Abstract

With new technologies the eyes are more than “windows to our soul.” People are
carrying with them a living key or password that will never be forgotten and will always
be there. This paper throws light on various biometric technologies that are changing the
face of various methods and techniques that are intended to provide ultimate security to
important and confidential systems. However, the major part of this paper concentrates
especially on the biometrics that deals with the human eye, more specifically, the iris.
The technology is available now through work in computer vision, pattern recognition,
and man-machine interface to create a reliable lock that a person's iris pattern will open.
The randomness of iris patterns has a very high dimensionality making recognition
decisions reliable with a high level of confidence.

Biometrics is seen by many as a solution to a lot of the user identification and security
problems in todayUs networks. Password abuse and misuse, intentional and inadvertent is
a gaping hole in network security. This results mainly from human error, carelessness and
in some cases maliciousness. Biometrics removes human error from the security
equation.
Our project will examine all the technological and feasibility aspects as well as the
practical applications. We will look at many different biometric methods of identifying
the user. The project has been divided into the following areas:

• What is biometrics
• Why would Biometrics be used for computer network security?
• How will Biometric security measures be implemented?
• Where are we now technologically, with regards to feasibility?
• What is the future of Biometrics in networks?
• The pros and cons of Biometric authentication and the likelihood of widespread
public adoption
>main index < > biometrics index < > next <

History of Biometrics
The term "biometrics" is derived from the Greek words bio (life) and metric (to measure).

Biometrics is becoming an interesting topic now in regards to computer and network

security, however the ideas of biometrics have been around for many years. Possibly the
first known example of biometrics in practice was a form of finger printing being used in
China in the 14th century, as reported by explorer Joao de Barros. He wrote that the
Chinese merchants were stamping children's palm prints and footprints on paper with ink
to distinguish the young children from one another. This is one of the earliest known
cases of biometrics in use and is still being used today.

In the 1890s, an anthropologist named Alphonse Bertillion sought to fix the problem of
identifying convicted criminals and turned biometrics into a distinct field of study. He
developed 'Bertillonage', a method of bodily measurement whichgot named after him.
The problem with identifying repeated offenders was that the criminals often gave
different aliases each time they were arrested. Bertillion realized that even if names
changed, even if a person cut his hair or put on weight, certain elements of the body
remained fixed, such as the size of the skull or the length of their fingers. His system was
used by police authorities throughout the world, until it quickly faded when it was
discovered that some people shared the same measurements and based on the
measurements alone, two people could get treated as one.

After this, the police used finger printing, which was developed by Richard Edward
Henry of Scotland Yard, instead. Essentially reverting to the same methods used by the
Chinese for years. However the idea of biometrics as a field of study with usefull
identification applications, was there and interest in it has grown.
Today we have the technology to realise the aims, and to refine the accuracy of biometric
identification, and therefore the possibility of making it a viable field.

What is Biometrics and why use it in for Network

Authentication?
Network security relies on one of three approaches for identification - what you have,
what you know or who you are. Previous forms of identifiers relied on what you have or
what you know or both. Personal Identification Numbers (PINs) were one of the first
methods used for identification. There are also methods that involve passwords and
physical tokens e.g. smart cards. There are a number of problems associated with this
kind of identification. People forget passwords, lose tokens, reuse passwords, write them
down, tokens can get stolen. The recognition of the above does not mean the
identification of the person providing it - they could be presented by anybody. With the
advent of e-commerce brings increased pressure on IT managers to provide partners and
customers with means of identification to access corporate networks. This results in a
deluge of passwords and means of access, which are often forgotten, misused or lost.
With the increased population accessing these networks the risk of attacks on the
networks is increased. Companies are turning to Biometric Systems to bring tighter
security to their computer networks.

What is Biometrics?
"Biometrics is the development of statistical and mathematical methods applicable to data
analysis problems in the biological sciences"

With regard to technology Biometrics is the term given to the use of biological traits or
behavioural characteristics to identify an individual. Their traits may be fingerprints,
hand geometry, facial geometry, retina patterns, iris patterns, voice recognition,
handwriting recognition. A Biometrics system is basically a pattern recognition system,
including all the hardware and associated software and the interconnecting infrastructure,
enabling identification by matching a live sample to a stored pattern in a database. When
resolving an individual’s identity there is a distinction between verification and
identification and different Biometric systems fall into these two categories. Each sub-
category resolves a different question. The first, verification, involves confirming or
denying an individual’s claimed identity - ‘Am I who I claim I am?’ The second,
identification, involves establishing an individual’s identity - ‘Who am I?’ By resolving
these questions using biometrics these systems go beyond traditional security methods,
by insisting that the person trying to log on is the actual person. Biometrics is irrevocably
tied to the individual.

