This was supposed be the Year of Biometrics, a sales bonanza for vendors of fingerprint readers, iris scanners, face-recognition software, and other products in the wake of Sept. 11, 2001. Instead, 2002 turned out to be yet another building year for the long-anticipated biometrics revolution.

Certainly the notion of identifying people by biological markers has gained traction in the halls of government since the terrorist attacks: Face-recognition scanners have been installed at airports and on public beaches; airport personnel and visitors from certain Middle Eastern countries must submit to finger scanning; and the U.S. Department of Defense (DOD) is developing a biometric smart card for the wallets of armed-services personnel. Both the Border Security Act approved by Congress last May and the National Strategy for Homeland Security unveiled by the White House in July call for deployment of and further research in biometrics.

But businesses have greeted the technology with a collective yawn--or bemused head scratching. In a Forrester Research survey last summer of 300 U.S. and Canadian companies, 58 percent said they had no plans to implement biometrics this year, and only 14 percent were considering it. CIOs have shown little interest in biometrics to enhance security in PC/network access, workgroup collaboration, document approval, and financial transactions over the Web.

A solution in waiting

On the face of it, the case for biometrics in network access, document management, and e-commerce is compelling: Passwords and USB tokens can be stolen or misplaced; a biometric marker such as a finger-scan, iris pattern, or signature rhythm stays with you, an integral component of your physical being. In theory, everything from credit card numbers to medical records to trade secrets would be a lot more secure locked in a vault to which only one person on Earth has the key.

"Regardless of the criticisms you can levy about biometrics," says Michael Thieme, director of special projects for the International Biometric Group (IBG), an independent consulting firm based in New York City, "it's almost incontrovertible that compared with a PIN or a password, they do provide a higher level of security, or at least a very different type of security." Eliminating password resets alone--which cost U.S. companies between $50 and $100 per reset--would save billions of dollars a year in help-desk time and lost productivity.

Yet IBG projects worldwide sales of only $115 million for PC/network access devices and software this year, and a modest $601 million for overall biometric revenue.

The fault lies largely with the immature, fragmented biometrics industry itself. More than 150 companies hawking a smorgasbord of technologies vie for customers in an ailing IT market. A few sizable firms exist, such as Viisage Technology , a $26 million face-recognition firm based in Littleton, Mass., and Identix Inc. of Minneapolis, which claims to the world's leading multi-biometric security company with projected revenues of about $120 million in 2003. But most are small, with less than $5 million in annual revenue, and losing money hand over fist. Saflink Corp., a well-known biometric software firm based in Bellevue, Wash., lost $3.3 million on $560,000 in revenue in the first half of 2002.

Many biometrics firms have failed to deliver on performance claims. Identix's Argus face-recognition system bedeviled security personnel with false alarms when it was tested at Boston's Logan Airport earlier this year. And last April, a professor at a Japanese university demonstrated that 11 commercial finger-scan sensors could be fooled by the "gummy finger" tactic--imprinting a real digit on a homemade gelatin mold. Despite substantial improvements in accuracy, ease of use, and privacy protection in the past year, doubt is firmly planted in the minds of IT managers averse to costly failure.

Walter Hamilton, vice president of business development for Saflink, says, "There has been a lack of effective communication on the part of the biometrics industry to convince IT professionals that the technology is mature, it's reliable, it's available and cost-effective, and that there are solutions that allow it to be integrated into their infrastructures."

Two commercial markets that have taken a chance on biometric IT security are financial services and health care. In both arenas, federal legislation has spurred network managers to get serious about data security, considering biometrics as a replacement or adjunct for passwords. The Graham-Leach-Bliley Act of 1999 requires banks, insurers, securities companies, and other financial institutions to jealously guard personal financial information against "anticipated threats." And the Health Care Insurance Portability and Accountability Act (HIPAA) gives health care providers until next April to tighten the security cordon around electronically stored patient records.

At St. Vincent Hospitals and Health Care Center in Indianapolis, 3,000 physicians and staff touch a desktop fingerprint reader once to gain access to medical records, patient charts, and e-mail--applications that previously required separate logins. That's a huge pain reliever for doctors who routinely forget passwords. But Bruce Peck, St. Vincent's information security manager, also sees the Saflink system, which costs about $100 per user in annual license fees, as a tough first line of defense against data snoops and vandals. "I'm latching on to this as a way to elevate our security level for applications, aiming toward compliance with HIPAA," he says.

Finger-scan vs. the rest

Finger-scan is far and away the most popular biometric technology for IT security. Network overseers launching pilot projects and initial rollouts choose finger-scan for the same reasons Peck did: It's relatively inexpensive, with readers priced at about $120; it's a natural fit for employees accustomed to manipulating a mouse; and in benchmark tests by IBG it's demonstrated an acceptable level of performance in defending the enterprise.

