Biometrics For Dummies
by Peter Gregory, CISA, CISSP and Michael A. Simon

Biometrics For Dummies®
Published by Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com

Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

For technical support, please visit www.wiley.com/techsupport.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Control Number: 2008930830
ISBN: 978-0-470-29288-4
Manufactured in the United States of America
10

About the Authors

Peter Gregory, CISA, CISSP, is the author of several books including IT Disaster Recovery Planning For Dummies, Blocking Spam & Spyware For Dummies (with Mike Simon) and CISSP For Dummies. Peter is the security and risk manager at a financial management software company located in Redmond, Washington. Prior to this, he held tactical and strategic security positions in large wireless telecommunications organizations. He has also held development and operations positions in casino gaming-management systems, banking, government, nonprofit organizations, and academia since the late 1970s. He is a member of the Board of Advisors and an occasional lecturer for the NSA-certified University of Washington Certificate Program in Information Assurance & Cybersecurity. Peter can be found at www.peterhgregory.com.

Michael A. Simon is the author of The Internet Starter Kit for Windows (with Adam Engst and Corwin S. Low) and Blocking Spam & Spyware For Dummies (with Peter Gregory). Mike has been working in computer security and policy development since 1985, working at the time for the University of Idaho, a regional pioneer in computer security and one of the first NSA Centers of Excellence in Information Assurance Education. Currently, Mike is an adjunct faculty member for the University of Washington, and occasionally lectures at Seattle University, University of Idaho, and several civic organizations on the subject of information assurance and computer security. He sits on the advisory board for the Information Assurance certificate program for the University of Washington, the technical advisory board for Goldfish Holdings, Inc., the Advisory Board for the Computer Science Department at the University of Idaho, and on the Founders Board for the Information School at the University of Washington.

Dedication

To Becky and Shannon — Peter Gregory

To my teachers: past, present, and future — Mike Simon

Authors' Acknowledgments

Peter Gregory would like to thank Carole McClendon, his literary agent, and Tiffany Ma and Amy Fandrei, Acquisition Editors at Wiley, for their support of this project. Thank you to Nicole Sholly, Project Editor at Wiley, for your help organizing our work, and to Barry Childs-Helton and John Chirillo for copy and technical editing, respectively. Thank you, Mike, I always enjoy working with you on collaborative projects.

Mike Simon would like to thank Paul Donion for dealing with a business partner with deadlines. Thanks to Erin Klunder and Ray Pompon for answering random biometrics questions about law enforcement and finance (respectively). Much thanks to Al Gidari and Joseph Cutler of Perkins Coie, LLP for the use of the table of State Data Breach laws in Chapter. Thanks, Peter, for making me look good (again).

Publisher's Acknowledgments

We're proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/.

Some of the people who helped bring this book to market include the following:

Acquisitions and Editorial
  Project Editor: Nicole Sholly
  Acquisitions Editor: Amy Fandrei
  Senior Copy Editor: Barry Childs-Helton
  Technical Editor: John Chirillo
  Editorial Manager: Kevin Kirschner
  Editorial Assistant: Amanda Foxworth
  Senior Editorial Assistant: Cherie Case
  Cartoons: Rich Tennant (www.the5thwave.com)

Composition Services
  Senior Project Coordinator: Kristie Rees
  Layout and Graphics: Reuben W. Davis, Joyce Haughey, Melissa K. Jester, Abby Westcott, Christine Williams
  Proofreaders: Dwight Ramsey, Nancy L. Reinhardt
  Indexer: Claudia Bourbeau

Publishing and Editorial for Technology Dummies
  Richard Swadley, Vice President and Executive Group Publisher
  Andy Cummings, Vice President and Publisher
  Mary Bednarek, Executive Acquisitions Director
  Mary C. Corder, Editorial Director

Publishing for Consumer Dummies
  Diane Graves Steele, Vice President and Publisher
  Joyce Pepple, Acquisitions Director

Composition Services
  Gerry Fahey, Vice President of Production Services
  Debbie Stailey, Director of Composition Services

Index

types of biometrics. See also comparing biometric solutions
  behavioral, 12–13, 200–201
  physical properties biometrics, 201–205
  physiological, 11–12
typing dynamics
  biometric basis for, 112
  comparisons, 117, 256–257
  described, 13, 111, 275
  future technologies, 198
  practical considerations, 112–113
  uses for, 113–114

• U •

ultrasonic/sonar biometrics
  biometric basis for, 72
  comparisons, 73
  defined, 274, 275
  fingerprints, 65
  future technologies, 187–188
  overview, 71–72
  practical considerations, 72–73
  uses for, 73
Uncertainty Principle, Heisenberg's, 86–87
uniqueness, 14, 275
United Arab Emirates (UAE), 45, 94
United States. See also U.S. federal and state laws
  Department of Justice, 37, 220
  ports of entry, 47–49
  use of iris-recognition technology, 94
United States Visitor and Immigrant Status Indicator Technology (US-VISIT), 48, 56, 275
universality, 14, 275
updating the data, 14, 158, 159
upgrades, hardware, 161
U.S. Department of Justice, 37, 220
U.S. federal and state laws. See also legal issues
  data breach disclosure laws, 52–54
  Electronic Patient Health Information (EPHI), 54, 271
  overview, 46–47
users
  accepting biometric technology, 15
  behavior changes required of, 144–145
  with disabilities, 221–222
  enrollment, 13, 138
  health issues, 157–158
  helpdesk for, 155–156, 250
  information published for, 156–157
  locked out, 155–156
  needed for biometrics system, 132
  needs of, 24–25, 122
  privacy concerns, 127–128, 226–227
  problems with, 153
  safety of, 261
  sharing/stealing credentials, 10, 170
  as stakeholders, 129–130
  surveying, 214, 227
  training/educating, 17, 137–138, 152–153
  workloads, reducing, 250
US-VISIT (United States Visitor and Immigrant Status Indicator Technology), 48, 56, 275

• V •

vendor/manufacturer. See also on-site testing; selecting a biometric system
  choosing, 139–140
  determining biometric requirements and, 131
  following up with, 140
  on-site testing through, 134–139
  reference contacts for, 133–134
  stability and support potential of, 139
  Web site resource, 222
video surveillance, 193, 266
virus biometrics, 203–204
voice. See also speaker recognition biometrics; speech
  range and harmonics of, 105
  recognition, 13, 27, 102, 275
  recording to use as fake credentials, 172
  translating into text, 103
vulnerabilities. See also attacks; securing biometric systems; threats
  database, 168
  defined, 164, 275
  identifying, 163–165
  matching flaws, 170
  operating-system, 167
  overview, 164–165, 166
  physical, 167
  replay, 170
  re-registration flaws, 170
  software, 168–169

• W •

walking, 13, 109. See also gait-recognition biometrics
Walt Disney World, 10
Web sites
  author's,
  Biometrics Catalog, 223–224
  Central Intelligence Agency (CIA), 41
  Electronic Frontier Foundation (EFF), 218–219
  European Union (EU), 55
  findBIOMETRICS, 222
  fingerprint misappropriation, 64
  International Center for Disability Resources on the Internet (ICDRI), 221–222
  John Daugman, 224
  National Biometric Security Project (NBSP), 135–136, 219
  National Geographic, 217–218
  security information, 183–184
  Third Factor Biometric Authentication News, 223
  U.S. Department of Justice, 37, 220
workloads, reducing, 250

• Y •

Young Frankenstein (film), 148