With regard to computer networks, Biometrics can be used to automatically authenticate

an individual using their distinguishable traits. This security offers increased confidence
levels for users of the network, providing the system is correctly implemented and
utilized. The Network can be exploited fully without fear of a security breach. Biometric
secure Systems on the web would make the popular targets of banking data, business
intelligence, credit card numbers, medical information and other personal data
transactions on the web more secure and thus increase the populations confidence in
using these methods, increasing e-commerce confidence and thus enabling it to reach its
full potential.

Biometrics is also being called upon in the Cellular phone industry, where the companies
are vulnerable to cloning, where new phones are created using a stolen number, and new
subscription fraud, where a phone is obtained using a false identity. Here Biometrics
could be used on the handheld set to recognise ownership, and a biometric trait could be
taken at authentication.
Biometrics can be used to secure transactions at automatic teller machines, no longer
requiring the presentation of an ATM card (a biometric is hard to steal). It could also be
used for transactions at point of sale. Other markets include telephone banking and
Internet Banking. Biometrics can be used in any Network where the utmost security is
needed. It doesn’t just provide security because the physiological traits between people
are unique (PIN numbers should also be unique), but also because these traits cannot be
interchanged between people.

The fundamental argument for using Biometrics for Network authentication is the
increase in security while eliminating the extras such as PIN, passwords and smart cards,
which can get into the wrong hands and do a lot of damage to a network, which is then
not able to run at its full capacity until the security breach has been amended. In the
workplace passwords and logins are often passed between co-workers, written down for
convenience or reused multiple times for different networks. Biometric logins would
make it unfeasible for anyone, other than the intended login, to login to the network. So
for every worker, if they were to use the network an account must be set up for them. The
workers cannot forget their password, which may be one of several passwords, because
their password into the system is a physiological trait.

There are of course security issues with Biometrics that must be addressed. Where will
the data be stored? Are you authenticating an actual live sample or just authenticating a
message? Can the same Biometric be used for multiple different systems? Will the
system be securely implemented? These questions will be addressed in this paper. If
Biometrics for network authentication is accepted into society, in the future we may be
paying for our groceries at the supermarket on credit with a laser scan of the iris -
physical method of access and payment may become a thing of the past.

How are biometrics used in networks

The most obvious use of biometrics for network security is for secure workstation logons
for a workstation connected to a network. Each workstation requires some software
support for biometric identification of the user as well as, depending on the biometric
being used, some hardware device. The cost of hardware devices is one thing that may
lead to the widespread use of voice biometric security identification, especially among
companies and organizations on a low budget. Hardware device such as computer mice
with built in thumbprint readers would be the next step up. These devices would be more
expensive to implement on several computers, as each machine would require its own
hardware device. A biometric mouse, with the software to support it, is available from
around $120 in the U.S. The advantage of voice recognition software is that it can be
centralized, thus reducing the cost of implementation per machine. At top of the range a
centralized voice biometric package can cost up to $50,000 but may be able to manage
the secure log-on of up to 5000 machines.
The main use of Biometric network security will be to replace the current password
system. Maintaining password security can be a major task for even a small organization.
Passwords have to be changed every few months and people forget their password or lock
themselves out of the system by incorrectly entering their password repeatedly. Very
often people write their password down and keep it near their computer (on a post-it note
attached to the underside of the keyboard is a frequently seen favourite). This is of course
completely undermines any effort at network security. Biometrics can replace these. For
example the city of Glendale in Los Angeles county California replaced its password
system with fingerprint scanners that use biometrics. The cities employees had the usual
password problems. The passwords had to be changed every 90 days and no dictionary
words were allowed, only 8-digit alphanumeric strings. The vast majority of users failed
to change their passwords and as a result got locked out of the system. The only way for
them to get back in the system was a call to the IT helpdesk, which became swamped
with calls. The help desk staff ended up spending a disproportionably large amount of
time fixing problems with passwords. This is the hidden cost of using passwords, the
helpdesk admin costs that always result when people get locked out of the system. The
use of biometric identification stops this problem and while it may be expensive to set up
at first, these devices save on administration and user assistance costs.