"It's very, very accurate," declares Saflink's Hamilton. "Is it perfect? No. Is it accurate enough to log in to a computer network once you've claimed your identity? Absolutely. False matches are statistically insignificant in this application."

More than 50 other companies, including Identix, Bioscrypt, AuthenTec, Inc., and Siemens have developed finger-scan products for the desktop. This year, Melbourne, Fla.-based AuthenTec and SecuGen Corp. of Milpitas, Calif., released upgraded sensors that purport to foil gummy fingers--and reduce rejection rates for people with dry, dirty, or abraded digits--by sensing "live," subcutaneous properties of the finger such as temperature, pulse, and electrical activity. At St. Vincent Hospitals, Peck says that AuthenTec finger-scan sensors have performed well, despite the prevalence of dry, over-scrubbed skin among nurses and doctors.

The Defense Department is considering incorporating finger-scan into its Common Access Card, a contactless smart card to be issued over the next two years to more than four million military personnel. The identity card will control access to computer networks as well as DOD installations and secure facilities. Intel, Honeywell, and other high-tech companies already issue such cards bearing a template that must match an on-site finger-scan, to restrict physical access to sensitive areas.

Other biometric technologies haven't made much of an impression on IT security. All have serious drawbacks related to expense, reliability, or ease of use in an office environment.

Iris-scan's powers of discrimination--the human iris contains 10 times as many unique data points as a fingertip--make it extremely accurate; false matches are virtually impossible. But the fact that one company, Iridian Technologies, holds the patent on the scanning technique makes the method expensive; desktop iris-recognition cameras cost about twice as much as finger-scan readers.

Face recognition makes a lot of sense in situations where human eyes provide backup--airport surveillance, or spotting card cheats in casinos.

But facial scanning isn't discerning enough to police the human/machine interface in IT applications, IBG's Thieme says. That's not to mention the expense involved in placing a video cam on every desktop. Banks, brokerages, and catalog merchants have cottoned to voice recognition as a way to verify account information over the phone, but who wants to hear the guy in the next cubicle say "take me to Naboo" every morning, especially when background noise or a bad cold forces him to repeat himself?

Signature-scan also faces an uphill struggle for acceptance in the IT world, although it may find a niche among Graffiti-happy PDA users. Under an August licensing agreement with Communication Intelligence Corp. of Redwood Shores, Calif., Motion Computing will embed a signature-scan logon application into its Tablet PC.

Worth the hassle?

Is 2003 destined to be the Year of Biometrics? Thieme of IBG thinks so; he predicts a sales surge late next year as IT budgets recover and larger, more stable vendors convince CIOs and security chiefs that they really do have the technology to separate sheep from goats.

Forrester analyst Laura Koetzle disagrees, predicting that biometrics will remain a niche technology for IT security in the military and data-sensitive industries such as financial services, health care, and pharmaceuticals. Most companies, she says, simply don't see the need for a biological firewall. "Like anything else, it's a tradeoff between security and cost," Koetzle says. "If you have something that's worth the expense and hassle of implementing biometrics, then you'll do it. But most companies don't really feel like they have assets that are worth that sort of expense and effort."

For biometrics to have any hope of entering the IT mainstream, prices must drop considerably. The technology--especially face recognition, voice-scan, and signature-scan--must get better, streamlining the authentication process and reducing the chances of user rejection and bogus matches. And common technical standards must supplant proprietary hardware and software, allowing company-wide deployments and consumer applications such as e-commerce and home networking. The front-running biometric standard is BioAPI, freeware endorsed by IBM, Hewlett-Packard, Intel, and the U.S. Army--but conspicuously not by Microsoft, which has its own standard.

Privacy concerns constitute the biggest potential fly in the ointment for the growth of biometrics in the enterprise. Public resistance to biometrics has ebbed since Sept. 11; in a Harris Poll last fall, 83 percent of surveyed Americans said they'd be willing to have their fingerprints scanned at airports. But as biometrics slowly infiltrates corporate networks, more employees are likely to question how their personal data points are stored and shielded from hackers, marketers and law enforcement. "You don't know how many people have access to the data," says Koetzle, who herself was reluctant to submit to fingerprinting while working on a Wall Street IT project two years ago. Privacy watchdogs fear that a biometric smart card will form the basis for a national, mandatory ID card.

In an attempt to allay such anxieties, the International Biometric Industry Association (IBIA) has adopted a set of "privacy principles" that calls for clear company policies on how biometric data is collected, stored, and accessed--while preserving the rights of individuals to limit how the data is distributed and used.

In the end, it will be end-users--we who yield a piece of ourselves to the scanners--who declare the Year of Biometrics.