Insurance & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security

03:43 PM
Connect Directly
RSS
E-Mail
50%
50%

Biometrics: As Plain As The Nose On Your Face?

Although biometric technologies are useful for applications such as network security, user apprehension may be stalling implementation in insurance.

People have forgotten passwords and many an ATM card has been lost, but despite mothers' chiding you would be pretty hard pressed to find a person whose head wasn't attached. With biometric technologies—the most common of which identify a person's finger, face, hand, iris, voice, keystroke and signature—the only thing users have to leave home with is themselves.

For the biometrically challenged, the technology generally comes in two types: physical and behavioral. The former measures things like the ridges and twirls on a fingerprint or the distances between features on a face. In contrast, behavioral biometrics may assess the pressure and angle of a person's signature or the keystroke dynamics of their typing. Today biometric technologies are being used for granting access to everything from doors to gun triggers.

But is there a place for biometrics in insurance? According to Dan Morrison, partner, risk consulting, Andersen (Chicago), biometrics currently are much more prevalent in other financial services areas. Banks and brokerages "are using technologies like voice and facial recognition and hand geometry and fingerprints," says Morrison. "The largest use of biometrics within financial services I have seen is for the protection of networks."

At an insurance company, the areas housing the most sensitive information would benefit most from the use of biometrics, according to Morrison. "If there are PKIs (public key infrastructures) and a route key must be generated for the certification of authority, then the protection of that key would certainly require some form of biometric," says Morrison.

In fact, biometrics are an option among the data security requirements by which health insurers must abide for compliance with the Health Insurance Portability and Accountability Act (HIPAA; see related article on page 16). In addition to the required automatic logoff and unique useridentification, at least one of the following must be implemented: biometric, password, PIN, telephone callback or token.

According to Morrison, it is likely that health insurers will investigate biometric technologies for HIPAA compliance, but such technologies may be difficult to push into an insurance organization. "Insurers are so dispersed with brokers and agents," he says. "It is hard to come up with a standard."

RETINAL SCAN? NO WAY!

Perhaps the biggest obtacle to biometrics, says Lyle Scott, consultant, International Biometrics Group (IBG, New York), is user acceptance. Companies unsure that a technology will be accepted are wary of big financial commitments, according to Scott. Users may think biometric technologies are an invasion of privacy, and many fear that devices are harmful.

Usually, the more accurate biometric technologies seem the most invasive. "I am sure that a lot of people would have a problem submitting their DNA," says Andersen's Morrison of what he describes as the most accurate of biometric techniques. Second-best, he says, is the similarly intrusive retinal scan, which looks at blood vessels in the the eye.

Although biometrics are not widespread throughout insurance for customer-facing applications, carriers utilizing them do so internally for applications such as network access. "Biometric technologies are almost always used within a company first," says IBG's Scott. "Deploying biometrics for the public is useful, but harder."

For policyholders in North America, says Andersen's Morrison, biometrics are a hard sell. "In terms of the older population, there would be a problem with fingerprint scanning," says Morrison. " A policyholder may only make one claim their entire life, and they may have changed significantly from when their biometric was initially taken, causing a false rejection. Unless we can come up with a way to measure a trait that doesn't change over time and is less intrusive, customer-facing functions will have to wait."

AS CLOSE TO A SURE THING AS...

Still, in an increasingly wired business environment, deploying biometrics may become a competitive necessity. According to Dwayne Krumme, president of DigiKnox (Puyallup, WA), a biometrics technology vendor, whether secure access is granted by what you have (card, token), what you know (PIN, password) or who you are (biometric), biometrics offers greater security than traditional methods.

Although a user's biometrics are not as easily tampered with as other security methods, they may not always be 100 percent accurate. The performance of a biometric technology is usually measured by the percentage of imposters accepted by the system, or false-accept rate (FAR), and the percentage of valid users rejected, the false rejection rate (FRR). Most systems, according to Mike Hendry, author of "Smart Card Security and Applications," (Artech House, 2001), can be tuned to either sensitive detection or coarse detection. The level where the FAR and FRR are identical is the crossover rate. Most commercial biometrics have crossover rates below .2 percent. Some are below .1 percent.

Different biometric technologies used together, according to Dave Teitelman, president and CEO of Southborough, MA-based eTrue, provide 100 percent authentication. ETrue, an outsourced biometric authentication provider, has partnered with Microsoft (Redmond, WA) to provide biometric logon services for Microsoft.NET Enterprise Server customers. ETrue's service currently supports face, finger, iris, voice and signature technologies.

However, deploying even one biometric technology could be cost prohibitive if done on a wide scale, says Andersen's Morrison. "They are a lot less expensive than they were a few years ago," he says. "The cost of biometrics would be on par with some of the more sophisticated two-part authentication products out there," adds Morrison, refering to technologies that require users to identify themselves with something they know (password) and something they have, (ATM card).

From a technical standpoint, biometric devices, whether a camera, fingerprint scanner or signature pad, are usually USB- or serial port-compliant, so the products are easily attached to PCs. Other devices, such as thumbprint scanners, can be built directly into a keyboard. According to IBG's Scott, Microsoft is developing a set of drivers that will enable Windows to be biometrics ready, so installing biometrics will be as simple as installing a printer. Biometrics also require some sort of database to store representations of metrics that can be compared later for identification.

Previous
1 of 2
Next
Register for Insurance & Technology Newsletters
Slideshows
Video