Glendale locks down PCs with Digital Persona

biometrics
By Lynn HaberOctober 18, 2001
(http://techupdate.zdnet.com)

One way that biometrically verified logons would be implemented is using a centralized
system (particularly using voice biometrics). Such a system would be ideal for
implementing secure remote logons by mobile users. Remote network access enables tele
working, which has been promised by the ‘e’ community for a long time, especially with
the arrival of broadband access from the home. It is also important for field employees
who travel all over for the company, yet need access to company resources. Biometric
identification used along with a secure connection (a problem that is entirely separate to
that of Biometrics) to the network makes this once vulnerable aspect of networking more
secure.

Current uses of Biometric Authentication.

The most popular biometric authentication scheme employed for the last few years has
been Iris Recognition. The main applications are entry control, ATMs and Government
programs. Recently network companies have realized the advantages of biometric
authentication for networks and offer products to achieve this scheme. Products offered
include fingerprint analysis, iris recognition, voice recognition or combinations of these.
However widespread use of biometrics as a means of authentication has not yet been
fully realized.
Biometric Authentication ATMs, Law enforcement and
Airports.
Iris recognition in Law enforcement
In 1996 the prison in USA became the first correctional facility to use iris scanning.
Sometimes the facility would need to release a prisoner on short notice and could not
wait for the fingerprint tests.

ATM iris recognition.

Using an iris recognition ATM, a customer simply walks up to the ATM and looks in a
sensor camera to access their accounts. The camera instantly photographs the customer’s
iris. If the customers iris data matches the record stored a database access is granted. At
the ATM, A positive authentication can be read through glasses, contact lenses and most
sunglasses. Iris recognition proves highly accurate, easy to use and virtually fraud proof
means to verify customer’s identity.

The Nationwide Building Society in Britain introduced iris recognition within in its cash
dispensing machines as a replacement fro the PIN in 1998.

In 1999 national Bank United in the USA installed biometric authentication in three
ATM outlets in Houston, Dallas and ft. Worth. The scheme employed an iris recognition
system created by DieBold Inc , a company specializing in iris recognition.

Standard Bank in South Africa was using fingerprint verification on DieBold Atms, but it
was recently determined that it wasn’t as reliable as it could be. The company is now
researching other biometric solutions that don’t have the same issues that fingerprint
verification did.

DieBold Inc anticipates that widespread use of biometric ATM is still several years away.
It hasn’t been determined yet which type of biometric technology will take-off as the
standard. For this reason they are researching the technology to determine the most
appropriate form of this technology.

Atm iris recognition has is currently the most successful due to its high accuracy,
virtually fraud proof means to verify customer identity. The products used are standard
video cameras and state of the art real time image processing. The entire experience only
takes a few seconds.

Iris recognition in Airports.

In July 2000 iris authentication entered a new area of use as two airports began scanning
passengers irises as part of an effort to streamline boarding and security processes. The
airports rollouts are among the first major applications for iris scanning. The system used
a 30 frame/sec, black and white camera to take a picture of the eye from 6 to 36 inches
away. Once passengers enroll, their codes will be stored for further use. Airline
passengers will step up to a terminal kiosk and get scanned in one second. The iris is
compared to a database of customers to authenticate. Then the passenger can be issued a
boarding pass.

Current Biometric authentication in Networking.

A host of networking associated companies have recently added biometric authentication
features to their products. Companies such as Novell, Baltimore Technologies are some
of the first to take advantage of biometric scheme.

Keyware Technologies LBV (layered biometrics verification) Internet Toolkit will allow
software providers to add biometric voice and fingerprint authentication to traditional
security applications that protect Internet servers, the company said. Keyware is targeting
companies who deal with e-commerce applications requiring high levels of security,
Veronique Wittebolle, Keyware executive vice president, said in a telephone interview
last week. "Everyone realizes there is not one baseline (technology) that is going to solve
everything (needed for complete security)," Wittebolle said. "But biometrics can and does
work."
Keyware's LBV software can integrate several biometric identification features into an
application, and is compatible with Microsoft Internet Explorer 4.01 and higher and with
Microsoft's Information Server, the company said. Pricing begins at $4,550 for the LVB
Internet Toolkit with LVB Server. One analyst said the layered security levels can
provide most value for companies needing high levels of security. "If you are selling $12
million of steel, maybe you want to be really, really secure," Frank Price, senior analyst
with Forrester Research, said in a telephone interview. "That's where you may go the
extra mile."

