As security concerns mount domestically and abroad, databases are becoming a potent tactical tool, and a growing number of companies are arming the frontline with biometric tools to help identify threats and persons of interest. Down the road, these biometric tools may not only be useful at the tactical edge of national security, but may also have a home as a complement to conventional IT security as well.
One of the biggest pushes to advance biometric information in security came in 2015, when the FBI modernized a 15-year-old fingerprint system with the Next Generation Identification (NGI) System. This improved biometrics system cost over $1.1 billion, effectively replacing the 1990s vintage Integrated Automated Fingerprint ID system (IAFIS) with facial recognition capability and 10-digit fingerprint correlation.
Now, biometrics is increasingly used across state, local and federal agencies to bring a higher level of assurance to national security. In particular, biometrics information is routinely being used to track refugee movement and to ID potential terrorists or persons of interest.
How does biometrics identify persons of interest?
For the uninitiated, everyone has identifying characteristics unique to each individual – from fingerprints to facial appearance, iris structure, DNA, and so forth.
This biometric information is recorded in large databases, tied to a particular identity, to be able to correlate information and identify the person to whom that information belongs. Characteristics can be captured from crime scenes – such as latent fingerprints and DNA from handling bomb-making materials – and matches are sought from databases. The unknown is effectively being linked to the known to identify bad actors and to take them out of the picture.
Most of this may seem elementary to international travelers. If you come into this or other countries, whether you are a foreign national or a citizen, your fingers are already scanned and your photo is taken. That information is nearly instantly correlated against existing data to identify the person recognized. (Outside of the US, the biometric push is sometimes more elaborate, adding iris scans to other captured information.)
Some systems are as small as several thousand records, some in the multi-millions. DHS maintains a database of some 750 million records. A new system in Mexico has a planned reach of 100 million records. And in Europe, the Euro Dactyloscopy Fingerprint Database (Eurodac) connects 27 countries across Europe on a single system to monitor, track, and trace refugees moving across these countries.
Correlation speed depends on system requirements, of course, but it’s virtually real time. The DHS requirement is six seconds or less to search their 750 million records and return a response.
These types of systems have been deployed in federal agencies ranging from DHS, and the DOD, to the US Secret Service and the US Marshals. Biometric systems even extend to state, local and county systems. The one hitch in this is that all of these, by and large, are separate systems. When an agency can’t find the individual they’re looking for in their own system, they may be allowed to run searches on other systems, but in general they’re not as connected as you might think.
Biometrics in IT security?
Biometrics is a more efficient and lower cost response to the limited value of traditional “after the fact” security tracking methods – police checks, surveillance videos, and simple fingerprint analysis, for example. With real-time face recognition and real-time alerts of biometric matches, wanted persons or persons of interest can be tracked anywhere, anytime without burning through extensive police force resources.
Information security, by way of access control, can benefit from this technology. It makes sense to marry biometrics with traditional multifactor authentication technology. With multifactor authentication, if your password or token is compromised, you can change it. Biometric information works fundamentally differently in that respect. Even if you wanted to, you can’t change biometric information such as the characteristic details of the iris of your eye (not readily, and not easily, anyway).
With that in mind, vendors now are providing biometric systems for agencies with a range of security concerns. These agencies may require fingerprint or palm print matching systems against databases of up to tens of millions of records, or they may need to integrated existing information systems or provide secure Web-based identification services.
Biometrics will not eclipse the need for traditional multifactor authentication—the two approaches stand to complement each other in the IT security arena. In the future, an IT system with integrated biometric technology and other security protocols could provide the ultimate protection against intrusions by bad actors, foreign or domestic.
For now, the advances being made in biometrics give us an exciting glimpse into what’s in store for national – and international – security of all kinds.