Woudhuysen

What CIOs need to know about workplace biometrics

First Published by IDG, January 2018
Associated Categories Featured,IT Tags: ,
Workplace biometrics

Biometrics, in which IT captures and checks a person’s unique biological and behavioral characteristics, is spreading through the world’s workplaces. It’s time to understand where the technology is headed

North America, where the advent of mainframe computers enabled police forces to establish automatic fingerprint identification systems (AFIS) as early as the 1970s and 1980s, major organizations now want to bring to the workplace widely different kinds of biometric scanners, sensors and other hardware, and the image and signal processing and pattern recognition software that go with these things. Why? In the first place, to prevent unauthorized access to physical sites, and especially unauthorized access to sensitive areas on-site.

A trend toward using biometrics to control employee and contractor entry in factory and in office is one thing. However, the broader market for biometrics is also on the up, and enterprises need to first understand its dynamics before they turn to workplace applications.

To start with, Donald Trump’s policies on illegal migration and national security have driven a thriving market for military biometrics. There, AFIS are established, but the recognition of irises and of faces is set to grow. One report has North American military and civilian government purchases of biometric systems topping $2.5bn by the end of 2022; that might be an underestimate. A particular hotspot in US government: education, where biometrics can help assuage concerns about cheating and campus harassment.

Booming biometrics markets in law enforcement and general government are good news for giant biometric systems suppliers such as 3M Cogent, Fujitsu, Hitachi, Lockheed Martin, NEC, Nuance, Qualcomm, Siemens and Thales. But they’re also good news for smaller, more specialized firms with slightly cheesy names: BIO-Key International, CMI Time Management, Cross Match Technologies, EyeVerify, FaceFirst, GreenBit Biometric Systems and OT-Morpho. Companies like these can be expected to make their own efforts to extend the use of biometrics to the workplace.

General biometric techniques are spreading fastest, perhaps, in Asia. In North American and European healthcare, for example, concerns around fraud and patient security have been widely met by the deployment of biometric systems. Now it could be the turn of Asia and other developing regions of the world to help drive the global healthcare biometrics market from $1.3bn in 2015 to nearly $9bn in 2024.

In mainstream Chinese commerce, too, payment by means of face recognition systems is growing, especially in shops and fast food outlets. Bank ATMs also boast face recognition. In China as elsewhere, however, it’s government that’s leading the adoption of biometrics. In the dissident northwestern region of Xinjiang, for instance, Beijing has collected fingerprints and iris scans on everyone between 12 and 65 years old. Indeed, Beijing has added, to its database on Xinjiang, mass DNA samples and mass information on blood types.

How multi-modal biometrics being are used around the world

China’s adoption of biometrics is certainly controversial. But in Xinjiang the government is also pioneering the use of multi-modal biometrics – the sort that integrates data from more than one personal characteristic, or ‘biometric identifier’, whether it be fingerprints, finger veins, palm prints, hand veins, hand geometries, or irises. This extra-level-of-security kind of biometrics, indeed, could emerge as a specialty for Chinese biometrics suppliers. Search Alibaba for simple “biometric fingerprint scanners” and you’ll find more than 7600 Chinese products on the market. Search it for two-factor “biometric fingerprint and facial recognition” devices, and you’ll still find nearly 470 Chinese products.

In India, too, biometrics is both controversial and multi-modal. The country boasts, in its Aadhaar (Foundation) 12-digit national photo-identity card system, coverage of nearly the entire adult population. It captures all 10 fingerprints, irises, and, to include older people with fuzzier fingers and eyes, will catch faces too from 1 July.  But when Aadhaar was criticized for weak security, the government’s Unique Identification Authority of India (UIDAI) and the police cracked down on critics. On 17 January, 24 petitions against Aadhaar began hearings at India’s supreme court.