Internet Banking
One area where the tool kit could be used is for enhancing security for Internet banking.
A bank, contracting with an ASP (application service provider), could require biometric
verification for a high-value transaction over the Internet. A vendor seeking to wire
money using the Internet would go to the bank's Web page, fill out the required
information and submit the transaction. If the transaction is for a high value, the bank
would decide it needs biometric verification and automatically send a message to the
Keyware LBV server requesting that the vendor speak a passphrase and use the
fingerprint scanner. The LBV server would then verify the passphrase and the fingerprint
and notify the bank if the request is accepted or rejected. No biometric templates leave
the Keyware server, keeping them away from possible public access, according to
Keyware.

Baltimore Technologies offer biometric security.

April 9, 2001 - eTrue, the first biometric authentication service outsourced over the
Internet, has announced its partnership with Baltimore Technologies (NASDAQ:BALT;
LONDON:BLM), a global leader in e-security. eTrue will integrate its biometric
authentication service with Baltimore SelectAccess(tm). The combined offering will
provide comprehensive secure access control and authorization management using
multiple biometrics, such as face and fingerprint identification.
By combining these two solutions, businesses can provide users with a higher level of
trusted access to valuable data and applications on websites and networks. Users will be
authenticated using multiple biometrics and then authorized to access data and
applications and conduct business in a secure manner. Customers with highly sensitive
information, such as those in the healthcare, financial services and government markets,
can now have a higher level of security when allowing ...employees, partners and
customers access to business-critical data and applications.
The eTrue Internet outsourcing service authenticates users for both Web and local
network logon. Through the use of multiple biometrics, exception handling and a call
center, eTrue provides 100% user authentication.

Conclusion
The use of biometrics in networks as an authentication feature is gaining momentum.
However the widespread use and acceptance of biometrics is, at this current time, still in
its infancy.

The Future & Issues of Biometrics

The biggest issue in biometric implementation is user acceptance. If a user doesn’t like a
particular system it will not be used properly and will not be effective, no matter how
efficiently the system is implemented. Fingerprinting is one of the first methods that
comes to mind when talking about using biometrics for security. However many people
are no comfortable with the idea of specialized fingerprint reading pads. These remind
the user or the other main use of fingerprints, identifying and cataloging criminals. A
more subtle approach is required for obtaining fingerprints. It exists in the form of a
fingerprint reader built into a mouse. A mouse with a thumbprint scanner built into its
side was demonstrated in the 1999 COMDEX exhibition. Such biometric mice are now
widely available to the public. (for a review of one such device go to
http://www.pcstats.com/articleview.cfm?articleID=535)

Eye recognition is a frequently touted means of biometric identification, however one

problem with early systems was that people are naturally very protective of their eyes and
in the past have found this type of scan intrusive. However improvements in eye
recognition technology enable a person’s iris to be scanned from up to twelve inches
away. The scanning device no longer intrudes on a person’s personal space.

Voice recognition is another option for biometric security. Voice recognition has
problems in that a persons voice can be subject to more change than their fingerprint e.g.
through sickness (a sore throat perhaps?). Also somebody’s voice can be easily
reproduced with a high quality recording. Just because a persons voice is present doesn’t
mean they are. It does have the advantage of being probably the cheapest biometric
security device at the low end of the market, as they require no special hardware.
However the more secure and robust centralized forms of voice identification systems
can cost upward of £50,000 (sterling). Another big issue in biometric implementation is
software support for the biometric hardware devices. This is a problem that is rapidly
disappearing. A consortium known as the BioAPI group formed in 1998
(http://www.bioapi.com), with the aim of developing a widely available and widely
accepted API (Application Programming Interface) that will serve for various biometric
technologies. This API is intended to be Operating system and Biometric Data
independent. Already vendors are announcing products that are compliant to the BioAPI
standards. Another big boost for widespread implementation of biometric devices has
come from Microsoft. In the spring of 2000 Microsoft announced that upcoming versions
of windows would have biometrics technology integrated into them. While this may
cause issues for the BioAPI and others trying to create biometric standards it will
undoubtedly encourage more widespread use of biometrics.

