consultant at Siemens Business Services, concedes that the equipment is expensive, but at an estimated $400 for one-off purchases his view of the technology more optimistic, and it gets brighter the more you're prepared to use it.
"Obviously it depends on the scale," he said. "If you were implementing the solution across your organisation the cost would come down extensively."
The cost could fall below $100 for an organisation with 5000 points of presence to service according to McAweeny, but despite this the scanners are still only an "optional" component of Siemens overall solution.
McAweeny says that replacing clunky pass code and token dependent technology and improving return on investment is the iris recognition's biggest achievement. McAweeny says the technology eliminates costs associated persistent, vexatious support calls that usurp helpdesk resources and removes potential security holes associated with human behaviour, such as sharing unique identifiers.
"You pay for the cost of the technology and the camera and you recoup it over the lifetime of the installation. You don't have the management costs that you would normally have," he said
However Parker cautions against perceiving biometrics it as foolproof without the assistance of ancillary security measures.
"With any biomeric system it's possible to steal an identity, but with the correct policy you can safeguard against it," said Parker. "People don't understand the role of policy, they think all biometric systems are going to solve all problems, but unfortunately that's not the case."
Despite the fact that Siemen's scanning technology has achieved a zero false acceptance rate and ASIO certification, McAweeny made it clear that it's only as good as the broader range of software and network security services it depends on.
Siemen's iris-scanning technology creates a digital signature of the user's eye and converts into a 512-byte file using an algorithm. The file is then stored for future authentication events.
"Depending on the policy of the corporation our consortium can have the files hosted in a military certified environment," he said choosing his pronouns carefully.
Siemen's consortium partners include Allied Technologies Group, Cisco Systems, eSign and iSecure.
Parker, who is highly circumspect about the welfare of the biometric security industry, raises a much more alarming concern about the use of iris-recognition authentication generally. He says that such technology could give employers a means of determining their employee's medical condition -- perhaps before the employee is aware of it his or herself.
"Your company might be paying tens of thousands dollars for your training. Your company wants to know if you're going to die next year. They want to know if you're an alcoholic; if you have liver disease; lung disease. But it's every person's right to keep that information private," he said.
McAweeny says that currently Siemen's technology will only be used for "standard applications", and judging by the mechanics of the security, which converts image information into small files, that seems a reasonable suggestion. However, he was unsure how difficult it would be to modify the technology and place it in the service of more devious ends.
Anyone who quibbles over questions about whether the technology can record information in a format that is meaningful to a medical practitioner is missing the point says Parker.
"That's the thing what's being recorded no-one knows. The same camera could be watching you the entire time. If it's in your home you have control, but if it's at your office you have no idea."
See the Surveillance News Section for the latest headlines.
More enterprise IT news in ZDNet UK's Enterprise Channel
Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet news forum.
Let the editors know what you think in the Mailroom. And read other letters.
Story URL: http://news.zdnet.co.uk/itmanagement/0,1000000308,2097913,00.htmCopyright © 1995-2010 CBS Interactive Limited. All rights reserved
ZDNET is a registered service mark of CBS Interactive Limited. ZDNET Logo is a service mark of CBS Interactive Limited.