What biometrics can bring to the US workplace

In the US biometrics has also proved polarizing, but though some controversy has attended the police use of face recognition, much more has focused on the use of biometrics in the workplace. The 2008 Illinois Biometric Information Privacy Act (BIPA), arguably the most stringent piece of biometrics legislation in the US, has prompted class action complaints not just against employers using biometrics, but also against systems vendors. If Illinois restaurants and hotels, among others, have rushed to install workplace biometrics so as to monitor their employees’ timekeeping, it seems that some may have failed to notify staff beforehand.

Washington DC and Texas have similar laws to BIPA, but don’t allow a private right of action against employers. Soon New Hampshire, Idaho and Alaska may follow in their footsteps. Yet whatever the merits of the complaints about biometrics, in Illinois or any other location, the fact is that the use, in the workplace, of up-close and personal methods of identification is bound to raise concerns about privacy. Indeed, privacy in the workplace is already a major issue in Europe, and, even in the less regulated US, is nowadays felt to raise a number of grey areas – even without biometrics, and without, too, those related but non-biometric workplace technologies such as the tracking of employees using GPS. So by the time biometrics is rolled out in the modern, sensitive, somewhat charged workplace, there should be little surprise that implementing it can prove tricky.

That’s especially the case because the data picked up by biometrics, though unique, is no more secure than any other kind of data. Once it reaches databases and networks, its special power is available to any capable hacker.

For all this, the allure of workplace biometrics is clear enough. Especially when surveyed with multi-modal techniques, employees’ bodies should now be able to give employers more security. Measured by biometric methods, people’s idiosyncrasies can, with the help of IT, defend enterprises from any kind of site ‘visitors’ trying to impersonate customers, suppliers, regulators or, crucially, members of staff. Indeed, the advantages and benefits of biometrics over several other related but rival technologies in the workplace show that biometrics has more to offer organizations than just enhanced workplace security:

 

Advantage                                                                   Benefit
Accurate ID of staff and others on site Better access security than photo ID, passes, badges
Better timekeeping than punch clocks
Employer can track timekeeping more closely
No ‘buddy punching’ fraud on hours worked
Compliance with regulation and/or improved safety
Automatic, fast access, e.g., at entrances Fewer security guards, higher productivity
No staff keys or passes Better security – no loss or theft
No human memory needed Lower costs/higher productivity through fewer errors
Speed of accreditation of new staff on site Productivity of the enrolment/induction process
Speed of paying for food/drink at work Fewer/shorter queues during lunch breaks

 

So far, methods both conventional (fingerprints) and much-hyped (face recognition) have, through the mobile phone and especially through China’s massive mobile payments industry, done much to popularize biometrics in general. Yet other methods will be vital to the future evolution of the most secure kind of biometrics – the multi-modal kind. What’s more, other methods encompass not just people’s physiological characteristics, but also their behavioral ones.

The more exotic kinds of physiological biometrics

Fingers, hands, irises and faces don’t exhaust the body’s biometric identifiers. The veins in fingers and hands are also distinctive, and, since infra-red light is required to read them, veins can form the basis of biometric systems that are harder to tamper with than most. Barclays Bank has used finger vein readers with its corporate customers since 2014, and, again in banking and since the same year, Wells Fargo has used mobile phones to scan the veins in people’s eyes.

There are other ways of registering who’s who in the workplace: inspecting their lips or their ears, for example. Yet if doing that, just like sampling a member of staff’s breath, sweat or hair protein, or resorting to infra-red retinal scans, will be too provocative for most workplaces, there’s promise in identifying individuals through the pattern of their heartbeats – for example, by continuously sending out radio frequency waves at a heart to check the waveform of its beat; by using continuous-wave low-level Doppler radar to check the unique geometry and motion of a person’s heart; or, less sneakily, by making electrocardiograms of a user of online banking through obliging her to wear a special wristband when logging on. And if heartbeats won’t suffice, making workers wear headsets or earphones with biosensors so as to read the electrical pattern of their brains can again help employers determine who’s who – and also determine, perhaps, whether the worker behind the wheel or machine is in a fit mental state to use it.