Cost is considered to be another major factor in the implementation of biometrics. In the

past this was more the case, as biometrics was an emergent unproven technology but as
biometrics have gained more industry support the cost has fallen. Many of the lower end
voice security systems are available for around £50 (sterling). Finger print recognition
systems cost between £99 to £199 per user which may be expensive for a large-scale
network but does give a very high level of security The aforementioned biometric mouse
comes in at the lower end of this price range.

Another aspect of Biometrics is the user's right to privacy concerning their biometric. For
instance many user may feel uncomfortable knowing that their fingerprints are on file
with their company. Luckily it appears that the manufacturers of biometric devices
understand the concerns of these users (if you were a cynic you might say that it is
nothing more than a marketing move). Most biometric device manufactures design their
device so that it does not simply record the users fingerprint, but rather a mathematical
model of the fingerprint which contains only the attributes that the device uses to tell
fingerprints apart. It may be possible to derive what a fingerprint may roughly look like
from this model, but it would be very difficult to get an image of a full fingerprint

Pros and Cons of Biometrics

Biometric Authentication has been heralded as the future of security systems, a
verification system that not only drastically reduces the risks of the systems security
being compromised but also eliminates the need for much of the traditional security
overhead. In recent years biometric authentication systems have become more prolific as
numerous manufacturers of biometric sensing devices and middle-ware providers have
entered the market. Having met with particular success in restricting physical access in
high-security environments it is curious to note that this success has not been echoed
where network authentication is concerned. It is with this in mind that we look at the pros
and cons of biometric authentication for networks and investigate whether this slowness
of uptake is an indication of things to come or whether biometric authentication is the
next big thing, worthy of all the claims of it's biggest proponents.

Each form of biometric authentication has it's own strengths and weaknesses, but before
going into specifics it is necessary to discuss biometrics as a whole and whether
biometric authentication is a practical concept or subject to any one of a number of
design flaws. The following paragraphs shall loosely be devoted to the pros and cons in
that order with arguments for being given in the paragraph discussing the pros along with
any counter-arguments aimed at specific points, the converse is true for cons.

Arguments in favour of adopting biometric authentication for network access are many
and varied but the core arguments revolve around three key areas. The first of these is the
uniqueness of biometric attributes. The uniqueness of biometric attributes makes them an
ideal candidate authenticating users. The fact that fingerprints have been used as a
method of identification since as early as 1858, Scotland Yards Central Fingerprinting
Bureau being established in 1901 is a testament to its longevity. What better way to
verify a users identity than by something that is inherent and unique to that user. The
second argument in favour of biometrics in principle is one of the least disputed, with the
user now unable to forget and share passwords, password administration and overhead is
reduced while network security as a whole is increased. This in fact could be considered
the driving argument behind the biometric authentication movement. The third argument
is again that of security, it is thought to be much more difficult to replicate a biometric
feature at the data acquisition stage than it is to replicate someone's user ID or password
and as opposed to tokens a biometric characteristic cannot be lost or stolen.

Arguments against the introduction of biometric authentication are far more numerous.
The current cost of Biometric authentication measures are, while falling, still very
expensive. Not only does the hardware and software need to be acquired but it must also
be integrated with the current network. The price return ratio is not as of yet satisfactory;
while biometric authentication may reduce administration overheads the cost of
introducing the system is still far too high. Also it must be borne in mind that as it stands,
biometric authentication is only suited to simplistic networks at best. The high price
couple with the fact that biometric authentication is an all or nothing technology is
another argument against. By all or nothing it is meant that there is no point in having
biometric authentication at every desktop on your network if someone using a laptop can
remotely login in with no biometric authentication as this would completely undermine
the system. While it can be argued that storing the biometric data (data of a more
personal nature than a username and password) is an invasion of the users privacy
proponents of biometric authentication counter that it is not the data it self which is stored
but a representation of that data from which the original cannot be constructed, that said it
would still need to be ensured that the data was not misused and kept secure. Given the
tendency of successful technologies to spread there is a danger that the same biometric
data could be used in to authenticate the user in a variety of different applications this
could mean that were someone’s biometric data to be compromised it might not only
compromise network security but also their bank account, their car etc. This issue is often
brushed aside stating that as it stands there are so many independent incompatible
vendors and products that the chances of the same biometric data being used for multiple
applications are negligibly low, but with the emergence of standards as is necessary for
any technology seeking global acceptance this is sure to change.

