Extending biometric security to enterprise

Biometric Voter Registration (BVR) is a phrase that has become quite loaded in our politics. More heat and smoke have been generated than light and the acronym BVR is being bandied about with little understanding of what it is.

Identification of individuals has been one of the most glaring weaknesses in information vetting systems. There are ways to make user identification almost foolproof (almost, because no security system is perfect), but these tend to make such systems horrendously unusable and extremely expensive.

In settling upon a reasonably secure identification system, therefore, a tradeoff usually has to be made between usability and complexity. The beauty of biometric systems, however, is the range of applications that the enterprise can adapt them to.

Biometric authentication is the technology behind the BVR kits that have caused so much controversy in Kenya recently.

At the core of such a system is the assumption that no two people are totally identical, and therefore that capturing a unique aspect of any person – usually a fingerprint, a palm print, a retina scan, or a voice pattern, but also extending to such unusual ones as ear shape recognition, face and even gait recognition – provides a very reliable way of identifying that person, which is harder to hack than the traditional password or PIN employed universally by corporates to secure data and ICT systems.

By and large, fingerprint scanners are the most popular biometric authentication systems in use today. Many laptop models already incorporate such devices.

Windows and Linux systems can be configured to include such features quite easily, and the addition of disk encryption makes them more resilient in case the user database is compromised. Biometrics dramatically improve security over passwords, especially if authentication is carried out on a local server.

This is because transmitting a biometric hash over the internet opens it up to the risk of being stolen using a man-in-the-middle attack, or of a sustained Denial of Service attack that renders authentication impossible and forces the system to revert to easier methods such as passwords, which can then be attacked successfully.

By removing the possibility of attackers snooping to see others’ passwords, and of social engineering being used to coax passwords out of unwitting users, and also of brute force attacks used to crack passwords using sheer computing power, biometrics lessen the chances that security will be compromised by attackers other than by attacking the central authentication database itself, or physically compromising the devices used to authenticate users.

The applications of biometric authentication in a typical corporate are almost endless. Attendance systems have long struggled with cases in which employees log in for each other, especially where they are paid by the hour: traditionally, they are given cards with which they clock in and out. However, crafty employees hand their cards to a colleague to clock in and out for them when they are absent.

Using a biometric system – such as a palm print – would allow the employer to track the time when employees come in and leave, and remove the possibility of cheating the system. Users can also be enrolled in enterprise biometric systems that log them into company computer application systems.

In many corporates, shared passwords are a particular headache of audit and assurance departments, which frequently run into transactions performed by one user but utilising another user’s password. Implementing a biometric system to authenticate any transaction in sensitive systems, for example, would ensure that responsibility for such transactions is unequivocally clear, and that audit trails are straightforward.

There are demerits to each of these systems, of course. Fake iris scans have been created by spy agencies and will eventually find their way into commercial use, and fake hands with printed-on fingerprints are not uncommon.

Voice-dependent systems are perhaps the easiest to fool, and they even fail if a registered user has a cold and their voice pattern changes as a result. As with most things ICT, a combination of technologies makes the best solutions.

A combination of biometric identification – to gain access to the workplace and log into workplace applications – and, say, a password or PIN number to authenticate a transaction ensures that the chances of playing the system are markedly reduced.

By ensuring that the software underpinning those systems is well-written, certified and secured – unlike the insinuation by Kenyan journalists that BVR software can be knocked together in one afternoon – corporates can ensure that their systems and their data are that much better protected against compromise and theft.

The author is an ICT consultant working for Saudi Telecom Corporation in Riyadh, Saudi Arabia. [email protected]

LUKE MULUNDA
Managing Editor, BUSINESS TODAY. Email: [email protected]. ke