In construction, digital door locks that are biometric, rather than operated by keypads, are already being widely installed in buildings. But on the staff side of the sector, the use of helmets on the part of building workers will probably see brainwave biometrics become one of the modes that accompany the already widespread deployment of fingerprint and face recognition on-site.

Across all industries and service sectors, we can expect wristbands and earphones to be one of the modes through which employers identify members of staff.  But by the time physiological biometrics is applied to people’s brains, we’re beginning to move away from the body, and into the domain of behavioral biometrics.

The rise of behavioral biometrics

Behavioral biometrics establishes who a person is through their voice, the gait they show when walking up to a company car, or by the way they type, or the way they use a mouse, applications or their organization’s IT system. The way people wield a pen is also telling: as early as 2014, Italy’s Data Protection Authority chalked up a world first in giving legal status to signatures taken on tablets and pens (to establish identity, signatures are tracked for the ‘graphometric’ data that describe the unique manner in which they’re performed).

In understanding the potential and also the complexity of behavioral biometrics, it’s worth reading a seminal University of Buffalo paper [PDF], published in 2008, which lists no fewer than 29 different kinds of the genre, right down to the style in which a person drives a car, writes code or paints, as well as ‘soft’ biometrics (height, weight, gender, ethnicity). Registering the kinds of interaction, input devices, enrolment times and verification times associated with each, the authors of the paper concluded, of the 29, that only two – signature/handwriting and speech –were useful ‘for reliable large scale person identification’.

That, though, was back in 2008. Since then behavioral biometrics has matured enough for Gartner to suggest that, when coupled to machine learning, it will make passwords to smartphones redundant by 2022. Again in mobile, IBM has partnered with SecureTouch, a specialist in behavioral biometrics, to track scores of behavioral traits with smartphones, such as gestures, finger pressure and speed of swiping. Perhaps the biggest advances in behavioral biometrics, though, have been made with voice recognition. Now that Microsoft has built a voice recognition API for its Azure products, and Amazon has launched Alexa for Business APIs, there should be a significant increase in the use of voice biometrics in the workplace over the next few years. Moreover, the use of voice biometrics around phones, which a number of banks now use with customers, will no doubt be extended to staff. Voice biometrics is particularly powerful when used with wider telephone ‘audio fingerprints’ – location, background noise, number history, call type and many other characteristics.

The promise with behavioral biometrics is not just of extra modes of checking that people are who they say they are. The promise is also that the checking done will be less obtrusive than most physiological biometric methods. That, though, may make the behavioral kind of workplace biometrics more subject to disputes than the clunkier, but more obvious kind.

Conclusion

The future of workplace biometrics is, as we’ve seen, likely to be just as, if not more controversial than the use of biometrics in other fields. But as enterprise concerns mount about intellectual property, cybersecurity and gender relations, workplace biometrics is poised for rapid adoption. It’s poised, too, to become more sophisticated, as multi-modal analysis becomes more common.

In tomorrow’s workplace biometrics, the US research firm Tractica predicted a couple of years ago that annual global unit sales of devices and software licenses would increase from 12.7 million in 2015 to 142.0 million in 2024, with enterprise biometrics revenues moving from $183m to $1.7bn over the same period. Tractica forecast a big growth in the surveillance of eye veins (50 million devices by 2024) and faces (more than 50 million), as well as continuing role for fingerprints (about 20 million) and a growing one for voice (10 million).

Biometrics, and especially behavioral biometrics, has however moved ahead rapidly in the past two years. The CIO wanting to move his or her workplaces over to using a number of different biometric modes simultaneously, for enhanced security, will be spoilt for choice. At the same time, though, it will be vital for that CIO to research very thoroughly how acceptable each mode is likely to prove with the organization’s workers.

Share Button

0 comments

Comments are closed.