It has been mentioned that biometric data has not got the necessary attributes of a key,
i.e.: secrecy, randomness and the ability to update and destroy (Schneier). Not only are
your biometrics unique, but they are also unary. If your biometric data is compromised it
is not simply an issue of issuing you a new password. There are also a number of other
minor objections to it's use as network authentication: people's comfort level with the
new technology which is always a factor, that fact that not all people are able to enrol to
any one particular system, statistically between .5 and 10% of users will not be able to
enrol on a given system due to features which the system is unable to extract reference
point from, and the worry that a system may not recognise a valid user. This last is
particularly worrying in cases where the biometric used to identify the user is one in
which change is not unlikely, such as a cold for vocal analysis, any fallback
authentication also compromised the integrity of the system. It should also be noted that
no two reads from biometric data reader are exactly the same and while a user name and
password are binary i.e. either you have access to the system or you don't, biometric
authentication gives a likelihood of a match, though access can be set to be granted to
those of very high likely hood, there is still an element of uncertainty which results in a
not entirely secure system.

A number of other issues exist such as ensuring the measured biometric is live, but after
this most of the issues are those that apply to the majority of networks today. It must be
remembered that after data acquisition the biometric data is represented they same way as
any other authentication measure and as such is vulnerable to the same attacks. It should
also be mentioned that although storage is getting cheaper the biometric data template
could take up a lot more space than regular user/password combinations.

The pros and cons associated with specific devices are highlighted below:

Fingerprint readers

Pros
· Not much storage space is required for the biometric template

Cons
· Has traditionally been associated with criminal activities and thus users could be
reluctant to adopt this for of biometric authentication

Hand Scans

Pros
· Low data storage requirements for templates
Cons
· Not unique to every user

Voice Authentication

Pros
· More readily accepted by users (non-intrusive)
· Additional hardware is cheap and readily available (Microphone)

Cons
· Back ground noise must be controlled for accurate verification
· Large storage space required for template between 2,000 and 10,000 bytes
· Easily influenced by extraneous circumstances such as sore throat, common cold
· For remote access phone lines may not be of high enough quality to transmit voice traits
accurately

Retina Scans

Pros
· High Accuracy in identifying users
· Low data storage requirements for templates

Cons
· Extremely intrusive, low user acceptance rate
· Extremely expensive, special hardware required

Iris Scans

Pros
· Non-intrusive, camera can be up to 12" away
· High accuracy in identifying users
· Low data storage requirements for template

Facial Scans

Pros
· Data acquisition non-intrusive

Cons
· Data acquisition difficult, user must position face in same position each access
· Background lighting important for accurate verification
· Users may feel violation of privacy as data may be captured verified and user without
their knowledge

In conclusion the effectiveness of a biometric authentication system is for the most part
dependant on the requirements of the network and the chosen biometric. What is
guaranteed is the combination of biometric authentication with a smartcard or token
system results in a far more secure network access. Whether biometrics will become
widespread remains unlikely at this point given the associated costs and large number of
disadvantages. However as technology improves and costs come down we may well see a
change in this as demand for more secure networks increases. A indication of what may
be to come may be found in Microsoft’s recent announcement that they are to include
biometric authentication software with forthcoming releases.

Refrences
The Biometric Consortium
http://www.biometrics.org/

Avanti - the biometric reference site

http://homepage.ntlworld.com/avanti/

The Association for Biometrics

http://www.afb.org.uk

John Daughman's personnal site

http://www.cl.cam.ac.uk/users/jgd1000/

FBIs use of fingerprint compression

http://www.c3.lanl.gov/~brislawn/FBI/FBI.html

Cornell University dept. of Biometrics

http://www.biom.cornell.edu/

Companies specialising in Biometrics

http://www.biometricaccess.com
http://www.dobi.com/
http://www.biometrics.co.za/

General Sites of Interest

http://netsecurity.about.com/cs/biometrics1/
http://www.secmgmt.com/info_biometric.html
http://www.sans.org/infosecFAQ/authentic/biometric.htm
http://www.counterpane.com/insiderisks1.html
http://stat.tamu.edu/Biometrics/
http://webusers.anet-stl.com/~wrogers/biometrics/
http://www.rand.org/publications/MR/MR1237/